A new attack method has emerged from Russian state-backed hackers, leveraging nearby WiFi networks to infiltrate organizations. The cyberattack, attributed to the notorious APT28 group (also known as Fancy Bear, Forest Blizzard, or Sofacy), bypassed advanced security measures like multi-factor authentication (MFA) by chaining compromised WiFi networks, allowing the attackers to strike from thousands of miles away.
The attack, discovered by cybersecurity firm Volexity, targets organizations by exploiting vulnerable WiFi devices in close proximity to the intended target. In the documented case, hackers began by breaching Organization C’s WiFi network, hopping to Organization B’s network, and ultimately reaching the final target, Organization A.
APT28, associated with Russia’s General Staff Main Intelligence Directorate (GRU), initially tried to compromise Organization A directly using password spray tactics, but MFA security thwarted their efforts. Instead of giving up, the hackers adapted their strategy by exploiting WiFi networks from neighboring organizations. They relied on “dual-homed” systems—machines with both wired and wireless network connections—enabling them to connect to WiFi networks and bypass authentication systems.
Using compromised credentials, the attackers connected to Organization A’s WiFi network through an exposed access point, gaining unauthorized access. Additionally, they breached Organization B’s network, whose VPN lacked MFA protection. This complex, multi-step approach allowed them to circumvent defenses that would otherwise have been insurmountable.
To carry out the attack, APT28 used sophisticated tactics, including custom PowerShell scripts to identify nearby WiFi networks and brute-forcing wireless credentials. Once inside, they used built-in Windows tools to erase traces of their presence, while exfiltrating critical data using common techniques like shadow copies and PowerShell commands.
What makes this attack particularly striking is the attackers’ ability to operate from a distance, utilizing WiFi networks in neighboring buildings. The method is similar to older “close access” operations, where hackers would hide radio equipment nearby, but the “Nearest Neighbor Attack” removes the risk of being physically detected.
Volexity’s investigation revealed that the hackers even used public-facing servers to exfiltrate stolen data, showing a high level of sophistication. One of the key recommendations from Volexity is to harden WiFi network security, including the use of MFA for WiFi access and segregating wireless networks from Ethernet-based ones to prevent such breaches.
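As an added defender-side check that is not part of this article or Volexity's report: the PowerShell below audits a Windows host for the dual-homed state the attack relied on (an Ethernet and an 802.11 adapter up at the same time, with the wired side domain-authenticated and the wireless side not) and reports whether the Windows Connection Manager policy that limits simultaneous connections is configured. The function name is mine, and the policy registry path and value names are assumed from Windows group policy settings rather than taken from the article.

```powershell
# Added audit script, not from the article or Volexity. Flags the "dual-homed" condition
# (wired + wireless both Up) and reads the Windows Connection Manager policy that can
# suppress Wi-Fi while on Ethernet. Works locally or via Invoke-Command on Windows 8+.
function Get-DualHomedStatus {
    [CmdletBinding()]
    param()

    $adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
    $wired    = @($adapters | Where-Object { $_.PhysicalMediaType -eq '802.3' })
    $wireless = @($adapters | Where-Object { $_.PhysicalMediaType -like '*802.11*' })

    # Network category per interface: DomainAuthenticated / Private / Public
    $profiles = Get-NetConnectionProfile

    $wirelessDetail = foreach ($w in $wireless) {
        $p = $profiles | Where-Object InterfaceIndex -eq $w.InterfaceIndex
        [pscustomobject]@{
            Adapter  = $w.Name
            Network  = $p.Name            # for Wi-Fi this is normally the SSID
            Category = $p.NetworkCategory
        }
    }

    # Assumed policy location (Windows Connection Manager group policy).
    # fMinimizeConnections = 0 or absent means simultaneous connections are allowed.
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    $minimize = if ($pol -and $null -ne $pol.fMinimizeConnections) { $pol.fMinimizeConnections } else { 'NotConfigured' }
    $blockNonDomain = if ($pol -and $null -ne $pol.fBlockNonDomain) { $pol.fBlockNonDomain } else { 'NotConfigured' }

    $dualHomed = ($wired.Count -gt 0) -and ($wireless.Count -gt 0)
    # Worst case for this attack: the wired side is domain-joined, the wireless side is not.
    $wiredDomain = $profiles | Where-Object {
        ($wired.InterfaceIndex -contains $_.InterfaceIndex) -and ($_.NetworkCategory -eq 'DomainAuthenticated') }
    $wifiNonDomain = $wirelessDetail | Where-Object Category -ne 'DomainAuthenticated'
    $bridgesDomain = $dualHomed -and [bool]$wiredDomain -and [bool]$wifiNonDomain

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DualHomed            = $dualHomed
        WiredAdapters        = ($wired.Name -join ', ')
        WirelessConnections  = (($wirelessDetail | ForEach-Object { "$($_.Adapter)=$($_.Network)/$($_.Category)" }) -join ', ')
        BridgesDomainToWiFi  = $bridgesDomain
        fMinimizeConnections = $minimize
        fBlockNonDomain      = $blockNonDomain
    }
}

Get-DualHomedStatus | Format-List
```

Hosts reporting BridgesDomainToWiFi = True with the policy NotConfigured are the ones to prioritize for adapter restrictions or network segregation.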
As attacks like these evolve, the findings underline the importance of reinforcing network security, especially in environments where WiFi systems could be a potential entry point for sophisticated adversaries.