Fancy Bear uses the ‘nearest neighbour attack’ tactic to target US

November 25, 2024
Nearest Neighbour Attack Fancy Bear Gang US Cybercrime WiFi Network

One of Russia’s most prolific cybercriminal threat organisations, Fancy Bear, hacked a US firm’s enterprise WiFi network from thousands of miles away, using a novel approach known as the “nearest neighbour attack.”

Reports revealed that the group pivoted to its intended target after first compromising an organisation in a nearby building within WiFi range. The attack was discovered on February 4, 2022, after researchers noticed a server intrusion at a customer location in Washington, DC, that was working on Ukraine-related projects.

Fancy Bear, also known as APT28, is attributed to Russian military unit 26165 of the General Staff Main Intelligence Directorate (GRU) and has been conducting cyber operations for at least two decades.

The nearest neighbour attack was initiated after another threat group besides Fancy Bear compromised the target’s WiFi network.

Hackers tracked as GruesomeLarch first obtained valid credentials for the target’s workplace WiFi network via password-spraying attacks against a victim’s public-facing service. However, MFA protection prevented those credentials from being used on the public-facing services.

Although connecting via the workplace WiFi did not require MFA, the attackers were operating thousands of miles from the victim. To exploit this gap, the APT28 gang began hunting for organisations in surrounding buildings that could act as gateways to the target’s wireless network.

The plan was to hack another organisation’s network and look for dual-homed devices with both wired and wireless connections, such as laptops or routers, whose wireless adapter the hackers could use to connect to the target’s workplace WiFi.

As part of this attack, APT28 compromised multiple organisations, daisy-chaining their connections with valid access credentials. Finally, they found a device within range that could connect to three wireless access points near the windows of a victim’s conference room.
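The dual-homed devices described above are what a defender should be inventorying before an adversary does. The following added example (not code from the original article or from the researchers who documented the attack) parses `ipconfig /all` output from a Windows host and flags any machine that holds an IPv4 address on both an Ethernet and a Wireless LAN adapter at the same time. The sample output, host name and addresses are constructed for the example; the adapter header and field layout follow the standard `ipconfig /all` text format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `ipconfig /all` output from a hypothetical corporate laptop
# that is plugged into the wired LAN while its WiFi adapter is also associated.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-EXAMPLE

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IPv4 Address. . . . . . . . . . . : 10.10.5.23(Preferred)
   Default Gateway . . . . . . . . . : 10.10.5.1

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 66-77-88-99-AA-BB
   IPv4 Address. . . . . . . . . . . : 192.168.44.7(Preferred)
   Default Gateway . . . . . . . . . : 192.168.44.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : CC-DD-EE-FF-00-11
"""

# "Ethernet adapter <name>:" / "Wireless LAN adapter <name>:" section headers.
ADAPTER_HEADER = re.compile(r"^(?P<kind>Ethernet|Wireless LAN) adapter (?P<name>.+):$")
# Indented "Key . . . . : value" lines inside a section; the dots are padding.
FIELD_LINE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 \-]+?)[ .]*:\s*(?P<value>.*)$")


@dataclass
class Adapter:
    kind: str            # "Ethernet" or "Wireless LAN"
    name: str
    fields: dict = field(default_factory=dict)

    @property
    def connected(self) -> bool:
        # An adapter counts as live when it holds an IPv4 address and is not disconnected.
        return ("IPv4 Address" in self.fields
                and self.fields.get("Media State") != "Media disconnected")

    @property
    def ipv4(self) -> str:
        # Strip the "(Preferred)" suffix Windows appends to the address.
        return self.fields.get("IPv4 Address", "").split("(")[0]


def parse_ipconfig(text: str) -> list[Adapter]:
    """Split `ipconfig /all` output into Adapter records, one per section."""
    adapters: list[Adapter] = []
    current = None
    for line in text.splitlines():
        header = ADAPTER_HEADER.match(line)
        if header:
            current = Adapter(header["kind"], header["name"])
            adapters.append(current)
            continue
        if current is None:          # lines before the first adapter section
            continue
        f = FIELD_LINE.match(line)
        if f:
            current.fields[f["key"].strip()] = f["value"].strip()
    return adapters


def active_adapters(text: str) -> list[tuple[str, str, str]]:
    """(kind, name, ipv4) for every adapter that currently holds an address."""
    return [(a.kind, a.name, a.ipv4) for a in parse_ipconfig(text) if a.connected]


def is_dual_homed(text: str) -> bool:
    """True when the host is simultaneously on a wired and a wireless network."""
    kinds = {kind for kind, _, _ in active_adapters(text)}
    return {"Ethernet", "Wireless LAN"} <= kinds


if __name__ == "__main__":
    for kind, name, addr in active_adapters(SAMPLE_IPCONFIG):
        print(f"{kind:13} {name:30} {addr}")
    print("dual-homed:", is_dual_homed(SAMPLE_IPCONFIG))
```

In practice the text would come from `ipconfig /all` collected by an endpoint agent or a scheduled script, and hosts flagged as dual-homed are candidates for a policy that disables the WiFi radio while a wired link is up, so that a compromised neighbour cannot use the machine as a bridge into the wireless network.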

Using Remote Desktop Protocol (RDP) connections from an unprivileged user account, the threat actor moved laterally through the target network, looking for systems of interest and exfiltrating data.

The hackers used servtask.bat to dump the Windows registry hives (SAM, Security and System), then compressed them into a ZIP archive for exfiltration. The attackers relied on built-in Windows capabilities to minimise their footprint while collecting data.
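Because the collection relied on native Windows tooling, there is no malware signature to match; detection has to key on the behaviour itself, namely the three credential-bearing hives being exported and then archived on the same host in a short window. The following added example (not code from the original article or from the researchers) runs that logic over a handful of constructed process-creation events flattened to key=value lines; the hostnames, user names, timestamps and paths are all made up for the example, and the 30-minute correlation window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style),
# flattened to one key=value line each. Hosts, users, times and paths are invented.
SAMPLE_EVENTS = [
    '2022-02-04T10:14:55Z host=WS-EXAMPLE-07 user=CORP\\jdoe image=C:\\Windows\\System32\\reg.exe cmdline="reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"',
    '2022-02-04T10:15:02Z host=WS-EXAMPLE-07 user=CORP\\jdoe image=C:\\Windows\\System32\\reg.exe cmdline="reg save HKLM\\SAM C:\\Windows\\Temp\\sam.dat"',
    '2022-02-04T10:15:03Z host=WS-EXAMPLE-07 user=CORP\\jdoe image=C:\\Windows\\System32\\reg.exe cmdline="reg save HKLM\\SECURITY C:\\Windows\\Temp\\sec.dat"',
    '2022-02-04T10:15:04Z host=WS-EXAMPLE-07 user=CORP\\jdoe image=C:\\Windows\\System32\\reg.exe cmdline="reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.dat"',
    '2022-02-04T10:16:40Z host=WS-EXAMPLE-07 user=CORP\\jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell Compress-Archive -Path C:\\Windows\\Temp\\*.dat -DestinationPath C:\\Windows\\Temp\\out.zip"',
    # A lone SYSTEM export by a backup account: noisy, but not the full credential set.
    '2022-02-04T11:02:11Z host=WS-EXAMPLE-12 user=CORP\\backupsvc image=C:\\Windows\\System32\\reg.exe cmdline="reg save HKLM\\SYSTEM D:\\Backups\\system.hiv"',
]

# key=value pairs; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# reg save/export of one of the three hives needed for offline credential extraction.
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)\b',
    re.IGNORECASE)
# Common built-in or bundled archivers used to stage files for exfiltration.
ARCHIVE = re.compile(r'\b(Compress-Archive|makecab|7z|rar|tar)\b', re.IGNORECASE)
FULL_SET = {"SAM", "SECURITY", "SYSTEM"}
WINDOW = timedelta(minutes=30)   # assumed correlation window between dump and archive


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, raw, quoted in KV_RE.findall(rest):
        ev[key] = quoted if raw.startswith('"') else raw
    return ev


def detect(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Return (severity, host, user, message) alerts in event order."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    dumps: dict[str, dict] = {}   # host -> {"hives": set, "first": ts, "full": bool}
    alerts = []
    for ev in events:
        host, user, cmd = ev.get("host", "?"), ev.get("user", "?"), ev.get("cmdline", "")
        m = HIVE_DUMP.search(cmd)
        if m:
            hive = m.group(1).upper()
            entry = dumps.setdefault(host, {"hives": set(), "first": ev["ts"], "full": False})
            entry["hives"].add(hive)
            alerts.append(("medium", host, user, f"registry hive export: {hive}"))
            # Escalate once SAM, SECURITY and SYSTEM have all been exported on this host.
            if entry["hives"] >= FULL_SET and not entry["full"]:
                entry["full"] = True
                alerts.append(("high", host, user,
                               "SAM+SECURITY+SYSTEM exported (offline credential extraction)"))
            continue
        a = ARCHIVE.search(cmd)
        if a and host in dumps:
            delta = ev["ts"] - dumps[host]["first"]
            if delta <= WINDOW:
                alerts.append(("high", host, user,
                               f"archive created {int(delta.total_seconds())}s after hive export ({a.group(1)})"))
    return alerts


if __name__ == "__main__":
    for sev, host, user, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev:6}] {host} {user}: {msg}")
```

The rule deliberately alerts at medium on any single hive export, since backup and imaging jobs produce those legitimately, and only escalates to high when the complete set is exported or an archiver follows the export on the same host. In a real deployment the same logic would be fed from Sysmon or 4688 events with command-line auditing enabled, which is the prerequisite for seeing the `reg save` arguments at all.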

This newly documented ‘nearest neighbour attack’ shows that a close-access operation, which would normally require physical proximity to the target, can be carried out remotely. Organisations and security providers should therefore assess the risk posed by this tactic to prevent hackers from achieving their objectives.
