The Russian hacker group APT28 has attacked a US company using a new technique called “Nearest Neighbor Attack” and gained remote access to its Wi-Fi network.
Attack method: Wi-Fi access through neighbors
The Russian hacker group APT28, also known as Fancy Bear, Forest Blizzard or Sofacy, apparently penetrated the network of a US company via Wi-Fi without ever coming near the company. The hackers used a relatively new attack technique called “Nearest Neighbor Attack” to gain access from thousands of kilometers away: they first compromised another organization in the same or a neighboring building that was within range of the actual target’s Wi-Fi.
First discovery of the attack
The attack was first discovered in February 2022, when security experts from Volexity found a compromised server at a customer whose work was related to Ukraine. Reconstruction of the attack showed that the attackers had probably first obtained the victim’s Wi-Fi password through password-spraying attacks. However, because multi-factor authentication (MFA) prevented that password from being used over the Internet, the hackers had to get creative.
So they looked for organizations within Wi-Fi range of the actual victim whose networks contained dual-homed devices, i.e. devices with both a wired and a wireless connection. From such a router or laptop it was possible to join the victim’s Wi-Fi locally rather than over the Internet, thereby bypassing the MFA.
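As an added illustration of what a defender could look for (constructed here, not from the article or from Volexity’s report), the check below runs over simplified Wi-Fi authentication records and an asset inventory, both invented for the example, and flags valid credentials presented by an unmanaged device, password spraying against the Wi-Fi, and dual-homed hosts that could serve as a bridge:

```python
from collections import defaultdict

# Constructed sample data, simplified for the example (not a real product's log format).
# Each Wi-Fi authentication event: (timestamp, username, client MAC, result)
WIFI_AUTH_EVENTS = [
    ("2022-02-01T09:00:12", "jsmith", "aa:bb:cc:00:00:01", "success"),
    ("2022-02-01T22:10:01", "adoe", "de:ad:be:ef:00:99", "failure"),
    ("2022-02-01T22:10:05", "bkim", "de:ad:be:ef:00:99", "failure"),
    ("2022-02-01T22:10:09", "clee", "de:ad:be:ef:00:99", "failure"),
    ("2022-02-01T22:14:03", "jsmith", "de:ad:be:ef:00:99", "success"),  # valid password, unknown device
]
# Constructed asset inventory: client MAC -> (hostname, {interface type: link state})
INVENTORY = {
    "aa:bb:cc:00:00:01": ("LAPTOP-JSMITH", {"wired": "down", "wireless": "up"}),
    "aa:bb:cc:00:00:02": ("CONF-ROOM-PC", {"wired": "up", "wireless": "up"}),
    "aa:bb:cc:00:00:03": ("FILESRV01", {"wired": "up"}),
}


def unknown_device_logins(events, inventory):
    """Successful Wi-Fi logins whose client MAC is not a known corporate device.

    A valid password presented from an unmanaged device is the visible trace of the
    technique described above: a neighbour's compromised host joining the Wi-Fi locally."""
    return [e for e in events if e[3] == "success" and e[2] not in inventory]


def spraying_sources(events, min_users=3):
    """Client MACs that failed authentication as several distinct usernames."""
    users = defaultdict(set)
    for _ts, user, mac, result in events:
        if result == "failure":
            users[mac].add(user)
    return {mac: sorted(u) for mac, u in users.items() if len(u) >= min_users}


def dual_homed_hosts(inventory):
    """Hosts with a wired and a wireless interface up at the same time: these are the
    bridges an intruder on the wired side could use to reach a neighbour's Wi-Fi."""
    return sorted(host for host, ifaces in inventory.values()
                  if ifaces.get("wired") == "up" and ifaces.get("wireless") == "up")


if __name__ == "__main__":
    for finding in unknown_device_logins(WIFI_AUTH_EVENTS, INVENTORY):
        print("unknown device with valid credentials:", finding)
    print("possible password spraying:", spraying_sources(WIFI_AUTH_EVENTS))
    print("dual-homed hosts to review:", dual_homed_hosts(INVENTORY))
```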
Attribution of the attack to APT28 (Fancy Bear)
During their investigation of the incident, the security experts at Volexity discovered that APT28 had compromised several companies in the immediate vicinity of the actual victim. The attackers had built up an entire chain of connections with valid credentials until they finally found a device that was close enough to the actual victim to connect to access points in its network. Using a remote desktop connection (RDP) from an unprivileged account, the attackers were then able to move around the target network, search for interesting systems, compress data into a ZIP archive and exfiltrate it. They mainly used native Windows tools in order to leave as few traces as possible.
At the time of the attack, over two years ago, security researchers were unable to attribute it to any known threat actor. It was not until April of this year that a Microsoft report put security experts on the trail of APT28. Based on the details in the Microsoft report, it is very likely that APT28 escalated its privileges on the victim’s network before exfiltrating critical data by exploiting the CVE-2022-38028 vulnerability in the Windows Print Spooler service as a zero-day.
Conclusion
The attack shows that even attacks that would normally require physical proximity to the victim can now be carried out remotely. And even though the security precautions for Internet-facing devices are constantly improving, you should not be lulled into a false sense of security: measures such as MFA should be applied consistently to Wi-Fi networks within the company as well.
(vp/8com GmbH & Co. KG)