The Breach from Next Door. How Russian APT Exploited Wi-Fi to Infiltrate Their Target

How do attackers breach a secure organization without setting foot inside? In the Nearest Neighbor Attack, the Russian APT group Fancy Bear (also known as APT28) [2] executed a sophisticated cyber-espionage campaign, exploiting weak Wi-Fi security and nearby organizations to infiltrate their ultimate target.

This wasn’t just a typical hacking attempt—it was a carefully planned operation. The attackers:

  • Stole credentials using password-spraying.

  • Exploited Wi-Fi networks that lacked multi-factor authentication (MFA).

  • Leveraged systems in neighboring organizations to bypass physical distance.

  • Extracted sensitive data while leaving minimal traces.

Here’s a high-level overview of the attack path:

Now, let's break down the attack path [1]. 

1. Initial Recon and Credential Harvesting

  • Objective: Gain access credentials to Organization A's network.

  • Method:

    • Conducted password-spraying attacks on public-facing services of Organization A.

    • Successfully brute-forced several valid username-password combinations.

    • Public-facing services were protected by multi-factor authentication (MFA), which prevented immediate use of these credentials.
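Password spraying has a signature that per-account lockout policies miss: one source address fails against many different usernames, a few times each, rather than hammering one account. The following script is an added example (not code from the original post or from Volexity's report) that groups failed logons by source IP inside a sliding window and flags sources that touched many distinct accounts, then reports which accounts that source later authenticated to successfully, since that is the case the step above describes. The log format and every sample line are constructed for the demo.

```python
"""Detect password-spraying in authentication logs (added defender example).

Password spraying tries a few common passwords against MANY accounts, so a
single source address accumulates failures across many distinct usernames
while never tripping per-account lockout thresholds. This script groups
failed logons by source IP within a sliding time window and flags sources
whose distinct-username count crosses a threshold. The log format and the
sample lines are constructed for the demo, not taken from any real product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like). 203.0.113.7 sprays five
# accounts inside ten seconds and then succeeds against "frank";
# 198.51.100.4 is a user mistyping their own password twice.
SAMPLE_LOG = """\
2024-11-01T08:00:01Z auth FAIL user=alice src=203.0.113.7
2024-11-01T08:00:03Z auth FAIL user=bob src=203.0.113.7
2024-11-01T08:00:05Z auth FAIL user=carol src=203.0.113.7
2024-11-01T08:00:07Z auth FAIL user=dave src=203.0.113.7
2024-11-01T08:00:09Z auth FAIL user=erin src=203.0.113.7
2024-11-01T08:00:11Z auth OK   user=frank src=203.0.113.7
2024-11-01T08:05:00Z auth FAIL user=alice src=198.51.100.4
2024-11-01T08:05:30Z auth FAIL user=alice src=198.51.100.4
2024-11-01T08:06:00Z auth OK   user=alice src=198.51.100.4
2024-11-01T09:30:00Z auth FAIL user=zoe src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: (max_distinct_users, [users that src logged in as])}
    for sources that failed against >= min_users distinct accounts inside
    any `window`-long span."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    windows = defaultdict(deque)   # src -> sliding window of (ts, user) failures
    successes = defaultdict(set)   # src -> accounts it authenticated to
    flagged = {}
    for ts, result, user, src in events:
        if result == "OK":
            successes[src].add(user)
            continue
        q = windows[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire failures older than window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_users:
            flagged[src] = max(len(distinct), flagged.get(src, 0))
    # A success from a flagged source is what matters most: the sprayed
    # password worked somewhere and those accounts need attention first.
    return {src: (n, sorted(successes[src])) for src, n in flagged.items()}


if __name__ == "__main__":
    for src, (n, ok_users) in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct users failed; later succeeded as {ok_users}")
```

The thresholds are deliberately parameters: a short window with a low distinct-user count catches a fast spray like the sample, while a multi-hour window with a higher count is what catches the slow, low-and-slow variant that stays under lockout limits.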

2. Exploiting Wi-Fi Network Vulnerabilities

  • Gap Exploited: Organization A's enterprise Wi-Fi network required only a valid domain username and password for access, without MFA.

  • Challenge for Attackers: The attackers were geographically distant and could not directly connect to Organization A’s Wi-Fi.

3. Compromising Neighboring Organizations

  • Strategy:

    • Identified and targeted nearby organizations (Organization B, Organization C) geographically close to Organization A.

    • Breached these organizations through:

      • Exploiting vulnerable public-facing services.

      • Using compromised credentials obtained via brute force or phishing.

    • Focused on finding dual-homed systems—devices connected to both wired and Wi-Fi networks.

4. Leveraging Dual-Homed Systems

  • Execution:

    • Attackers gained control of a dual-homed system within Organization B.

    • Used its Wi-Fi adapter to connect to Organization A's Wi-Fi network, leveraging previously brute-forced credentials.

    • Bypassed physical proximity limitations by daisy-chaining through compromised neighboring networks.

5. Gaining Access to Organization A's Network

  • Connection Established: Successfully authenticated into Organization A's Wi-Fi network.

  • Network Penetration:

    • Gained access to the internal network.

    • Began reconnaissance to locate sensitive data.

6. Privilege Escalation

  • Zero-Day Exploitation: Used a privilege escalation vulnerability (CVE-2022-38028) in the Microsoft Windows Print Spooler.

  • Persistence Established:

    • Deployed tools like servtask.bat to dump sensitive registry hives (SAM, SECURITY, and SYSTEM).

    • Used PowerShell scripts to compress and stage data for exfiltration.

7. Lateral Movement and Data Exfiltration

  • Objective: Access sensitive Ukraine-related projects and data.

  • Techniques:

    • Moved laterally across systems to identify valuable data.

    • Used living-off-the-land tools to avoid detection (e.g., netsh for port-forwarding, vssadmin for creating shadow copies).

    • Exfiltrated data via:

      • SMB connections.

      • Staging data on public-facing systems for external download.

8. Anti-Forensic Measures

  • Covering Tracks:

    • Used Windows utility Cipher.exe to securely delete files.

    • Removed all artifacts related to tools and scripts after use.

    • Deployed minimal malware to evade endpoint detection.
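Steps 6 through 8 are almost entirely built-in Windows tools, which is why no single alert fires: an administrator also runs vssadmin and netsh. What distinguishes the campaign is the combination on one host inside a short window. The script below is an added example (not code from the original post or from Volexity's report) that matches process-creation records against a handful of rules for the tradecraft named above and then correlates hits per host. The records are constructed, the hostnames and paths are made up, and the assumption that servtask.bat dumped the hives via reg.exe's save command is mine, not the page's.

```python
"""Hunt for the living-off-the-land tradecraft of steps 6-8 (added defender
example, not from the original post or the Volexity report).

Each rule matches a process-creation record (the shape of a parsed Sysmon
Event ID 1 or Windows 4688 event; the records below are constructed). Hits
are then correlated per host: one hit alone is noisy on an admin box, but
registry-hive dumping, shadow-copy creation, port proxying and secure
deletion on the same host inside an hour is the pattern this campaign left.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; hostnames, users and paths are made up. The
# reg.exe lines model what a hive-dumping batch file is assumed to run.
EVENTS = [
    {"ts": "2024-11-02T02:10:00Z", "host": "WS-17", "user": "svc_print",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Windows\Temp\servtask.bat"},
    {"ts": "2024-11-02T02:10:02Z", "host": "WS-17", "user": "svc_print",
     "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"ts": "2024-11-02T02:10:03Z", "host": "WS-17", "user": "svc_print",
     "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"ts": "2024-11-02T02:15:00Z", "host": "WS-17", "user": "svc_print",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r"vssadmin create shadow /for=C:"},
    {"ts": "2024-11-02T02:20:00Z", "host": "WS-17", "user": "svc_print",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r"netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.5.20 connectport=445"},
    {"ts": "2024-11-02T02:40:00Z", "host": "WS-17", "user": "svc_print",
     "image": r"C:\Windows\System32\cipher.exe",
     "cmd": r"cipher.exe /w:C:\Windows\Temp"},
    # Benign admin activity on another host: a single shadow copy for backup.
    {"ts": "2024-11-02T03:00:00Z", "host": "FS-01", "user": "backupadm",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r"vssadmin create shadow /for=D:"},
]

# (rule name, image basename, command-line regex); matched case-insensitively.
RULES = [
    ("registry_hive_dump", "reg.exe", r"\bsave\b.*\bHKLM\\(SAM|SECURITY|SYSTEM)\b"),
    ("shadow_copy_create", "vssadmin.exe", r"\bcreate\s+shadow\b"),
    ("portproxy_add", "netsh.exe", r"\bportproxy\s+add\b"),
    ("secure_wipe", "cipher.exe", r"(^|\s)/w:"),
]
COMPILED = [(name, img, re.compile(rx, re.I)) for name, img, rx in RULES]


def match_event(ev):
    """Return the names of every rule a single process-creation record matches."""
    base = ev["image"].rsplit("\\", 1)[-1].lower()
    return [name for name, img, rx in COMPILED if base == img and rx.search(ev["cmd"])]


def correlate(events, window=timedelta(hours=1), min_rules=3):
    """Group rule hits per host. A host whose hits span >= min_rules distinct
    rules within `window` is escalated. Returns {host: sorted rule names}."""
    hits = defaultdict(list)  # host -> [(ts, rule)]
    for ev in events:
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for rule in match_event(ev):
            hits[ev["host"]].append((ts, rule))
    escalated = {}
    for host, lst in hits.items():
        lst.sort()
        for i, (t0, _) in enumerate(lst):           # window anchored at each hit
            rules = {r for t, r in lst[i:] if t - t0 <= window}
            if len(rules) >= min_rules:
                escalated[host] = sorted(rules)
                break
    return escalated


if __name__ == "__main__":
    for host, rules in correlate(EVENTS).items():
        print(f"{host}: escalate, {len(rules)} distinct techniques: {rules}")
```

Run as written it escalates only WS-17; FS-01's lone shadow copy stays below the correlation threshold, which is the point of correlating rather than alerting on each tool.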

9. Further Intrusions via Guest Wi-Fi

  • Post-Detection Activity: After initial remediation by Organization A, attackers pivoted to the guest Wi-Fi network.

  • Exploit: Poor segmentation allowed access to internal systems from the guest network.

  • Reinfiltration: Attackers regained access to sensitive data before being detected again.
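The reinfiltration above came down to one question a defender can answer from flow or firewall logs: can a guest-SSID client reach internal addresses at all? The script below is an added example (not code from the original post or from Volexity's report) that applies a small allow-list policy to NetFlow-style records and returns every guest-originated flow that reached an internal address the policy does not permit. The guest and internal subnets, the allow-list and the sample flows are all constructed for the demo.

```python
"""Audit guest-Wi-Fi segmentation from flow records (added defender example,
not part of the original post).

Policy modelled here: guest clients may reach the internet and a short list
of infrastructure services, and nothing else internal. Every flow the policy
would forbid is reported, largest transfer first. Subnets, allow-list and
sample flows are constructed.
"""
import ipaddress

GUEST_NET = ipaddress.ip_network("10.200.0.0/16")            # constructed guest SSID range
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918 space
GUEST_ALLOWED = {                                            # (destination, port) exceptions
    (ipaddress.ip_address("10.0.0.53"), 53),                 # internal DNS resolver
    (ipaddress.ip_address("10.0.0.80"), 443),                # captive portal
}

# Constructed flow records: (src, dst, dst_port, proto, bytes)
FLOWS = [
    ("10.200.14.22", "93.184.216.34", 443, "tcp", 51_200),   # internet: intended use
    ("10.200.14.22", "10.0.0.53", 53, "udp", 120),           # DNS: on allow-list
    ("10.200.14.22", "10.0.5.20", 445, "tcp", 8_400_000),    # SMB into the LAN
    ("10.200.14.22", "10.0.5.21", 3389, "tcp", 2_100_000),   # RDP into the LAN
    ("10.0.7.9", "10.0.5.20", 445, "tcp", 4096),             # wired host, out of scope
    ("10.200.14.23", "10.0.0.80", 443, "tcp", 3000),         # portal: on allow-list
    ("10.200.14.23", "10.200.14.22", 22, "tcp", 900),        # guest-to-guest, see note
]


def is_internal(addr):
    """True if the address (str or ip_address) falls in RFC 1918 space."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def guest_violations(flows):
    """Return flows that originate in the guest network and reach an internal
    address not on the allow-list, sorted by bytes descending so the largest
    cross-segment transfers surface first."""
    bad = []
    for src, dst, port, proto, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in GUEST_NET:
            continue                    # only guest-originated traffic is in scope
        if d in GUEST_NET:
            continue                    # peer isolation is a separate control
        if not is_internal(d):
            continue                    # internet-bound traffic is the intended use
        if (d, port) in GUEST_ALLOWED:
            continue
        bad.append((src, dst, port, proto, nbytes))
    return sorted(bad, key=lambda f: f[4], reverse=True)


if __name__ == "__main__":
    for src, dst, port, proto, nbytes in guest_violations(FLOWS):
        print(f"VIOLATION {src} -> {dst}:{port}/{proto} ({nbytes} bytes)")
```

Pointing this at real flow exports turns "poor segmentation" from an after-the-fact finding into a standing check; an empty result is the state the guest network should always be in.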

Citations

1. Koessel, S., Adair, S., & Lancaster, T. (2024, November 22). The nearest neighbor attack: How a Russian APT weaponized nearby Wi-Fi networks for covert access. Volexity. https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/

2. CrowdStrike. (2019, February 12). Who is FANCY BEAR (APT28)? CrowdStrike. https://www.crowdstrike.com/blog/who-is-fancy-bear/
