US company attacked via neighboring third-party WLAN devices
Multi-factor authentication offers no protection unless every access path is covered by it. This is what a US company had to learn from APT28.
The best internal defense is useless if critical parts can also be accessed from outside without MFA.
The security world is now aware of a new method of attacking protected networks: the "Nearest Neighbor Attack". Using this method, Russian cyber attackers from the APT28 group allegedly succeeded in penetrating the network of a company in the USA. They attacked both the infrastructure of this company and that of a neighboring company at the same location.
As the security consultants from Volexity report, one of their customers was hit. The customer noticed suspicious access to its systems but could not explain how the attackers had gotten into the network. Volexity investigated the incident for a month and a half and came to several conclusions: the intruders had specifically targeted this company in February 2022 because it was running unspecified "projects in Ukraine", had searched for data on those projects, and had also used a zero-day vulnerability to do so. Shortly afterwards, the Russian invasion of Ukraine began.
Taken together, and because Volexity had dealt with this group before, Volexity attributes the attack to APT28, which is also known under names such as Fancy Bear, Forest Blizzard, Sofacy or, as Volexity has called it so far, GruesomeLarch. All of these names, used by security researchers as working names, refer to the same group, which represents an "Advanced Persistent Threat" (APT), i.e. an organization that poses a threat over a long period of time using sophisticated methods and a great deal of effort.
Microsoft analysis puts investigators on the trail of APT28
According to the conventional wisdom of security researchers, the organizations behind APTs are usually states that finance, protect and support the groups, for example by passing on security vulnerabilities. Attributing the attack on Volexity's customer was ultimately only possible because Microsoft described in April 2024 a method used by APT28 to exploit a vulnerability in Windows. Volexity found parts of this same method in the attack on its customer. The tool is called "GooseEgg" and contained the exploit that was found at the US company attacked in February 2022. More precisely: parts of it, because the intruders had covered many of their tracks, including by securely overwriting free disk space with the "cipher.exe" tool built into Windows.
Before it could get that far, however, the intruders had to find their way into the network. This was not immediately possible because access to the systems was secured with multi-factor authentication (MFA). Although the attackers had captured credentials via password spraying, they failed at the second factor after logging in with them. The login for the company's own guest WLAN, however, had no MFA. But how do you get within range of a wireless network from Russia?
Neighbor WLAN as a bridge to the target
The answer is relatively simple: via a neighboring Wi-Fi device that can receive signals from the target's access points. That is exactly where the attackers started: they compromised this third-party company over the internet and then used its Wi-Fi devices as a bridge into the target company. This was detected because Volexity's systems evaluated network logs from both companies during the active attacks. Ultimately, it turned out that the attackers always entered the network via the same three access points, and via a company located directly opposite on the same street.
Critical systems could be reached via the target's guest WLAN because one of them was connected to both wired Ethernet and the guest WLAN. As a result, MFA no longer stood in the way; this was evidently a misconfiguration. From this system, the attackers made their way through the rest of the network.
Avoiding this dual-homed setup is not the only lesson to be learned from the incident. Administrators should now also pay more attention not only to incoming but also to outgoing WLAN connections. If there is suddenly constant wireless traffic to another company's WLAN that has never been seen before, you should take a very close look.
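An added example (not from the article, Volexity or Microsoft) of how an administrator might check endpoint network logs for the two conditions just described: a host that is up on wired Ethernet and a guest WLAN at the same time, and a Wi-Fi join to an SSID that is not in the known baseline. The log format, hostnames and SSIDs are constructed for illustration.

```python
"""Two checks drawn from the incident write-up: a host simultaneously up on wired
Ethernet and on a guest WLAN (the MFA-bypassing misconfiguration), and a Wi-Fi
join to an SSID outside the administrator's baseline (a possible bridge to a
neighbouring network). Input is a constructed endpoint-agent log, not real data."""

# Constructed sample log, one 'timestamp key=value ...' record per line.
SAMPLE_LOG = """\
2022-02-10T08:05:12 host=srv-files01 iface=eth0 type=wired state=up net=corp-lan
2022-02-10T08:05:40 host=srv-files01 iface=wlan0 type=wifi state=up net=Guest-WiFi
2022-02-10T08:10:00 host=wks-0042 iface=eth0 type=wired state=up net=corp-lan
2022-02-10T09:00:00 host=lt-0117 iface=wlan0 type=wifi state=up net=Corp-WiFi
2022-02-10T09:30:00 host=lt-0117 iface=wlan0 type=wifi state=down net=Corp-WiFi
2022-02-10T21:30:02 host=lt-0117 iface=wlan0 type=wifi state=up net=NeighbourCo-Office
"""

BASELINE_SSIDS = {"Corp-WiFi", "Guest-WiFi"}  # SSIDs the organisation expects to see
GUEST_SSIDS = {"Guest-WiFi"}                  # networks that do not sit behind MFA

def parse_line(line):
    """Split 'ts key=val key=val ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def analyse(log_text, baseline=BASELINE_SSIDS, guest=GUEST_SSIDS):
    """Return (bridged, unknown): hosts first seen bridging wired and guest WLAN,
    and Wi-Fi joins to SSIDs outside the baseline. Interface state is tracked
    per (host, iface) so a later 'down' event clears the interface."""
    live = {}  # (host, iface) -> (type, net) for interfaces currently up
    bridged, unknown, flagged_hosts = [], [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        key = (ev["host"], ev["iface"])
        if ev["state"] == "down":
            live.pop(key, None)
            continue
        live[key] = (ev["type"], ev["net"])
        if ev["type"] == "wifi" and ev["net"] not in baseline:
            unknown.append((ev["ts"], ev["host"], ev["net"]))
        # Look at every interface of this host that is up right now.
        up = [(t, n) for (h, _i), (t, n) in live.items() if h == ev["host"]]
        has_wired = any(t == "wired" for t, _n in up)
        on_guest = any(n in guest for _t, n in up)
        if has_wired and on_guest and ev["host"] not in flagged_hosts:
            flagged_hosts.add(ev["host"])
            bridged.append((ev["ts"], ev["host"]))
    return bridged, unknown
```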
(nie)