Russian state hackers APT28 (Fancy Bear/Forest Blizzard/Sofacy) breached a U.S. company through its enterprise WiFi network while being thousands of miles away, by leveraging a novel technique called "nearest neighbor attack."
The threat actor pivoted to the target after first compromising an organization in a nearby building within the WiFi range.
The attack was discovered on February 4, 2022, when cybersecurity company Volexity detected a server compromise at a customer site in Washington, DC that was doing Ukrainian-related work.
APT28 is part of Russia's military unit 26165 in the General Staff Main Intelligence Directorate (GRU) and has been conducting cyber operations since at least 2004.
The hackers, which Volexity tracks as GruesomeLarch, first obtained the credentials to the target's enterprise WiFi network through password-spraying attacks targeting a victim's public-facing service.
However, the presence of multi-factor authentication (MFA) protection prevented the use of the credentials over the public web. Although connecting through the enterprise WiFi did not require MFA, being "thousands of miles away and an ocean apart from the victim" was a problem.
So the hackers became creative and started looking at organizations in buildings nearby that could serve as a pivot to the target wireless network.
The idea was to compromise another organization and look on its network for dual-home devices, which have both a wired and a wireless connection. Such a device (e.g. laptop, router) would allow the hackers to use its wireless adapter and connect to the target's enterprise WiFi.
