Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

Russian hackers are attacking innocent companies to get access to their neighbors

A Wi-Fi router placed on a desk with cables going in. A hand is holding a padlock on top of the router.

  • Russia’s APT28 cyber-espionage group linked to ‘Nearest Neighbor Attack’
  • Victim’s Wi-Fi network was protected, but its neighbor’s wasn’t
  • Timing aligns with Russia’s invasion of Ukraine in 2022

Russian cyber-espionage group APT28, also known as Fancy Bear, was able to breach an American company’s network by leveraging a ‘Nearest Neighbor Attack’ exploiting nearby Wi-Fi networks.

First identified by cybersecurity firm Volexity in February 2022, the attack raises new concerns about vulnerabilities in corporate Wi-Fi system.

In this case, APT28, tracked by Volexity as ‘GruesomeLarch,’ targeted a US organization engaged in Ukrainian-related projects, hence the nation-state’s interest in the firm.

‘nearest neighbour attacks’

The attack on the unnamed US company – a customer of Volexity’s whose identity has been protected – started with password-spraying to acquire credentials for the victim’s enterprise Wi-Fi network. The firm’s multi-factor authentication protected its public-facing systems however the hackers then turned to a nearby organization to force entry.

Volexity explained: “The threat actor was halfway around the world and could not actually connect to [the victim’s] Enterprise Wi-Fi network. To overcome this hurdle, the threat actor worked to compromise other organizations who were in buildings within close proximity to [the victim’s] office. Their strategy was to breach another organization.”

APT28 exploited a device that was connected to both wired and wireless networks – it acted as a bridge to the target’s enterprise Wi-Fi, enabling lateral movement and data exfiltration.

Furthermore, the attackers used native Windows tools like Cipher.exe to erase evidence, making it hard to detect and trace the attack. They also exploited a zero-day vulnerability in the Windows Print Spooler service to escalate privileges within the victim’s network.

Given that the attack took place weeks before Russia’s invasion of Ukraine, its geopolitical significance aligns with its choice of target company.

Volexity is now advising all companies to monitor suspicious activity, create separate networking environments for Wi-Fi and Ethernet networks, and apply authentication and certificate-based solutions.

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.