
Distant Russian hackers infiltrated US organization through Wi-Fi


Forest Blizzard, a threat group linked to Russia’s GRU military intelligence service, has been identified as the perpetrator behind a series of cyber attacks on a US-based organization. The group managed to breach the organization’s systems by exploiting vulnerabilities in the computer systems of nearby firms, which they used to gain access to the target’s enterprise Wi-Fi network.

According to Volexity, a company specializing in detecting and removing nation-state level intruders from organizations’ networks, the attacks were first detected in early February 2022. The attackers were found trying to exfiltrate sensitive registry hives from a server on the target organization’s network. They had gained access by logging in through Remote Desktop Protocol (RDP) using an unprivileged user account.

Prior to this incident, the attackers had conducted password spraying attacks against the organization’s internet-facing web services in an attempt to discover valid login credentials. However, their efforts were thwarted by the implementation of multi-factor authentication (MFA) which prevented them from using the credentials directly.

To bypass this hurdle, the threat actors exploited the lack of MFA on the organization’s Enterprise Wi-Fi network. They breached a nearby organization’s system, moved laterally within that organization’s network, and used a Wi-Fi adapter connected to a system with compromised credentials to authenticate to the target organization’s Wi-Fi network.

The attackers also leveraged stolen VPN credentials to breach the systems of multiple organizations in the vicinity, eventually gaining access to the target organization’s guest Wi-Fi network. They were able to move from organization to organization without deploying any malware, solely relying on valid user credentials for access.

In a separate incident in 2024, Microsoft shared details about a post-compromise tool called GooseEgg used by the group in other attacks. This information led Volexity to attribute the intrusions to Forest Blizzard, also known as APT28 or GruesomeLarch.

The attack method employed by Forest Blizzard allowed them to connect to the target organization’s enterprise Wi-Fi network without the need for physical proximity. Volexity emphasized the importance of securing Wi-Fi networks, recommending the implementation of multiple authentication factors or the use of authentication certificates to enhance security.

The group utilized built-in Windows tools such as VSSAdmin and Cipher to carry out their attacks and evade detection by Endpoint Detection and Response (EDR) products. This sophisticated approach underscores the need for organizations to continuously enhance their cybersecurity measures to prevent similar incidents in the future.
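Because the intrusion relied on a valid low-privilege RDP logon followed by built-in tools rather than malware, detection has to come from host telemetry. The following triage script is an added example, not Volexity's or Microsoft's code: it parses constructed Windows Security events (4624 logons and 4688 process creations, in a simplified pipe-delimited form) and escalates vssadmin, shadow-copy hive reads and cipher /w usage when the same account has already logged on over RDP. The rule names, field layout and sample accounts are assumptions for this example.

```python
import re

# Constructed sample Windows Security events (not from the incident), one per line:
# "EventID|field=value|field=value". 4624 = logon, 4688 = process creation.
SAMPLE_EVENTS = [
    r"4624|TargetUserName=jdoe|LogonType=10|IpAddress=10.20.30.40",
    r"4624|TargetUserName=svc_backup|LogonType=3|IpAddress=10.20.30.41",
    r"4688|SubjectUserName=jdoe|NewProcessName=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin create shadow /for=C:",
    r"4688|SubjectUserName=jdoe|NewProcessName=C:\Windows\System32\cmd.exe|CommandLine=copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\Public\sam",
    r"4688|SubjectUserName=jdoe|NewProcessName=C:\Windows\System32\cipher.exe|CommandLine=cipher /w:C:\Users\Public",
    r"4688|SubjectUserName=admin|NewProcessName=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
]

# Detection rules for the built-in tooling named in the article, matched against
# "NewProcessName CommandLine". Rule names are assumptions for this example.
RULES = [
    ("vssadmin shadow copy creation", re.compile(r"vssadmin\.exe.*create\s+shadow", re.I)),
    ("registry hive read via shadow copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*\\config\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("cipher /w free-space wipe", re.compile(r"cipher\.exe.*\s/w:", re.I)),
]
RDP_LOGON_TYPE = "10"  # RemoteInteractive (RDP) logon type in event 4624


def parse_event(line):
    """Turn one sample line into a dict keyed by field name."""
    event_id, *fields = line.split("|")
    ev = {"EventID": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def triage(lines):
    """Return (severity, user, rule) tuples. A tooling hit is HIGH when the same
    account has already logged on over RDP in this batch, otherwise MEDIUM."""
    rdp_users, alerts = set(), []
    for ev in map(parse_event, lines):
        if ev["EventID"] == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE:
            rdp_users.add(ev.get("TargetUserName"))
        elif ev["EventID"] == 4688:
            user = ev.get("SubjectUserName", "?")
            haystack = ev.get("NewProcessName", "") + " " + ev.get("CommandLine", "")
            for name, pattern in RULES:
                if pattern.search(haystack):
                    alerts.append(("HIGH" if user in rdp_users else "MEDIUM", user, name))
    return alerts
```

Running `triage(SAMPLE_EVENTS)` yields three HIGH alerts for `jdoe`, one per tool, because that account's RDP logon precedes the tooling; the same commands from an account with no RDP session are only MEDIUM.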
