CyberSecurity SEE

Fancy Bear’s ‘Nearest Neighbor’ Attack Leverages Local Wi-Fi Network

In a recent cyber-espionage attack carried out by the notorious Russian advanced persistent threat (APT) group Fancy Bear at the onset of the Russia-Ukraine conflict, a novel attack vector was demonstrated. This attack showcased how a threat actor can remotely infiltrate the network of an organization located far away by compromising a Wi-Fi network in close proximity. Fancy Bear, also known as APT28 or Forest Blizzard, successfully breached the network of a US-based organization using this method, which has been dubbed the “Nearest Neighbor” attack by researchers at Volexity.

According to the Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster, the threat actor behind this attack managed to compromise multiple organizations in close proximity to their intended target, known as Organization A. What made this attack unique was that the threat actor was located thousands of miles away from the victim, showcasing a new class of attack for remote cyber infiltration.

Fancy Bear, a unit of Russia’s General Staff Main Intelligence Directorate (GRU) that has been an active adversary for over two decades, is also known by the name “GruesomeLarch” within the cybersecurity community. The attack was discovered just before Russia’s invasion of Ukraine in February 2022, when Volexity detected a compromised server at a customer site. Further investigation revealed that Fancy Bear was collecting data related to Ukraine from individuals within a Washington, DC-based organization.

The attack involved Fancy Bear executing credential-stuffing attacks to compromise at least two Wi-Fi networks near the target organization. By using these compromised credentials, the threat actor was able to infiltrate the organization, as multifactor authentication (MFA) was not in place for the Wi-Fi networks. The researchers highlighted the creativity and resourcefulness of the threat actor in achieving their cyber-espionage objectives through this attack.

Throughout the investigation, Volexity worked with multiple organizations, including Organizations B and C, that were breached as part of the attack chain leading up to the main target, Organization A. The attacker leveraged privileged credentials to gain access to Organization A via the Remote Desktop Protocol (RDP) from a system within Organization B’s network, showcasing a complex and multi-stage infiltration process.

Fancy Bear utilized a living-off-the-land approach during the attack, leveraging standard Microsoft protocols and tools like Cipher.exe to move laterally within the organization. The use of commonly available tools made detection and attribution more challenging for defenders. The researchers underlined the importance of monitoring and placing alerts on suspicious activities like the use of netsh and Cipher.exe utilities to detect similar attacks.

This attack underscored the need for organizations to enhance their network security posture, especially regarding Wi-Fi networks. Recommendations included creating separate environments for Wi-Fi and Ethernet networks, implementing MFA for Wi-Fi authentication, and monitoring for anomalous behavior that could indicate a compromise. By taking proactive measures and adopting a security-first approach, organizations can better defend against sophisticated cyber threats like the Nearest Neighbor attack orchestrated by Fancy Bear.
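The monitoring recommendation above, and the earlier note that defenders should alert on netsh and Cipher.exe usage, can be turned into a concrete detection. The following is an added example, not code from the article or from Volexity: a small rule engine that scans process-creation events and flags the two living-off-the-land utilities the article names. The input format (one JSON object per line with Sysmon-style fields such as Image, CommandLine, ParentImage, User and Computer) and the sample events are assumptions constructed for this example; they are not logs from the incident. The severity escalation for `netsh wlan` (Wi-Fi profile enumeration) and `cipher.exe /w` (overwriting free space, a common anti-forensic step) goes beyond the article, which only says to alert on the tools themselves.

```python
"""Added example: flag netsh and cipher.exe process-creation events.

Not code from the article or from Volexity. Input format (JSON lines with
Sysmon-style fields) and the sample events below are constructed assumptions.
"""
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample events (Sysmon Event ID 1 style fields), NOT incident data.
SAMPLE_LOG = r"""
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh wlan show profiles", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cipher.exe", "CommandLine": "cipher.exe /w:C:\\Users\\jdoe\\AppData\\Local\\Temp", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "SRV02", "User": "CORP\\svc-backup", "Image": "C:\\Windows\\System32\\cipher.exe", "CommandLine": "cipher.exe /e D:\\Backups", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "WS03", "User": "CORP\\asmith", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "SRV02", "User": "CORP\\netadmin", "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh interface show interface", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""

SEVERITY_RANK = {"medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    severity: str  # "medium" or "high"
    reason: str


def classify(event: dict) -> Optional[Finding]:
    """Apply the netsh / cipher.exe rules to one process-creation event.

    Returns a Finding, or None when the event does not match any rule.
    """
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    # argv[0] is dropped; remaining tokens are compared case-insensitively.
    args = event.get("CommandLine", "").lower().split()[1:]
    computer = event.get("Computer", "?")
    user = event.get("User", "?")

    if image == "netsh.exe":
        if "wlan" in args:
            # Enumerating saved Wi-Fi profiles is the behaviour most relevant
            # to a Wi-Fi-pivot scenario, so it gets the higher severity.
            return Finding(computer, user, "high", "netsh wlan: Wi-Fi profile enumeration")
        return Finding(computer, user, "medium", "netsh invoked")

    if image == "cipher.exe":
        if any(a.startswith("/w") for a in args):
            # /w overwrites free disk space, which destroys deleted-file evidence.
            return Finding(computer, user, "high", "cipher.exe /w: free-space overwrite (possible anti-forensics)")
        return Finding(computer, user, "medium", "cipher.exe invoked")

    return None


def scan_log(text: str) -> List[Finding]:
    """Parse JSON-lines input and return every finding, in log order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, str]:
    """Map each host to the highest severity observed on it."""
    worst: Dict[str, str] = {}
    for f in findings:
        current = worst.get(f.computer)
        if current is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[current]:
            worst[f.computer] = f.severity
    return worst


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.computer} {f.user}: {f.reason}")
    print("per-host:", summarize(results))
```

In practice both utilities have legitimate administrative uses (the `netsh interface` and `cipher.exe /e` events above are examples), so a deployment would baseline normal use per host and account and forward the findings to the SIEM rather than block outright; the per-host summary is the sort of value that feeds a triage queue.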
