The activities of the American company, the name of which has not been disclosed, were related to Ukraine. To access this data, hackers from Russia’s General Intelligence Directorate (GRU) hacked the company through its corporate WiFi network using a new technique called a «nearest neighbor attack.»
The activities of the American company, the name of which has not been disclosed, were related to Ukraine. To access this data, hackers from Russia’s General Intelligence Directorate (GRU) hacked the company through its corporate WiFi network using a new technique called a «nearest neighbor attack.»
Volexity, a cyber security company, discovered a server compromise at a Washington, D.C. client site that performed work related to Ukraine, BleepingComputer reports.
APT28 hackers are part of Russian military unit 26165 of the Main Intelligence Directorate of the General Staff (GRU) and have been conducting cyber operations since at least 2004.
First, they obtained credentials to the victim’s corporate Wi-Fi network using password spraying attacks targeting the victim’s public services.
However, the presence of multi-factor authentication (MFA) made it impossible to use credentials over a public network. While connecting via corporate Wi-Fi didn’t require MFA, being «thousands of miles and an ocean away from the victim» was a problem.
So the hackers got creative and began looking for organizations in nearby homes that could serve as a base for a targeted wireless network.
The idea was to compromise another organization and find dual-access devices on its network that have both wired and wireless connections. Such a device (for example, a laptop, a router) would allow hackers to use its wireless adapter and connect to the corporate Wi-Fi network.
Volexity found that APT28 compromised several organizations in this attack by enabling their connections with valid access credentials. Eventually, they found a device in good range that could connect to three wireless access points near the windows of the victim’s conference room.
Using a remote desktop (RDP) connection from a non-privileged account, the attacker was able to navigate the target network in search of systems of interest and steal data.
The hackers ran the servtask.bat file to create a dump of Windows registry keys (SAM, Security, and System), compressing it into a ZIP archive for later exfiltration.
Attackers relied on built-in Windows tools to minimize their footprint when collecting data.
«Volexity also determined that GruesomeLarch actively targeted Organization A to collect data from individuals with experience working with Ukraine and projects actively involving Ukraine,» the cybersecurity company said.
APT28's «neighborhood attack» shows that a close-in operation that normally requires proximity to a target (such as a parking lot) can also be conducted from a distance and eliminates the risk of being physically identified or caught.
