Hackers Linked to Russia’s GRU Breach American Company Using New Wi-Fi Attack Technique
Russian hacker group APT28 (Fancy Bear/Forest Blizzard/Sofacy) breached the corporate Wi-Fi network of an unnamed American company to steal data on Ukraine-related projects. BleepingComputer reported on the incident.
APT28 is reportedly part of Russia’s military unit 26165 within the Main Intelligence Directorate (GRU) of the General Staff, and has been conducting cyber operations since at least 2004.
The attack was discovered on February 4, 2022, when cybersecurity firm Volexity identified a server breach at a facility in Washington, D.C., with ties to Ukraine. In this case, the hacker group, tracked by Volexity as GruesomeLarch, used a new technique called the “neighbor proximity attack.”
According to the report, the hackers first obtained login credentials for the company’s corporate Wi-Fi network through “password spraying” against a public-facing service. However, multi-factor authentication (MFA) prevented them from using these credentials over the internet, as the attackers were “thousands of miles and an ocean away from the target.”
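The two signals a defender has at this stage are the spray itself (many accounts, one or two attempts each, from one source) and accounts where the password was accepted but MFA stopped the login, which tells you which guesses were correct. The following detection logic is an added example, not part of the original article or Volexity’s report; the log format and the `MFA_REQUIRED_NOT_SATISFIED` result label are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article). Format: time src_ip user result.
# 203.0.113.7 tries one password across many accounts; 198.51.100.9 is a normal user.
SAMPLE_LOG = """\
2022-02-03T09:00:01Z 203.0.113.7 alice PASSWORD_FAILED
2022-02-03T09:00:04Z 203.0.113.7 bob PASSWORD_FAILED
2022-02-03T09:00:07Z 203.0.113.7 carol PASSWORD_FAILED
2022-02-03T09:00:10Z 203.0.113.7 dave MFA_REQUIRED_NOT_SATISFIED
2022-02-03T09:00:13Z 203.0.113.7 erin PASSWORD_FAILED
2022-02-03T09:00:16Z 203.0.113.7 frank PASSWORD_FAILED
2022-02-03T09:01:00Z 198.51.100.9 alice PASSWORD_FAILED
2022-02-03T09:01:20Z 198.51.100.9 alice PASSWORD_FAILED
2022-02-03T09:01:40Z 198.51.100.9 alice SUCCESS
"""

def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user, result

def detect_spray(log_text, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources that hit many distinct accounts with few attempts each.

    Returns {src: {"users": [...], "mfa_blocked": [...]}} where "mfa_blocked" lists
    accounts whose password was accepted but MFA stopped the login.
    """
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, user, result = parse_line(line)
        if result != "SUCCESS":  # only non-successful attempts matter for spraying
            by_src[src].append((ts, user, result))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            per_user = defaultdict(int)
            mfa_blocked = set()
            for ts, user, result in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
                if result == "MFA_REQUIRED_NOT_SATISFIED":
                    mfa_blocked.add(user)
            # Spray signature: breadth across accounts, shallow depth per account (avoids lockouts).
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = {"users": sorted(per_user), "mfa_blocked": sorted(mfa_blocked)}
                break
    return hits

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {len(info['users'])} accounts sprayed; MFA-blocked (password valid): {info['mfa_blocked']}")
```

Accounts in `mfa_blocked` should be treated as having a compromised password even though no login succeeded, and rotated before the attacker finds another path that skips MFA, as happened here.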
To bypass this, APT28 began looking for nearby organizations with dual-homed devices, that is, devices with both a wired and a wireless network connection. Such a device could be used to reach the targeted company’s corporate Wi-Fi network through its wireless adapter.
Volexity reported that during this attack, the Russian hackers compromised several organizations in turn, chaining access through their networks with valid credentials. Ultimately, they found a device that could connect to three wireless access points near a conference room’s windows. This allowed the attackers to move through the target network in search of systems of interest and exfiltrate data.
“GruesomeLarch was actively targeting Organization A to gather data from individuals with expertise and projects related to Ukraine,” Volexity emphasized.