Hackers working for Russia’s Main Intelligence Directorate (GRU), tracked as APT 28, have been observed using a technique dubbed the “nearest neighbor attack” to breach a Washington, DC-based company doing Ukraine-related work.
The attack began when APT 28 obtained valid credentials for the target’s corporate Wi-Fi network through password spraying. The credentials alone weren’t enough: the target enforced multi-factor authentication (MFA) for logins from the open web, so the passwords could not be used remotely. The Wi-Fi network, however, accepted the same credentials without a second factor, which left only a physical obstacle: the attacker had to be within radio range of the target’s access points.
To overcome this obstacle, APT 28 compromised organizations located physically near the primary target, looking for a system with a wireless adapter capable of reaching the target’s Wi-Fi. It eventually found a suitable device within range and used it to authenticate to three of the target’s wireless access points located near the windows of a conference room.
Once on the target’s Wi-Fi, APT 28 moved laterally and exfiltrated sensitive information, relying on native Windows tools (living off the land) to reduce the chance of detection.
Source: Bleeping Computer
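The password-spraying step is the one a defender can catch earliest, and a spray has a distinctive shape in authentication logs: a single source fails against many accounts with only one or two attempts per account, whereas a brute-force attempt hammers one account repeatedly. The Python below is an added example, not code from the original article or from the researchers who reported the incident. It runs over a constructed log sample in a made-up four-field format (timestamp, source address, account, result), classifies each source as spraying or brute-forcing using a sliding time window, and reports any account the same source subsequently logged into, which in this incident would have been the moment a usable Wi-Fi credential was obtained. The thresholds are illustrative assumptions, not defaults from any product.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the incident). One event per line:
# ISO-8601 timestamp, source address, account name, FAIL or SUCCESS.
# 203.0.113.5 sprays two passwords across six accounts and lands one;
# 198.51.100.9 brute-forces a single account; 192.0.2.44 is a user typo.
SAMPLE_LOG = """\
2024-02-01T09:00:01Z 203.0.113.5 alice FAIL
2024-02-01T09:00:04Z 203.0.113.5 bob FAIL
2024-02-01T09:00:07Z 203.0.113.5 carol FAIL
2024-02-01T09:00:10Z 203.0.113.5 dave FAIL
2024-02-01T09:00:13Z 203.0.113.5 erin FAIL
2024-02-01T09:00:16Z 203.0.113.5 frank FAIL
2024-02-01T09:31:02Z 203.0.113.5 alice FAIL
2024-02-01T09:31:05Z 203.0.113.5 bob FAIL
2024-02-01T09:31:08Z 203.0.113.5 carol SUCCESS
2024-02-01T09:31:11Z 203.0.113.5 dave FAIL
2024-02-01T09:31:14Z 203.0.113.5 erin FAIL
2024-02-01T09:31:17Z 203.0.113.5 frank FAIL
2024-02-01T10:00:00Z 198.51.100.9 grace FAIL
2024-02-01T10:00:02Z 198.51.100.9 grace FAIL
2024-02-01T10:00:04Z 198.51.100.9 grace FAIL
2024-02-01T10:00:06Z 198.51.100.9 grace FAIL
2024-02-01T10:00:08Z 198.51.100.9 grace FAIL
2024-02-01T10:00:10Z 198.51.100.9 grace FAIL
2024-02-01T10:05:00Z 192.0.2.44 heidi FAIL
2024-02-01T10:05:30Z 192.0.2.44 heidi SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into sorted (time, source, account, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, src, account, result == "SUCCESS"))
    return sorted(events)


def classify_sources(events, window=timedelta(hours=1), min_accounts=5,
                     max_per_account=3, brute_threshold=5):
    """Flag sources whose failures inside any sliding window look like a
    password spray (>= min_accounts distinct accounts, <= max_per_account
    failures each) or a brute force (>= brute_threshold failures on one
    account). Thresholds are illustrative assumptions, not vendor defaults.

    Returns {source: {"kind", "accounts", "first_seen", "gained_access"}};
    gained_access lists accounts the source logged into after its first
    suspicious failure, i.e. credentials the attacker has actually obtained.
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)

    findings = {}
    for src, evs in by_source.items():
        failures = [(t, acct) for t, _, acct, ok in evs if not ok]
        start = 0
        for end in range(len(failures)):
            # Advance the window start so failures[start:end+1] spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            counts = Counter(acct for _, acct in failures[start:end + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                kind = "password_spray"
            elif max(counts.values()) >= brute_threshold:
                kind = "brute_force"
            else:
                continue
            finding = findings.setdefault(src, {"kind": kind, "accounts": set(),
                                                "first_seen": failures[start][0],
                                                "gained_access": []})
            finding["accounts"].update(counts)

    # A success after the suspicious activity began is the event worth paging on.
    for src, finding in findings.items():
        finding["gained_access"] = sorted(
            {acct for t, _, acct, ok in by_source[src]
             if ok and t >= finding["first_seen"]})
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['kind']} against {len(f['accounts'])} accounts "
              f"from {f['first_seen']:%H:%M:%S}; "
              f"gained access to {f['gained_access'] or 'none'}")
```

Against the sample, 203.0.113.5 is reported as a spray across six accounts that then gained access to carol, 198.51.100.9 as a brute force that gained nothing, and the single mistyped password from 192.0.2.44 is ignored. In production the parser would be replaced with one for the real source (RADIUS or NPS accept/reject logs for 802.1X Wi-Fi, or Windows 4625/4624 events), and the window and account thresholds tuned to the size of the directory; the spray shape, low attempts per account spread across many accounts, is what stays constant.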
Analysis
While this incident may be the first publicly reported use of the ‘nearest neighbor attack,’ APT 28 and other advanced threat actors have likely used the same approach before against high-value targets; those incidents simply haven’t been made public.
This attack would have required significant resources and skill, indicating that the target was of very high interest to the Russian government.
It’s possible that APT 28 developed this technique in response to the disruption of its close access team by Dutch authorities in April 2018. The GRU’s close access team covertly travelled to foreign countries and hacked targets through their Wi-Fi networks when remote attacks had failed or were unlikely to succeed.
The team has been directly linked to the compromise of the World Anti-Doping Agency (WADA), whose officials were targeted over the Wi-Fi network of a hotel in Lausanne, Switzerland. It was disrupted by Dutch authorities as its members sat in a rental car packed with high-end Wi-Fi attack equipment outside the Organization for the Prohibition of Chemical Weapons (OPCW) in The Hague. At the time, the OPCW was investigating the poisoning of Sergei Skripal in the UK and the possible use of chemical weapons in Syria, both issues of high interest to the Russian government.
GRU close access team arriving at Amsterdam Airport, April 2018.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat groups such as APT 28.
Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
This attack shows both the value of MFA against sophisticated adversaries and the trade-off network administrators face between security and user convenience. The sprayed passwords were useless against the target’s internet-facing services because MFA was enforced there; they worked against the Wi-Fi network because physical proximity was treated as a trust signal and the network was exempted from the same requirement. Had the organization held Wi-Fi logins to the same standard, this attack likely would have failed. The cost is that legitimate users would have to satisfy a second factor each time they joined the network, which is exactly why Wi-Fi is so often exempted. The practical lesson is to treat being within radio range as no more trustworthy than the open internet: require the same authentication strength on Wi-Fi as for remote access, or authenticate Wi-Fi clients with certificates (EAP-TLS) rather than passwords so that a sprayed password buys nothing, and keep the wireless network segmented from the wired corporate network so that a Wi-Fi foothold does not translate directly into lateral movement.
Field Effect recommends that governments and organizations in Ukraine, or those doing Ukraine-related work contrary to Russian interests, adopt a heightened cybersecurity posture given the threat posed by Russian state-sponsored cyber actors. We encourage all organizations to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Shields Up program, which provides robust guidance for preparing, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.