Volexity details Russia's novel 'Nearest Neighbor Attack'
The security company warned that the new attack style highlights the importance of securing Wi-Fi networks, implementing MFA and patching known vulnerabilities.
Volexity discovered that a Russian nation-state group breached a victim organization by compromising nearby Wi-Fi networks and exploiting a previously known vulnerability to gain intel on Ukraine.
In a new report published Friday, Volexity researchers detailed how they uncovered a "novel attack vector" during a month-and-a-half-long incident response (IR) investigation for an unnamed customer organization in Washington, D.C. Researchers attributed the attack to the infamous Russian nation-state group it tracks as GruesomeLarch, otherwise known as Fancy Bear.
During the attack, GruesomeLarch piggybacked off neighborhood buildings' Wi-Fi networks to spy on the victim organization, referred to as "Organization A" in the report. The attack began just prior to Russia's invasion of Ukraine, and Volexity concluded that GruesomeLarch's motive was stealing data related to Ukraine projects.
Volexity observed many techniques that were previously unseen and dubbed the revolutionary attack style as the "Nearest Neighbor Attack." Volexity founder Steven Adair contributed to the report and presented the research Friday during Cyberwarcon 2024.
"The threat actor accomplished this by daisy-chaining their approach to compromise multiple organizations in close proximity to their intended target, Organization A. This was done by a threat actor who was thousands of miles away and an ocean apart from the victim," Volexity wrote in the report.
Volexity said GruesomeLarch accomplished the attack by conducting password spray attacks to obtain valid credentials that belonged to three employees. While the organization protected its public services with MFA, the threat actors learned that they could use the compromised credentials on the enterprise Wi-Fi network, which lacked MFA. However, Volexity noted that the attackers were located thousands of miles away, which made reaching that Wi-Fi network challenging but not impossible.
"To overcome this hurdle, the threat actor worked to compromise other organizations who were in buildings within close proximity to Organization A's office. Their strategy was to breach another organization, and then move laterally within that organization to find systems they could access that were dual-homed, (i.e., having both a wired and wireless network connection)," the report said. "Once successful in this endeavor, having found a system that was connected to the network via a wired Ethernet connection, the threat actor would access the system and use its Wi-Fi adapter."
Further analysis showed that GruesomeLarch successfully breached more than one organization located near the victim organization. Volexity added that the threat actors compromised a dual-homed system, one connected to more than one network at a time, at a nearby organization and used its Wi-Fi adapter to connect to the victim organization's enterprise Wi-Fi network.
The report emphasized that the attack worked only because the victim organization did not implement MFA on the Wi-Fi network. Additionally, one of the organizations used to breach the targeted victim did not implement MFA on its VPN, which the attackers used to gain initial access.
While the threat actor lay low for one month, and Volexity believed remediation steps were working, GruesomeLarch was not done yet. It compromised the target organization's guest Wi-Fi network, rather than the enterprise Wi-Fi network, to regain access.
"While the Guest Wi-Fi network had been believed to be completely isolated from the corporate wired network, where the high-value targeted data resided, there was one system that was accessible from both the Wi-Fi network and the corporate wired network. Armed with the credentials of an account that had not been reset, and the fact that the Wi-Fi network was not completely isolated, the attacker was able to pivot back into the corporate wired network and ultimately regain access to the high-value targeted data," the report said.
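The pivot described above depended on a single host that was reachable from both the Wi-Fi network and the corporate wired LAN. The following script is an added example, not Volexity's code, that audits a constructed endpoint inventory for exactly that condition; the record format, corporate IP range and SSID names are assumptions.

```python
"""Audit a host inventory for dual-homed systems that bridge Wi-Fi and the
corporate wired network. Added example, not Volexity's code; the inventory
format, corporate range and SSID names are assumed."""
from ipaddress import ip_address, ip_network

# Assumed corporate wired ranges and the SSIDs that should stay isolated from them.
CORP_WIRED = [ip_network("10.10.0.0/16")]
WIFI_SSIDS = {"Corp-WiFi": "enterprise", "Corp-Guest": "guest"}

# Constructed inventory records, as an endpoint agent might export them.
INVENTORY = [
    {"host": "ws-101", "ifaces": [
        {"name": "Ethernet", "type": "wired", "up": True, "ip": "10.10.4.21"},
        {"name": "Wi-Fi", "type": "wireless", "up": True, "ip": "192.168.50.7", "ssid": "Corp-Guest"}]},
    {"host": "ws-102", "ifaces": [
        {"name": "Ethernet", "type": "wired", "up": True, "ip": "10.10.4.22"},
        {"name": "Wi-Fi", "type": "wireless", "up": False, "ip": None, "ssid": None}]},
    {"host": "lt-207", "ifaces": [
        {"name": "Wi-Fi", "type": "wireless", "up": True, "ip": "10.20.1.9", "ssid": "Corp-WiFi"}]},
]

def on_corp_wired(ip):
    """True when the address falls inside an assumed corporate wired range."""
    return ip is not None and any(ip_address(ip) in net for net in CORP_WIRED)

def find_bridging_hosts(inventory):
    """Return (host, ssid, severity) for every host that has an active wired link
    into a corporate range and an active wireless link at the same time."""
    findings = []
    for rec in inventory:
        up = [i for i in rec["ifaces"] if i["up"]]
        wired = [i for i in up if i["type"] == "wired" and on_corp_wired(i["ip"])]
        wireless = [i for i in up if i["type"] == "wireless"]
        if wired and wireless:
            for w in wireless:
                kind = WIFI_SSIDS.get(w.get("ssid"), "unknown")
                # A guest SSID bridged to the wired LAN defeats the isolation the
                # guest network is supposed to provide, so it ranks highest.
                severity = "high" if kind == "guest" else "medium"
                findings.append((rec["host"], w.get("ssid"), severity))
    return findings

if __name__ == "__main__":
    for host, ssid, sev in find_bridging_hosts(INVENTORY):
        print(f"{sev.upper()}: {host} bridges the corporate wired LAN and Wi-Fi '{ssid}'")
```

Hosts flagged "medium" still deserve review, since an enterprise SSID without MFA was the attackers' first way in.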
Call to secure Wi-Fi networks
The report added that GruesomeLarch used living-off-the-land (LOTL) techniques during the Nearest Neighbor Attack. In LOTL attacks, adversaries evade endpoint detection and response products by relying on legitimate tools already present in the victim environment. In this case, Volexity found that GruesomeLarch used standard Microsoft protocols to move laterally through the victim network.
The Russian nation-state group also exploited a Microsoft Windows print spooler vulnerability, tracked as CVE-2022-38028, for data exfiltration. That exploitation was how Volexity connected the novel attack to GruesomeLarch, which Microsoft tracks as Forest Blizzard. Last year, Microsoft warned that Forest Blizzard was still exploiting a known vulnerability in Outlook for Windows to gain access to victim organizations' Exchange servers.
Volexity's report Friday highlighted research Microsoft published in April that showed the Forest Blizzard threat group used a post-compromise tool named GooseEgg during zero-day exploitation of CVE-2022-38028. During the IR investigation of the Washington victim organization, Volexity observed the same file names and paths Microsoft included in its report.
Microsoft also assessed that the tool had been used since at least 2020. Volexity conducted the IR investigation in 2022. "Based on the use of this tool, which Microsoft indicates is unique to this threat actor, Volexity assesses with high confidence that the activity described in this post can be attributed to GruesomeLarch," the report said.
Volexity said the Nearest Neighbor Attack is effective because it removes the risk of attackers being "physically identified or detained" as in a typical close access operation. The report also warned that the attack was possible due to a lack of security controls implemented on the victim organization's Wi-Fi systems. "It may be time to treat access to corporate Wi-Fi networks with the same care and attention that other remote access services, such as virtual private networks (VPNs), have received," the report said.
Volexity recommended that organizations create custom detection tools to search for files executing from various nonstandard locations, detect and identify data exfiltration from internet-facing services, and create separate networking environments for Wi-Fi and Ethernet-wired networks.
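One of the recommended custom detections, flagging executables launched from locations outside the standard program directories, can be prototyped over process-creation telemetry. This is an added example, not Volexity's tooling; the event fields and the directory lists are assumed and the events are constructed.

```python
"""Flag process launches from outside the standard Windows program directories.
Added example, not Volexity's code; event fields and path lists are assumed."""
from pathlib import PureWindowsPath

# Assumed baseline: directories from which OS and installed application binaries normally run.
STANDARD_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64",
    r"C:\Program Files", r"C:\Program Files (x86)")]
# Assumed list of world-writable staging locations that warrant a higher-priority alert.
SUSPICIOUS_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\ProgramData", r"C:\Windows\Temp", r"C:\Users\Public", r"C:\PerfLogs")]

def _under(path, roots):
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    return any(root in PureWindowsPath(path).parents for root in roots)

def classify(event):
    """Return 'standard', 'suspicious' or 'nonstandard' for one process-creation event."""
    image = event["image"]
    if _under(image, STANDARD_ROOTS):
        return "standard"
    # Any directory literally named Temp (for example a user's AppData\Local\Temp) counts too.
    in_temp = any(part.lower() == "temp" for part in PureWindowsPath(image).parts)
    if _under(image, SUSPICIOUS_ROOTS) or in_temp:
        return "suspicious"
    return "nonstandard"

# Constructed process-creation events with Sysmon Event ID 1 style fields.
EVENTS = [
    {"host": "ws-101", "image": r"C:\Windows\System32\svchost.exe", "user": "SYSTEM"},
    {"host": "ws-101", "image": r"C:\ProgramData\update\svc.exe", "user": r"CORP\jdoe"},
    {"host": "ws-102", "image": r"C:\Users\jdoe\AppData\Local\Temp\a.exe", "user": r"CORP\jdoe"},
    {"host": "ws-102", "image": r"C:\Program Files\Vendor\app.exe", "user": r"CORP\jdoe"},
    {"host": "lt-207", "image": r"C:\Tools\helper.exe", "user": r"CORP\asmith"},
]

def alerts(events):
    """Return (host, image, verdict) for every event that is not from a standard location."""
    return [(e["host"], e["image"], classify(e)) for e in events if classify(e) != "standard"]

if __name__ == "__main__":
    for host, image, verdict in alerts(EVENTS):
        print(f"{verdict:<11} {host}  {image}")
```

In production the baseline would be tuned per fleet, since legitimate installers and updaters also run from ProgramData and Temp; the value is in the triage ordering, not in treating every hit as malicious.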
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.