Full Report
**KEY TAKEAWAYS**

- Russian APT GruesomeLarch deployed a new attack technique leveraging Wi-Fi networks in close proximity to the intended target.
- The threat actor primarily leveraged living-off-the-land techniques.
- A zero-day privilege escalation was used to further gain access.
- Ukrainian-related work and projects were targeted in this attack, just ahead of the Russian invasion of Ukraine.

In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site ("Organization A") indicated a threat actor had compromised a server on the customer's network. While Volexity quickly investigated the threat activity, more questions were raised than answers due to a very motivated and skilled advanced persistent threat (APT) actor, who was using a novel attack vector Volexity […]

The post "The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access" appeared first on Volexity.
Analysis Summary
# Threat Actor: GruesomeLarch (APT28)
## Attribution & Identity
**Attribution:** Russian APT.
**Known Aliases and Associated Groups:** APT28, Forest Blizzard, Sofacy, Fancy Bear.
## Activity Summary
The threat actor, GruesomeLarch, conducted a sophisticated operation targeting "Organization A" starting around February 2022, just before the Russian invasion of Ukraine. The primary objective was intelligence gathering related to Ukrainian work and projects. The attack was notable for employing a novel technique termed the "Nearest Neighbor Attack" to gain access to the target's enterprise Wi-Fi network from thousands of miles away. GruesomeLarch successfully compromised "Organization A" using this method.
## Tactics, Techniques & Procedures
- **Novel Attack Vector:** Utilized the "Nearest Neighbor Attack," involving compromising geographically proximate organizations to gain access to the target's Wi-Fi network.
- **Credential Harvesting:** Executed password-spray attacks against public-facing services to validate user credentials.
- **Living Off the Land (LotL):** Primarily leveraged built-in system tools to conduct activity and evade detection by EDR solutions, avoiding the deployment of custom malware in some phases.
- **Execution:** Observed execution of batch files (`servtask.bat`) from non-standard locations like the root of `C:\ProgramData\`.
- **Privilege Escalation:** Used a zero-day vulnerability for privilege escalation after gaining initial access.
- **Lateral Movement:** Conducted lateral movement within compromised adjacent networks to find dual-homed systems (hosts with both a wired and a wireless connection).
- **Wi-Fi Hijacking:** Accessed a dual-homed system (wired and wireless connections) within a neighbor organization and used its Wi-Fi adapter to connect to the intended target’s Enterprise Wi-Fi SSID.
## Targeting
- **Sectors:** Not explicitly stated, but the nature of the intelligence gathering suggests government, defense, research, or technology sectors involved in Ukrainian projects.
- **Geography:** Targeting Organization A, which was geographically distant from the actual threat actor's location (thousands of miles away). The initial compromises occurred on organizations in *close proximity* to Organization A.
- **Victims:** "Organization A" (the primary target) and multiple unnamed organizations in the physical vicinity of Organization A used as stepping stones.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed as the actor focused on LotL techniques, but exploitation of a zero-day for privilege escalation occurred.
- **Infrastructure (C2, domains, IPs):** No specific C2 domains, IPs, or URLs were mentioned in the provided context.
## Implications
GruesomeLarch demonstrated exceptional operational sophistication by creating and successfully executing the "Nearest Neighbor Attack." The technique sidesteps the strong authentication typically enforced on externally facing services (such as MFA on VPNs and email) by targeting the weaker controls commonly applied to enterprise Wi-Fi networks, which often accept a username and password alone. The ability to pivot through nearby, less-secure organizations highlights a critical blind spot in perimeter defense strategies focused purely on digital boundaries: physical proximity to a target becomes an attack surface. The timing of the activity suggests state-sponsored intelligence collection related to geopolitical events (the invasion of Ukraine).
## Mitigations
- Harden access requirements for Wi-Fi networks by applying Multi-Factor Authentication (MFA) or using certificate-based solutions, treating Wi-Fi access with the same rigor as VPNs.
- Create separate, segmented networking environments for Wi-Fi and Ethernet-wired networks, especially where wired networks grant access to sensitive resources.
- Monitor and alert on anomalous use of Living-Off-the-Land utilities such as `netsh` and `Cipher.exe`.
- Create custom detection rules to look for file execution from non-standard locations, such as the root of `C:\ProgramData\`.
- Monitor network traffic between devices for internal file transfers (via SMB) containing data typically targeted for exfiltration (e.g., credential data, registry hives, `ntds.dit`).
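The following Python is an added example and is not code from the Volexity report or from this summary. It turns three of the mitigations above (and the `servtask.bat` execution pattern noted under Tactics, Techniques & Procedures) into detection logic run over constructed sample events: process-creation records in a Sysmon-style `Image`/`CommandLine` shape, and share-access records using the `ShareName`/`RelativeTargetName` fields of Windows Security event 5145. All sample paths, share names and command lines are constructed for illustration; the `netsh wlan` and `cipher.exe /w` checks are the author's choice of which sub-commands to single out, since the summary names only the utilities.

```python
"""Flag LotL utility use, execution from the root of C:\\ProgramData\\, and SMB access
to credential stores. Added example with constructed input; not from the report."""
import ntpath  # Windows path semantics regardless of the host OS
import re
from typing import Optional

# Directories from which script/binary execution is unusual (normalised to lower case).
SUSPICIOUS_EXEC_DIRS = {r"c:\programdata"}
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".ps1", ".vbs", ".dll"}

# File names typically staged for exfiltration: AD database and registry hives.
SENSITIVE_FILENAMES = {"ntds.dit", "sam", "system", "security", "ntuser.dat"}

# Constructed Sysmon Event ID 1 style process-creation events (sample data, not real telemetry).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\servtask.bat"'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show interfaces"},
    {"Image": r"C:\Windows\System32\cipher.exe",
     "CommandLine": r"cipher.exe /w:C:\ProgramData"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": r'"C:\Program Files\Vendor\updater.exe" --check'},  # benign control
]

# Constructed Security event 5145 style share-access records (sample data).
SMB_EVENTS = [
    {"ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\NTDS\ntds.dit"},
    {"ShareName": r"\\*\C$", "RelativeTargetName": r"Users\Public\report.docx"},
]


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths with spaces as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def exec_from_suspicious_dir(event: dict) -> list[str]:
    """Return every executable path (Image or argument) that sits directly in a watched dir."""
    hits = []
    for path in [event.get("Image", "")] + tokenize(event.get("CommandLine", "")):
        directory, name = ntpath.split(path)
        if (directory.lower().rstrip("\\") in SUSPICIOUS_EXEC_DIRS
                and ntpath.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS):
            hits.append(path)
    return hits


def lotl_abuse(event: dict) -> Optional[str]:
    """Describe netsh or cipher.exe use worth review, or None for anything else."""
    tokens = tokenize(event.get("CommandLine", ""))
    if not tokens:
        return None
    binary = ntpath.basename(tokens[0]).lower()
    args = [t.lower() for t in tokens[1:]]
    if binary in ("netsh.exe", "netsh"):
        # Wi-Fi interface/profile manipulation is the variant relevant to this campaign.
        return "netsh wlan usage" if "wlan" in args else "netsh usage"
    if binary in ("cipher.exe", "cipher") and any(a.startswith("/w") for a in args):
        return "cipher.exe /w free-space wipe (anti-forensics)"
    return None


def sensitive_smb_transfer(record: dict) -> bool:
    """True when the file accessed over a share is an AD database or registry hive."""
    name = ntpath.basename(record.get("RelativeTargetName", "")).lower()
    return name in SENSITIVE_FILENAMES


def triage(process_events: list[dict], smb_events: list[dict]) -> list[str]:
    """Run all three rules and return one finding string per hit."""
    findings = []
    for ev in process_events:
        for path in exec_from_suspicious_dir(ev):
            findings.append(f"exec-from-nonstandard-dir: {path}")
        reason = lotl_abuse(ev)
        if reason:
            findings.append(f"lotl: {reason}: {ev['CommandLine']}")
    for rec in smb_events:
        if sensitive_smb_transfer(rec):
            findings.append(f"smb-sensitive-file: {rec['ShareName']}\\{rec['RelativeTargetName']}")
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_EVENTS, SMB_EVENTS):
        print(finding)
```

Run against the constructed events, the script reports four findings: the batch file launched from the root of `C:\ProgramData\`, the `netsh wlan` invocation, the `cipher.exe /w` free-space wipe, and the read of `ntds.dit` over the `C$` share; the vendor updater is left alone. The `netsh` rule deliberately fires on any invocation and only labels the `wlan` case separately, because the mitigation asks for alerting on anomalous use of the utility as a whole; tune the baseline to your own environment's administrative activity before deploying it.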