Faraway Russian hackers breached US organization via Wi-Fi


Forest Blizzard, a threat group associated with Russia’s GRU military intelligence service, repeatedly breached a US-based organization via compromised computer systems of nearby firms, which they leveraged to authenticate to the target’s enterprise Wi-Fi network.

The repeated attacks

Volexity, a company that specializes in helping organizations detect and evict nation-state intruders from their systems and networks, said that the attackers were first spotted on a server on the target US organization’s network in early February 2022, when they tried to exfiltrate sensitive registry hives after gaining access by logging in over RDP with an unprivileged user account.

Their investigation revealed that, prior to this, the attackers had mounted password spraying attacks against the organization’s internet-facing web services to discover valid login credentials. They could not use those credentials directly, however, because multi-factor authentication (MFA) was implemented.

“The Enterprise Wi-Fi network, however, did not require MFA and only required a user’s valid domain username and password to authenticate. Meanwhile, the threat actor was halfway around the world and could not actually connect to [the target organization’s] Enterprise Wi-Fi network,” Volexity’s Sean Koessel, Steven Adair and Tom Lancaster shared.

They solved the problem by:

  • Breaching a nearby organization’s system
  • Moving laterally within that organization to find accessible systems that are connected to the network via a wired Ethernet connection and have a Wi-Fi adapter
  • Using that Wi-Fi adapter to connect to the target organization’s Wi-Fi and authenticate to it with the credentials they had previously compromised via password spraying.

That nearby organization was breached using stolen VPN credentials; the accounts had no MFA enabled. The attackers also used the same technique to jump onto this second organization’s enterprise Wi-Fi from a compromised system of a third nearby organization.
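The chain above rests on one weak link: accounts that were password-sprayed against MFA-protected web services could still authenticate to Wi-Fi that required only a username and password. The following detection logic, added here as an example and not code from Volexity or the article, correlates a spray pattern in web-service auth logs with a later Wi-Fi (802.1X/RADIUS) success by one of the sprayed accounts. The log record layout, thresholds and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from the article: (ISO time, event, user, source).
# web_fail = failed login on an Internet-facing web service, source = client IP
# wifi_ok  = successful 802.1X/RADIUS authentication to enterprise Wi-Fi,
#            source = the access point that the client authenticated through
SAMPLE_EVENTS = [
    ("2022-01-20T02:00:01", "web_fail", "alice", "203.0.113.7"),
    ("2022-01-20T02:00:03", "web_fail", "bob", "203.0.113.7"),
    ("2022-01-20T02:00:05", "web_fail", "carol", "203.0.113.7"),
    ("2022-01-20T02:00:07", "web_fail", "dave", "203.0.113.7"),
    ("2022-01-20T02:00:09", "web_fail", "erin", "203.0.113.7"),
    ("2022-01-20T09:15:00", "web_fail", "frank", "198.51.100.9"),  # lone typo, not a spray
    ("2022-02-03T11:42:10", "wifi_ok", "carol", "AP-Floor3"),      # sprayed account on Wi-Fi
    ("2022-02-03T12:00:00", "wifi_ok", "frank", "AP-Floor1"),      # never part of a spray
]

SPRAY_MIN_ACCOUNTS = 5               # distinct accounts failing from one source
SPRAY_WINDOW = timedelta(minutes=10)
WIFI_LOOKAHEAD = timedelta(days=30)  # how long after a spray a Wi-Fi login stays suspect


def find_sprays(events):
    """Map source -> (first_fail_time, set of sprayed users) for every source that
    fails logins against SPRAY_MIN_ACCOUNTS or more distinct accounts in SPRAY_WINDOW."""
    fails = defaultdict(list)
    for ts, kind, user, src in events:
        if kind == "web_fail":
            fails[src].append((datetime.fromisoformat(ts), user))
    sprays = {}
    for src, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - t0 <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                sprays[src] = (t0, users)
                break
    return sprays


def sprayed_wifi_logins(events):
    """Return (user, wifi_time, spray_source) for each enterprise Wi-Fi success by
    an account that was part of an earlier spray: the signal the article describes,
    since the Wi-Fi network accepted a bare domain password without MFA."""
    sprays = find_sprays(events)
    hits = []
    for ts, kind, user, src in events:
        if kind != "wifi_ok":
            continue
        t = datetime.fromisoformat(ts)
        for spray_src, (t0, users) in sprays.items():
            if user in users and t0 <= t <= t0 + WIFI_LOOKAHEAD:
                hits.append((user, ts, spray_src))
    return hits
```

In a real deployment the same correlation would be fed from the web portal or identity provider's failed-login events and the RADIUS/NPS accounting log; the hit list is a triage queue, not proof of compromise on its own.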

And after getting booted out, the attackers returned and compromised a system connected to the targeted organization’s guest Wi-Fi network, which turned out not to be completely isolated from the corporate wired network.

“Using the Nearest Neighbor Attack method, the attacker was able to daisy-chain their way from organization to organization without ever deploying malware, using only valid user credentials as their access method. The attacker then focused on using living-off-the-land techniques to avoid deploying malware and to evade detection by EDR products,” the company noted.

The group used Windows’ built-in tools: VSSAdmin to create a volume shadow copy, and Cipher to overwrite deleted files they had written to disk during the attack.
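Because no malware was dropped, process-creation telemetry is where this activity shows up. The detector below, an added example rather than code from the article or from Volexity, tags the two sub-commands the article names (a VSSAdmin shadow-copy creation and Cipher's free-space wipe) and raises a stronger finding when both run on the same host within a short window; the record layout, hostnames and sample command lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (Security event 4688 / Sysmon event 1 style),
# not from the article: the first two are the pattern the article describes, the
# other two are routine admin use of the same binaries that should not fire.
SAMPLE_PROCESSES = [
    {"time": "2022-02-02T22:14:05", "host": "SRV01", "user": "CORP\\carol",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"time": "2022-02-02T22:31:40", "host": "SRV01", "user": "CORP\\carol",
     "cmdline": r"cipher /w:C:\Windows\Temp"},
    {"time": "2022-02-02T08:00:00", "host": "WS07", "user": "CORP\\itops",
     "cmdline": "vssadmin list shadows"},
    {"time": "2022-02-02T09:12:00", "host": "WS07", "user": "CORP\\frank",
     "cmdline": r"cipher /e C:\Users\frank\Documents"},
]

# One rule per built-in tool the article names, limited to the sub-command that
# matters: creating a shadow copy, or wiping free space where deleted files lived.
# An optional path prefix and .exe suffix are tolerated so full image paths match too.
RULES = [
    ("shadow_copy_created",
     re.compile(r'^\s*"?(?:\S*[\\/])?vssadmin(?:\.exe)?"?\s+create\s+shadow\b', re.I)),
    ("deleted_data_wiped",
     re.compile(r'^\s*"?(?:\S*[\\/])?cipher(?:\.exe)?"?\s+/w:', re.I)),
]
SEQUENCE_WINDOW = timedelta(hours=24)


def tag(record):
    """Return the rule tag matching a record's command line, or None if benign."""
    for name, pattern in RULES:
        if pattern.search(record["cmdline"]):
            return name
    return None


def detect_lolbin_sequence(records, window=SEQUENCE_WINDOW):
    """Return (host, user, shadow_time, wipe_time) for every host where a shadow copy
    was created and a Cipher free-space wipe followed within `window`."""
    shadows = [r for r in records if tag(r) == "shadow_copy_created"]
    wipes = [r for r in records if tag(r) == "deleted_data_wiped"]
    findings = []
    for s in shadows:
        for w in wipes:
            if w["host"] != s["host"]:
                continue
            gap = datetime.fromisoformat(w["time"]) - datetime.fromisoformat(s["time"])
            if timedelta(0) <= gap <= window:
                findings.append((s["host"], s["user"], s["time"], w["time"]))
    return findings
```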

Orgs, secure your Wi-Fi

In 2024, after Microsoft shared information about a post-compromise tool named GooseEgg that the group had used in other attacks, Volexity was able to tie these intrusions to Forest Blizzard (aka APT28, aka GruesomeLarch).

With this clever attack method, the group was able to connect to the target organization’s enterprise Wi-Fi network without any of its members having to be physically within range of it.

“A significant amount of effort over the last several years has been placed on attack surface reduction where Internet-facing services have been secured with MFA or removed altogether. This attack was possible due to a lower level of security controls on targeted Wi-Fi systems than other resources, such as email or VPN,” Volexity explained.

Zeljka Zorz
