A Russian APT Group Takes Creativity to a New Level
A Russian threat group named GruesomeLarch, better known as Fancy Bear or APT28, which is widely associated with state-sponsored espionage operations, reached a new level of sophistication in an effort to infiltrate a victim’s corporate network.
In February 2022, shortly before Russia invaded Ukraine, the group launched an operation that gave them full access to the victim’s environment by exploiting physically nearby corporate Wi-Fi networks.
This technique is known as a Nearest Neighbor Attack, where attackers compromise a nearby organization first and use it as a bridge to reach their actual target.
Breaking In Through Wi-Fi and Weak Authentication
How did they do it?
The group used a technique known as password spraying, where attackers attempt large numbers of username and password combinations against public-facing services until a valid set of credentials is found.
The victim’s corporate Wi-Fi network did not require MFA, allowing connections using username and password alone.
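The spray described above leaves a recognisable trace in authentication logs: one source failing against many distinct accounts with only one or two attempts each, which is the opposite shape from a brute-force attack against a single account. The detector below is an added example, not code from the article or from any vendor; the log format (`timestamp,source_ip,username,result`), the thresholds and the sample lines are all constructed for illustration.

```python
"""Password-spray detector over constructed authentication log lines.

Added example, not from the original article. The CSV-style log format,
the thresholds and the sample log lines are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries seven different accounts once each
# and finally succeeds; 198.51.100.20 is a normal user mistyping a password.
SAMPLE_LOG = """\
2022-02-01T08:00:01Z,203.0.113.7,alice,FAIL
2022-02-01T08:00:03Z,203.0.113.7,bob,FAIL
2022-02-01T08:00:05Z,203.0.113.7,carol,FAIL
2022-02-01T08:00:07Z,203.0.113.7,dave,FAIL
2022-02-01T08:00:09Z,203.0.113.7,erin,FAIL
2022-02-01T08:00:11Z,203.0.113.7,frank,FAIL
2022-02-01T08:00:13Z,203.0.113.7,grace,SUCCESS
2022-02-01T08:05:00Z,198.51.100.20,alice,FAIL
2022-02-01T08:05:10Z,198.51.100.20,alice,FAIL
2022-02-01T08:05:20Z,198.51.100.20,alice,SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def find_password_sprays(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted usernames} for every source whose failures,
    inside any sliding `window`, hit at least `min_users` distinct accounts
    with no more than `max_per_user` failures per account (the spray shape:
    many users, few tries each)."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        flagged = set()
        start = 0
        for end in range(len(fails)):
            # advance the window start until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.update(per_user)
        if flagged:
            hits[src] = sorted(flagged)
    return hits


def successes_after_spray(events, sprays):
    """Accounts that authenticated successfully from a spraying source: the
    credentials a defender should treat as compromised and reset."""
    return sorted({user for _, src, user, r in events if r == "SUCCESS" and src in sprays})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_password_sprays(evs)
    print("spraying sources:", found)
    print("likely compromised accounts:", successes_after_spray(evs, found))
```

The sliding window matters because a patient operator spreads attempts over hours; widen `window` and lower `max_per_user` to taste. Note that on a Wi-Fi network protected by MFA the final `SUCCESS` line would not by itself grant access, which is the gap the article points at.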
After successfully obtaining valid Wi-Fi credentials, the attackers hit their first obstacle: a Wi-Fi network can only be joined from within radio range, and their physical distance from the victim’s offices meant they could not connect directly.
Fancy Bear did not give up. Using pre-attack intelligence collection, they mapped all nearby companies with offices located close to the victim. They then breached those adjacent organizations.
Inside these neighboring networks, the infrastructure allowed for wired access to the internal network as well as Wi-Fi adapters that could scan for nearby wireless signals.
This meant the attackers could use these adapters to detect and connect to surrounding Wi-Fi networks, including the victim’s.
The group repeated the password spraying technique on the neighboring companies, obtained additional credentials, and leveraged the deployed Wi-Fi adapters to scan the area until they reached the victim’s Wi-Fi signal.
Using the credentials from the initial breach and the foothold in the “middle company,” they connected to the primary target’s wireless network through the neighbor’s systems, which acted as a relay, much like an ISP carrying traffic between a user and the destination server.
What the Attackers Actually Did Inside the Network
The incident response team later discovered a malicious file named servtask.bat, designed to extract sensitive data from the Windows Registry and compress it into a ZIP file in an attempt to evade EDR detection.
The attackers also used cipher.exe, a built-in Windows tool that can securely wipe deleted data from disk, to prevent forensic recovery of the files they removed.
After deeper analysis, investigators identified connections to the victim and the neighboring companies coming from Wi-Fi adapters with similar MAC addresses.
This immediately indicated that the same operator had compromised multiple organizations in coordinated time frames, revealing both the attack method and the attribution to Russia.
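The attribution clue in the two paragraphs above, adapters whose MAC addresses were near-identical and active at overlapping times in different organizations, is something responders can check mechanically once neighboring victims share wireless association logs. The script below is an added example written for this article, not code from the incident response team; the log format (`org,timestamp,client_mac,event`), the distance and time thresholds, and the MAC addresses (constructed, not real vendor OUIs) are all assumptions. It normalizes the differing MAC notations that wireless controllers emit, rebuilds client sessions, and flags cross-organization pairs that share an OUI, sit within a few addresses of each other, and overlap in time.

```python
"""Correlate wireless client MAC addresses across two organizations' logs.

Added example, not from the original article. Log format, thresholds and
the MAC addresses themselves are constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from itertools import combinations

# Constructed association logs from the victim and a neighboring company.
# The 02:aa:bb pair is two consecutive addresses from one "batch" of adapters,
# active at the same time in both networks; the 02:cc:dd pair shares an OUI
# but is far apart, like two employees who happen to own the same laptop model.
SAMPLE_LOGS = """\
victim,2022-02-04T21:10:00Z,02-AA-BB-4A-00-10,assoc
victim,2022-02-04T23:40:00Z,02-AA-BB-4A-00-10,disassoc
neighbor,2022-02-04T20:55:00Z,02aa.bb4a.0012,assoc
neighbor,2022-02-04T23:50:00Z,02aa.bb4a.0012,disassoc
victim,2022-02-05T09:00:00Z,02:cc:dd:11:22:33,assoc
victim,2022-02-05T17:30:00Z,02:cc:dd:11:22:33,disassoc
neighbor,2022-02-05T08:50:00Z,02:cc:dd:77:88:99,assoc
neighbor,2022-02-05T17:00:00Z,02:cc:dd:77:88:99,disassoc
"""


def normalize_mac(raw):
    """Accept colon, dash or Cisco dotted notation; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def split_mac(mac):
    """Return (OUI as 6 hex chars, NIC-specific part as an integer)."""
    digits = mac.replace(":", "")
    return digits[:6], int(digits[6:], 16)


def build_sessions(text):
    """Pair assoc/disassoc events into (org, mac, start, end) sessions."""
    open_assoc = {}
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        org, ts, raw_mac, event = line.split(",")
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        key = (org, normalize_mac(raw_mac))
        if event == "assoc":
            open_assoc[key] = t
        elif event == "disassoc" and key in open_assoc:
            sessions.append((org, key[1], open_assoc.pop(key), t))
    return sessions


def correlate_adapters(sessions, max_distance=16, slack=timedelta(hours=1)):
    """Flag session pairs from different orgs whose MACs share an OUI, differ
    by at most `max_distance` in the NIC part, and overlap in time (allowing
    `slack` for clock drift between the two organizations' controllers)."""
    findings = []
    for a, b in combinations(sessions, 2):
        if a[0] == b[0]:
            continue  # same organization: not a cross-org signal
        oui_a, nic_a = split_mac(a[1])
        oui_b, nic_b = split_mac(b[1])
        if oui_a != oui_b or abs(nic_a - nic_b) > max_distance:
            continue
        if a[2] <= b[3] + slack and b[2] <= a[3] + slack:
            findings.append({
                "orgs": tuple(sorted((a[0], b[0]))),
                "macs": tuple(sorted((a[1], b[1]))),
                "distance": abs(nic_a - nic_b),
            })
    return findings


if __name__ == "__main__":
    for f in correlate_adapters(build_sessions(SAMPLE_LOGS)):
        print(f)
```

Address proximity alone is a weak signal (a company that buys adapters in bulk will produce consecutive addresses on its own network), which is why the check insists on two different organizations and overlapping sessions before it reports anything; a single finding is a lead for the joint investigation, not proof.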
Tools like GooseEgg and servtask.bat, both previously associated with APT28 operations, further strengthened the connection to the group.
A Sobering Look at Cross-Organization Espionage
This is not the first time we have heard about state-backed threat groups conducting cross-border espionage.
However, this case is notable because it involved innocent, unrelated “white” organizations that had no involvement with the operation or the conflict.
They were simply chess pieces on a board controlled by players who did not know them and did not care about the collateral damage.
It is a strong reminder of how far state-sponsored APT groups are willing to go and how creative they can become when a target is important enough.