
posted by hubie on Wednesday November 27, @07:28PM
from the tinfoil-hats-for-skyscrapers dept.

In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street:

For determined hackers, sitting in a car outside a target's building and using radio equipment to breach its Wi-Fi network has long been an effective but risky technique. These risks became all too clear when spies working for Russia's GRU military intelligence agency were caught red-handed on a city street in the Netherlands in 2018 using an antenna hidden in their car's trunk to try to hack into the Wi-Fi of the Organization for the Prohibition of Chemical Weapons.

Since that incident, however, that same unit of Russian military hackers appears to have developed a new and far safer Wi-Fi hacking technique: Instead of venturing into radio range of their target, they found another vulnerable network in a building across the street, remotely hacked into a laptop in that neighboring building, and used that computer's antenna to break into the Wi-Fi network of their intended victim—a radio-hacking trick that never even required leaving Russian soil.

At the Cyberwarcon security conference in Arlington, Virginia, today, cybersecurity researcher Steven Adair will reveal how his firm, Volexity, discovered that unprecedented Wi-Fi hacking technique—what the firm is calling a "nearest neighbor attack"—while investigating a network breach targeting a customer in Washington, DC, in 2022. Volexity, which declined to name its DC customer, has since tied the breach to the Russian hacker group known as Fancy Bear, APT28, or Unit 26165. Part of Russia's GRU military intelligence agency, the group has been involved in notorious cases ranging from the breach of the Democratic National Committee in 2016 to the botched Wi-Fi hacking operation in which four of its members were arrested in the Netherlands in 2018.

In this newly revealed case from early 2022, Volexity ultimately discovered not only that the Russian hackers had jumped to the target network via Wi-Fi from a different compromised network across the street, but also that this prior breach had also potentially been carried out over Wi-Fi from yet another network in the same building—a kind of "daisy-chaining" of network breaches via Wi-Fi, as Adair describes it.

[...] Adair argues, though, that the case should serve as a broader warning about cybersecurity threats to Wi-Fi for high-value targets—and not just from the usual suspects loitering in the parking lot or the lobby. "Now we know that a motivated nation-state is doing this and has done it," says Adair, "It puts on the radar that Wi-Fi security has to be ramped up a good bit." He suggests organizations that might be the target of similar remote Wi-Fi attacks consider limiting the range of their Wi-Fi, changing the network's name to make it less obvious to potential intruders, or introducing other authentication security measures to limit access to employees.

[...] Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group—Microsoft refers to the group as Forest Blizzard—to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.

[...] The switch to hacking via Wi-Fi from a remotely compromised device rather than physically placing a spy nearby represents a logical next step following the GRU's operational security disaster in 2018, when its hackers were caught in a car in The Hague attempting to hack the Organization for the Prohibition of Chemical Weapons in response to the OPCW's investigation of the attempted assassination of GRU defector Sergei Skripal. In that incident, the APT28 team was arrested and their devices were seized, revealing their travel around the world from Brazil to Malaysia to carry out similar close-access attacks.

"If a target is important enough, they're willing to send people in person. But you don't have to do that if you can come up with an alternative like what we're seeing here," Hultquist says. "This is potentially a major improvement for those operations, and it's something we'll probably see more of—if we haven't already."


  • (Score: 4, Informative) by JoeMerchant on Wednesday November 27, @08:32PM (7 children)

    by JoeMerchant (3937) on Wednesday November 27, @08:32PM (#1383584)

    I mean, in the realm of "wasn't that obvious?" I don't think this even comes close to the "obvious once you've seen it" level of clever. This is pretty much straight-up "any idiot should have seen this coming" territory, or do I expect too much of our cybersecurity Red Team / Blue Team members?

    --
    🌻🌻 [google.com]
    • (Score: 3, Insightful) by Anonymous Coward on Wednesday November 27, @08:49PM (3 children)

      by Anonymous Coward on Wednesday November 27, @08:49PM (#1383587)

      Wifi has always been known to be an attack vector, and it's always been best practice not to have it, and if you need it, do your absolute damned best to confine it to your premises and airgap it from the important parts of your network. Nobody likes to listen to security best practices when it becomes inconvenient though.

      • (Score: 2) by JoeMerchant on Wednesday November 27, @09:06PM

        by JoeMerchant (3937) on Wednesday November 27, @09:06PM (#1383590)
      • (Score: 3, Interesting) by Tork on Wednesday November 27, @09:42PM (1 child)

        by Tork (3914) on Wednesday November 27, @09:42PM (#1383597)
        I haven't worked at a place where the wifi actually got you onto the company network in more than a decade. (Closer to two...) It was internet and that's it. If you were privileged you could get VPN credentials. I've purposefully veered away from that because I never want to be a suspect. This article has justified my paranoia.
        --
        🏳️‍🌈 Proud Ally 🏳️‍🌈
        • (Score: 3, Interesting) by JoeMerchant on Thursday November 28, @07:28PM

          by JoeMerchant (3937) on Thursday November 28, @07:28PM (#1383674)

          In our place, VPN gets you in from anywhere...

          The main wifi on site is internet only, but the various "local convenience networks...???"

          Zero trust should be coming, which would actually mean that being "in" the VPN or physical campus networks shouldn't give any additional privileges not granted to Internet based users.

          --
          🌻🌻 [google.com]
    • (Score: 2) by corey on Wednesday November 27, @09:22PM (2 children)

      by corey (2202) on Wednesday November 27, @09:22PM (#1383595)

      I didn't think a single wireless NIC could be used in two WLANs at the same time. Unless a laptop was plugged into a docking station or directly into a wired LAN, use that as the pipe in to the machine, then use the WLAN NIC to access the neighbour's WLAN.

      > to try to hack into the Wi-Fi of the Organization for the Prohibition of Chemical Weapons

      Wouldn’t expect much more from the Russians…

      • (Score: 2) by JoeMerchant on Wednesday November 27, @10:13PM

        by JoeMerchant (3937) on Wednesday November 27, @10:13PM (#1383600)

        All they needed was a machine they could own, in any fashion, that was equipped with WiFi that could reach the target network.

        The easy way is when a PC (like the one I'm typing on right now) is wired to the LAN but also equipped with WiFi...

        From there, you can get more creative: jump into a "servant" via WiFi on its normal network, then have your agent drop that network connection and connect to the target network. Oftentimes the target network will still be internet connected, but since you are "inside" you have now breached the firewall/NAT.

        I believe even WPA2 can be cracked, eventually, just by sitting and listening to the traffic - though when the WiFi password is: 12345678 it goes a little faster.

        --
        🌻🌻 [google.com]
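The dual-homed box described in the comment above (wired into the LAN while its Wi-Fi radio is free to associate elsewhere) is exactly what a defender's endpoint inventory should flag. The script below is an added example, not code from the commenter, Volexity or the article: it parses a constructed, hypothetical `key=value` inventory feed and reports hosts that are wired and on Wi-Fi at once, or associated with an SSID outside an assumed corporate allow-list.

```python
import re

# Constructed sample inventory lines (hypothetical format, not real data):
# one line per network interface, as an endpoint agent might report it.
INVENTORY = """\
host=wks-01 iface=eth0 type=wired state=up net=corp-lan
host=wks-01 iface=wlan0 type=wifi state=up ssid=Corp-Secure
host=lt-07 iface=eth0 type=wired state=up net=corp-lan
host=lt-07 iface=wlan0 type=wifi state=up ssid=Neighbor-Guest
host=lt-09 iface=wlan0 type=wifi state=up ssid=Corp-Secure
host=lt-12 iface=eth0 type=wired state=up net=corp-lan
host=lt-12 iface=wlan0 type=wifi state=down ssid=
"""

# Assumed allow-list of SSIDs the organisation operates.
APPROVED_SSIDS = {"Corp-Secure"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_inventory(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def find_pivot_candidates(text, approved=APPROVED_SSIDS):
    """Return {host: reason} for hosts that could bridge wired and Wi-Fi networks.

    A host is reported when a wired link and a Wi-Fi association are up at the
    same time (dual-homed), and/or when its Wi-Fi is joined to an SSID that is
    not on the approved list (a neighbouring network, for example).
    """
    by_host = {}
    for rec in parse_inventory(text):
        by_host.setdefault(rec["host"], []).append(rec)

    findings = {}
    for host, ifaces in by_host.items():
        wired_up = any(i["type"] == "wired" and i["state"] == "up" for i in ifaces)
        wifi_up = [i for i in ifaces if i["type"] == "wifi" and i["state"] == "up"]
        foreign = [i["ssid"] for i in wifi_up if i["ssid"] not in approved]
        if wired_up and wifi_up:
            reason = "dual-homed (wired + Wi-Fi up)"
            if foreign:
                reason += ", foreign SSID " + ",".join(foreign)
            findings[host] = reason
        elif foreign:
            findings[host] = "foreign SSID " + ",".join(foreign)
    return findings
```

Feeding a real agent export through `find_pivot_candidates` turns the "servant" scenario into a daily report rather than a surprise during incident response.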
      • (Score: 3, Informative) by aafcac on Thursday November 28, @12:28AM

        by aafcac (17646) on Thursday November 28, @12:28AM (#1383608)

        My WAP operates on more than one spectrum at the same time, I don't see why it couldn't be set up for one of those to be connected to a different network.

  • (Score: 5, Touché) by Frosty Piss on Wednesday November 27, @09:08PM

    by Frosty Piss (4971) on Wednesday November 27, @09:08PM (#1383592)

    Those pesky Russian spies, if not them than the COMMUNIST CHINESE... Lord knows Americans would never stoop so low...

  • (Score: 2) by Geotti on Wednesday November 27, @11:17PM (1 child)

    by Geotti (1146) on Wednesday November 27, @11:17PM (#1383602)

    ... laptop wifies you.

    • (Score: 2) by c0lo on Thursday November 28, @07:48AM

      by c0lo (156) on Thursday November 28, @07:48AM (#1383623)

      Yeah, those rusky wifeys and their sites.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford