
Remote risks and next-door networks: The anatomy of a nearest neighbor attack
In February 2022, Russian state threat group APT28, also called Fancy Bear, Forest Blizzard, and GruesomeLarch, attacked a U.S. company with ties to Ukraine.
The motive was familiar: intelligence gathering. The method, however, was novel — a new approach that combined remote risks with next-door networks. Known as a nearest neighbor attack, it's a wake-up call for companies that lock digital doors but leave Wi-Fi windows open.
In this piece, we'll break down the basics of a nearest neighbor attack, explore the APT28 compromise, and offer tips to help companies stay safe.
What is a nearest neighbor attack?
A nearest neighbor attack doesn't target intended victims directly. Instead, malicious actors compromise the digital security of nearby businesses and then use Wi-Fi-enabled devices to detect and connect with target networks.
This type of attack works because Wi-Fi is inherently local, with signals reaching only a short distance beyond a business's physical borders — just far enough to be detected by devices next door. And while companies are increasingly diligent about public-facing protection, they're often less concerned with Wi-Fi networks given their smaller digital footprint. As a result, many Wi-Fi networks can be accessed with nothing more than a username and password.
The result is a window of opportunity for attackers. Instead of trying to compromise well-protected corporate networks, they brute-force their way into poorly defended neighbors. Once inside, they find a dual-homed device — one that has both wired and wireless connections — and use this device to search for their target's Wi-Fi network. From there, they leverage stolen credentials to gain access and exfiltrate protected data.
From the perspective of potential victims, the attack is hard to detect and harder to track. Because Wi-Fi networks were accessed using legitimate credentials and there's no evidence of physical or digital tampering, IT teams must wait until attacks are in progress to capture signal data and determine the point of origin.
Anatomy of the APT28 attack
Like most attackers, Russian state actors prefer the simplest path to compromise: buying or stealing access credentials. If this doesn't work — in the 2022 attack, the target network was protected by multifactor authentication (MFA) — they'll often pivot to local Wi-Fi compromise. Agents have been caught in the act with hidden antennas while attempting on-site hacks.
To reduce their risk and cover their tracks, APT28 tried a different approach. Instead of hiding in cars or skulking around nearby parks, the attackers looked for nearby networks that did not use MFA. Then they used credential-stuffing attacks to compromise these networks, locate dual-homed devices, and connect to the target's Wi-Fi, which was not protected by MFA. This allowed APT28 to use previously stolen credentials without triggering additional security checks.
As noted by Dark Reading, the attackers took a living-off-the-land approach to avoid detection. They created a custom PowerShell script to find and examine available Wi-Fi networks, and used Windows tools such as Cipher.exe to move laterally through networks. The result was an attack that seemingly came from inside the building but was carried out thousands of miles away.
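A defender-side detection for the two stages described above, added here as an example and not code from the post or from any of the sources it cites. It runs over a constructed authentication log (the key=value layout is this example's own, not a vendor format) and flags (1) credential stuffing, meaning one source failing against many distinct accounts within a short window, which is what the compromised neighbor's own logs would have shown, and (2) a successful authentication on the target's Wi-Fi from a client MAC that is not in the asset inventory, which is how a valid but stolen credential presented from a stranger's dual-homed device would surface. The service names, addresses, MACs, usernames and device inventory are all constructed.

```python
"""Detection sketch for the two stages of a nearest neighbor attack (added example).
All log lines, service names, addresses, MACs and the device inventory are constructed;
the key=value layout is this example's own, not any vendor's log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events. svc = the service that performed the authentication
# (the neighbor's remote-access service, then the target's Wi-Fi); src = the client
# identity on that service (an IP for the remote service, a client MAC for Wi-Fi).
SAMPLE_LOG = """\
2022-02-03T09:14:02 svc=NEIGHBOR-VPN src=203.0.113.7 user=jsmith result=FAIL
2022-02-03T09:14:03 svc=NEIGHBOR-VPN src=203.0.113.7 user=mlee result=FAIL
2022-02-03T09:14:04 svc=NEIGHBOR-VPN src=203.0.113.7 user=agarcia result=FAIL
2022-02-03T09:14:05 svc=NEIGHBOR-VPN src=203.0.113.7 user=pwong result=FAIL
2022-02-03T09:14:06 svc=NEIGHBOR-VPN src=203.0.113.7 user=tnguyen result=FAIL
2022-02-03T09:14:09 svc=NEIGHBOR-VPN src=203.0.113.7 user=rkhan result=OK
2022-02-03T10:05:44 svc=NEIGHBOR-VPN src=198.51.100.9 user=mlee result=FAIL
2022-02-03T11:42:17 svc=TARGET-WIFI src=aa:bb:cc:00:00:01 user=dbrown result=OK
2022-02-03T11:43:00 svc=TARGET-WIFI src=de:ad:be:ef:10:20 user=dbrown result=OK
"""

# Constructed asset inventory for the target: the Wi-Fi client MACs the company owns.
KNOWN_DEVICES = {"de:ad:be:ef:10:20", "de:ad:be:ef:10:21"}


def parse_line(line):
    """Split one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag (svc, src) pairs where one source fails against many distinct
    usernames inside a short window. Returns {(svc, src): distinct users seen}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[(e["svc"], e["src"])].append(e)
    hits = {}
    for key, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                hits[key] = max(hits.get(key, 0), len(users))
    return hits


def find_unknown_device_logins(events, svc, known_devices):
    """Flag successful Wi-Fi authentications from a client MAC that is not in the
    asset inventory: a valid credential presented from a device nobody owns."""
    return sorted({(e["user"], e["src"]) for e in events
                   if e["svc"] == svc and e["result"] == "OK"
                   and e["src"] not in known_devices})


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {
        "stuffing": find_credential_stuffing(events),
        "unknown_devices": find_unknown_device_logins(events, "TARGET-WIFI", KNOWN_DEVICES),
    }


if __name__ == "__main__":
    for name, finding in run().items():
        print(name, finding)
```

On the constructed sample, the first check fires for the neighbor's remote-access service (five distinct accounts failing from one address within seconds, followed by a success), and the second check flags the target account authenticating over Wi-Fi from a MAC the company does not own a minute before the same account appears from an inventoried laptop. The thresholds are tunable; the point is that both stages leave an authentication trail even when the attacker is never physically nearby.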
Three ways to reduce next-door risk
Nearest neighbor attacks hijack next-door Wi-Fi networks to throw defenders off the trail. The longer it takes security teams to pinpoint the source of compromise, the more time malicious actors have to search through databases and steal critical data.
Here are three ways to reduce the risk of negative neighbor interactions:
1. Use better passwords
As noted above, Russian attackers used credential stuffing to compromise nearby businesses. By using better passwords — CISA suggests passwords that contain at least 16 characters, are random, and are unique to one account — and regularly changing these passwords, businesses can reduce the risk of being a bad neighbor.
2. Implement network-wide MFA
Wi-Fi without MFA gave malicious actors the access point they needed to use stolen credentials. By implementing multifactor authentication across corporate networks, companies can frustrate attacker efforts.
According to CISA, however, some types of MFA are better than others. For example, while text message (SMS) MFA provides more protection than a password alone, these messages can be intercepted by attackers. App-based push notifications or one-time passwords (OTPs), meanwhile, offer improved defense. Phishing-resistant tools such as FIDO, which leverages public-key infrastructure, are considered the most secure.
3. Create separate networks
Wi-Fi networks can act as lateral stepping stones for attackers to access wired connections, which in turn may allow access to protected resources. To reduce this risk, companies can build separate network environments. This means compromising Wi-Fi won't be enough — attackers will still need to pass MFA checks if they want access to wired networks.
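A segmentation audit for the stepping-stone risk described under this point, added here as an example and not code from the post. It models each host's active interfaces as edges between network segments, then walks outward from the corporate Wi-Fi segment to see whether a protected wired segment is reachable through dual-homed hosts and which hosts form the bridge. The inventory, the segment names and the remediate() function, which models the policy of not letting a host hold corporate Wi-Fi and a wired connection at the same time, are all this example's assumptions.

```python
"""Segmentation audit for the Wi-Fi stepping-stone risk (added example).
Every host, interface and segment below is constructed for this example."""
from collections import deque

# Constructed inventory: each host lists the network segment of every interface that
# is currently up. A host with interfaces in two segments bridges them (dual-homed).
INVENTORY = [
    {"host": "rcpt-desk-01", "ifaces": [("eth0", "office-lan"), ("wlan0", "corp-wifi")]},
    {"host": "lab-laptop-07", "ifaces": [("eth0", "office-lan"), ("wlan0", "corp-wifi")]},
    {"host": "db-server-01", "ifaces": [("eth0", "server-lan"), ("eth1", "office-lan")]},
    {"host": "mgmt-jump-01", "ifaces": [("eth0", "server-lan")]},
    {"host": "guest-tablet", "ifaces": [("wlan0", "guest-wifi")]},
]


def build_graph(inventory):
    """Map each segment to the (neighbor segment, bridging host) pairs it reaches
    through a host with interfaces in both segments."""
    graph = {}
    for entry in inventory:
        segs = {seg for _, seg in entry["ifaces"]}
        for s in segs:
            graph.setdefault(s, set())
            for t in segs:
                if t != s:
                    graph[s].add((t, entry["host"]))
    return graph


def reachable_from(graph, start):
    """Breadth-first walk: return {segment: [bridging hosts on the path]} for every
    segment reachable from `start` by hopping through dual-homed hosts."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, host in sorted(graph.get(cur, ())):  # sorted for deterministic paths
            if nxt not in paths:
                paths[nxt] = paths[cur] + [host]
                queue.append(nxt)
    return paths


def dual_homed_hosts(inventory):
    return sorted(e["host"] for e in inventory if len({s for _, s in e["ifaces"]}) > 1)


def audit(inventory, wifi="corp-wifi", protected="server-lan"):
    """Is the protected wired segment reachable from the Wi-Fi segment, and via whom?
    'reachable' is the list of bridging hosts, or None if there is no path."""
    paths = reachable_from(build_graph(inventory), wifi)
    return {"reachable": paths.get(protected), "dual_homed": dual_homed_hosts(inventory)}


def remediate(inventory, wifi="corp-wifi"):
    """Model the separation the post recommends (assumption: a host that holds a
    wired connection has its corporate Wi-Fi adapter disabled or moved to an
    isolated segment), so no host bridges Wi-Fi into the wired network."""
    fixed = []
    for e in inventory:
        ifaces = e["ifaces"]
        if len({s for _, s in ifaces}) > 1:
            ifaces = [(n, s) for n, s in ifaces if s != wifi]
        fixed.append({"host": e["host"], "ifaces": ifaces})
    return fixed


if __name__ == "__main__":
    print("before:", audit(INVENTORY))
    print("after: ", audit(remediate(INVENTORY)))
```

On the constructed inventory, an attacker holding only corporate Wi-Fi credentials reaches the server segment in two hops: a dual-homed laptop bridges Wi-Fi into the office LAN, and a database server with a second interface bridges the office LAN into the server segment. After the modelled separation, no path remains from Wi-Fi to the wired segments, although the database server is still dual-homed and would be the next thing to review. Feeding this kind of walk with real interface data from endpoint management is a cheap way to find the bridges before someone next door does.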
There goes the neighborhood
Good neighbors are polite, respectful and don't try to steal company secrets. Malicious actors, however, can now hijack poorly protected next-door networks to compromise Wi-Fi connections and evade digital defenses, adding an element of risk to otherwise peaceful neighborhoods.
Keeping digital streets safe means recognizing potential points of compromise, such as Wi-Fi unprotected by MFA or easily guessed passwords that can be used in credential stuffing attacks. By taking a whole-network approach to security that treats all components as equally and potentially insecure, companies can create consistent environments that leave attackers on the outside looking in.