Elite Russian Hackers Use Neighbor's Wi-Fi for Spy Game Masterpiece

From thousands of miles away, Russian hackers carried out a "nearest neighbor attack."

A sophisticated intrusion disclosed at the 2024 Cyberwarcon conference in Arlington, Virginia, ranks among the boldest operations attributed to state-sponsored attackers.

In the 2022 breach, hackers linked to Russia's GRU daisy-chained through the Wi-Fi networks of neighboring organizations to reach the network of a high-value target.

How the GruesomeLarch Hack Proceeded

According to Bleeping Computer, the attackers, tracked by Volexity as GruesomeLarch and tied to the infamous Fancy Bear, turned to this approach after conventional methods failed. The operation started with credential stuffing against a web service used by the victim's employees. They compromised several passwords, but two-factor authentication (2FA) on the service stopped them from logging in.

Blocked on that path, the attackers compromised Wi-Fi-enabled devices in adjacent buildings and used them to reach the target's Wi-Fi network.

The oversight: the same accounts were protected by 2FA on the web service, but the Wi-Fi network accepted a username and password with no second factor. Stolen passwords that were useless against the web portal therefore worked against the Wi-Fi, a serious gap in an otherwise layered defense.

Exploiting a Zero-Day Vulnerability

Along the way they exploited a then-unpatched vulnerability in the Windows Print Spooler service, a zero-day in active use in early 2022, to gain elevated control of compromised systems. Once inside one neighboring network, they repeated the approach against a second adjacent organization and from there reached the target's Wi-Fi network.

"This is a fascinating attack where a foreign adversary essentially conducted a close access operation while being physically quite far away," Steven Adair, a researcher and the president of Volexity, wrote in an email.

Adair added that the attackers found a way onto the Wi-Fi network without being detected.

Lessons from the 2022 Cyber Breach

The incident shows how a single security oversight, here the absence of 2FA on the Wi-Fi network, can undo an otherwise strong defense.

Ars Technica notes that organizations often assume proximity-based attacks are unlikely and therefore apply weaker controls to internal networks and Wi-Fi than to internet-facing services. GruesomeLarch exploited exactly that gap and then used persistence techniques to keep its access.

Threat of APT Groups

GruesomeLarch is Volexity's name for the actor more widely known as APT28 or Fancy Bear, one of the Advanced Persistent Threat (APT) groups assessed to be linked to the GRU. These groups specialize in finding and exploiting vulnerabilities and remain a persistent menace to the global cybersecurity landscape.

Every organization should therefore treat its Wi-Fi as part of its attack surface and secure it as strictly as its internet-facing services.

Cybersecurity researchers note that organizations need to take the following steps:
  1. Expand 2FA protections across all internal networks and internal Wi-Fi.
  2. Apply software patches promptly for vulnerabilities, like the one in the Print Spooler service.
  3. Conduct proximity threat assessments for critical systems.
  4. Train employees to recognize credential-stuffing risks, for example by not reusing passwords, and to report suspicious login prompts.
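As an added illustration of the gap described in the lessons above and of the first recommendation in the list, here is a small Python detection sketch. It is not code from the article, from Volexity or from any named vendor; the log format, thresholds, IP addresses, MAC addresses and account names are all constructed assumptions. It flags a credential-stuffing burst against an employee web portal, keeps the accounts whose password was accepted but then stopped at the MFA prompt, and raises an alert when those same accounts later authenticate to the Wi-Fi (via the RADIUS server behind 802.1X) from a device that is not in the asset inventory, which is what a password replayed from a neighbor's compromised machine would look like.

```python
"""Added example (not from the article or from Volexity): correlate a
credential-stuffing burst on a web portal with later Wi-Fi logons by the
same accounts. Log format, thresholds, addresses, MACs and user names
are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "web" lines come from the employee portal, "wifi"
# lines from the RADIUS server behind the enterprise Wi-Fi. MFA_REQUIRED
# means the password was correct but the second factor was never completed.
SAMPLE_LOG = """\
2022-02-04T10:00:01Z web src=203.0.113.10 user=alice result=FAIL
2022-02-04T10:00:03Z web src=203.0.113.10 user=bob result=FAIL
2022-02-04T10:00:05Z web src=203.0.113.10 user=carol result=FAIL
2022-02-04T10:00:07Z web src=203.0.113.10 user=dave result=FAIL
2022-02-04T10:00:09Z web src=203.0.113.10 user=erin result=MFA_REQUIRED
2022-02-04T10:00:11Z web src=203.0.113.10 user=frank result=MFA_REQUIRED
2022-02-04T10:05:00Z web src=198.51.100.7 user=alice result=FAIL
2022-02-04T10:05:30Z web src=198.51.100.7 user=alice result=OK
2022-02-04T10:40:12Z wifi user=erin mac=02:00:5e:10:00:01 result=ACCEPT
2022-02-04T10:41:30Z wifi user=frank mac=02:00:5e:10:00:01 result=ACCEPT
2022-02-04T11:02:00Z wifi user=alice mac=02:00:5e:aa:bb:cc result=ACCEPT
2022-02-04T11:10:00Z wifi user=erin mac=02:00:5e:10:00:09 result=REJECT
"""

# Constructed asset inventory: MACs of managed laptops expected on the Wi-Fi.
KNOWN_WIFI_CLIENTS = {"02:00:5e:aa:bb:cc", "02:00:5e:dd:ee:ff"}


def parse_log(text):
    """Turn 'timestamp source k=v k=v ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
        event.update(p.split("=", 1) for p in pairs)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_stuffing_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Flag portal sources that try at least min_users distinct accounts
    inside one time window: the signature of credential stuffing or spraying."""
    by_src = defaultdict(list)
    for e in events:
        if e["source"] == "web":
            by_src[e["src"]].append(e)
    flagged = set()
    for src, evs in by_src.items():
        for i, first in enumerate(evs):  # events are already time-sorted
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged


def compromised_accounts(events, stuffing_sources):
    """Accounts whose password the portal accepted from a flagged source,
    even if MFA then blocked the session. These are the passwords an
    attacker can replay against a Wi-Fi network that has no MFA."""
    return {e["user"] for e in events
            if e["source"] == "web" and e["src"] in stuffing_sources
            and e["result"] in {"OK", "MFA_REQUIRED"}}


def wifi_alerts(events, accounts, known_clients):
    """Wi-Fi acceptances for a compromised account. An unknown client MAC
    (not in the inventory) is the stronger signal: a neighbor's compromised
    device would never have been enrolled."""
    return [{"ts": e["ts"], "user": e["user"], "mac": e["mac"],
             "known_device": e["mac"] in known_clients}
            for e in events
            if e["source"] == "wifi" and e["result"] == "ACCEPT"
            and e["user"] in accounts]


def correlate(log_text, known_clients=KNOWN_WIFI_CLIENTS):
    """Run the three stages over a log and return a report dict."""
    events = parse_log(log_text)
    sources = find_stuffing_sources(events)
    accounts = compromised_accounts(events, sources)
    return {"stuffing_sources": sources,
            "compromised_accounts": accounts,
            "wifi_alerts": wifi_alerts(events, accounts, known_clients)}


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG)
    print("stuffing sources:", sorted(report["stuffing_sources"]))
    print("passwords likely compromised:", sorted(report["compromised_accounts"]))
    for a in report["wifi_alerts"]:
        tag = "known device" if a["known_device"] else "UNKNOWN device"
        print(f"{a['ts']:%H:%M} Wi-Fi ACCEPT for {a['user']} from {a['mac']} ({tag})")
```

On the sample data the portal burst from 203.0.113.10 is flagged, erin and frank are the accounts whose passwords were validated before MFA intervened, and both later appear on the Wi-Fi from a MAC that no managed device owns; alice's single failed-then-successful login from a different address and her Wi-Fi logon from an inventoried laptop raise nothing. In production the same join would be done between the identity provider's sign-in log and the RADIUS accounting log, and the MAC check would use the real endpoint inventory.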
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.