Wireless Networking Privacy Security

Russian Spies Jumped From One Network To Another Via Wi-Fi (wired.com)

"Steven Adair, of cybersecurity firm Volexity, revealed at the Cyberwarcon security conference how Russian hackers were able to daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes longtime Slashdot reader smooth wombat. Wired reports: Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.
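Two of the details in the summary above translate directly into detections a defender can run: the relay laptop gave itself away by announcing a hostname with the neighbour's domain suffix to the target's Wi-Fi, and on the neighbour's side it was a docked machine that was up on Ethernet and Wi-Fi at the same time. The following is an added example, not Volexity's tooling or anything from the Wired report, showing both checks over constructed data. The association-log format, the inventory shape, every hostname, MAC, AP name and domain below are assumptions made up for the example; a real controller or EDR export will need its own parser.

```python
import re
from collections import defaultdict

# Constructed association-log format (not any real controller's syntax):
#   <ts> AP=<ap-name> SSID=<ssid> MAC=<client-mac> HOST=<hostname-as-announced>
ASSOC_RE = re.compile(
    r"^(?P<ts>\S+)\s+AP=(?P<ap>\S+)\s+SSID=(?P<ssid>\S+)\s+"
    r"MAC=(?P<mac>\S+)\s+HOST=(?P<host>\S+)$"
)


def foreign_domain_clients(lines, our_domains):
    """Clients whose announced hostname carries a DNS/AD suffix outside our_domains.

    Returns {mac: {"host": hostname, "aps": {ap names}}}.  Hostnames with no
    suffix (printers, IoT boxes) are treated as unknown, not foreign, and skipped.
    """
    ours = {d.lower().strip(".") for d in our_domains}
    hits = defaultdict(lambda: {"host": None, "aps": set()})
    for line in lines:
        m = ASSOC_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; ignore the line
        host = m["host"].lower()
        if "." not in host:
            continue
        suffix = host.split(".", 1)[1]
        # "corp.example.org" is inside "example.org"; "ad.neighbor.example" is not
        if any(suffix == d or suffix.endswith("." + d) for d in ours):
            continue
        hits[m["mac"]]["host"] = host
        hits[m["mac"]]["aps"].add(m["ap"])
    return dict(hits)


def dual_homed_hosts(inventory):
    """Hosts with at least one wired AND one wireless interface up at once.

    inventory: {hostname: [{"name": str, "type": "ethernet"|"wifi", "up": bool}]}
    (constructed shape; adapt to whatever your EDR/MDM actually exports).
    """
    flagged = []
    for host, ifaces in inventory.items():
        kinds = {i["type"] for i in ifaces if i.get("up")}
        if {"ethernet", "wifi"} <= kinds:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample data: the neighbour's docked laptop (lt-dock-22) shows up
# on our conference-room AP announcing a foreign AD suffix, and in the
# neighbour's own inventory it is up on both Ethernet and Wi-Fi.
SAMPLE_ASSOC_LOG = [
    "2022-02-03T09:12:41Z AP=AP-CONF-EAST SSID=CORP MAC=aa:bb:cc:00:00:01 HOST=ws-analyst7.corp.example.org",
    "2022-02-03T09:15:02Z AP=AP-CONF-EAST SSID=CORP MAC=aa:bb:cc:00:00:09 HOST=lt-dock-22.ad.neighbor.example",
    "2022-02-03T09:17:33Z AP=AP-CONF-EAST SSID=CORP MAC=aa:bb:cc:00:00:09 HOST=lt-dock-22.ad.neighbor.example",
    "2022-02-03T09:20:00Z AP=AP-LOBBY SSID=CORP MAC=aa:bb:cc:00:00:04 HOST=printer-3",
    "malformed line of the kind a real export might contain",
]

SAMPLE_INVENTORY = {
    "lt-dock-22": [
        {"name": "eth0", "type": "ethernet", "up": True},
        {"name": "wlan0", "type": "wifi", "up": True},
    ],
    "ws-analyst7": [
        {"name": "eth0", "type": "ethernet", "up": True},
        {"name": "wlan0", "type": "wifi", "up": False},
    ],
    "lt-sales-5": [
        {"name": "wlan0", "type": "wifi", "up": True},
    ],
}


def run():
    """Run both detections over the constructed samples and return the findings."""
    foreign = foreign_domain_clients(SAMPLE_ASSOC_LOG, ["example.org"])
    bridged = dual_homed_hosts(SAMPLE_INVENTORY)
    return foreign, bridged


if __name__ == "__main__":
    foreign, bridged = run()
    for mac, info in foreign.items():
        print(f"foreign-domain client {mac} ({info['host']}) on APs {sorted(info['aps'])}")
    for host in bridged:
        print(f"dual-homed host (possible wired-to-wireless relay): {host}")
```

The first check is the one that would have shortened the investigation described above: a domain-joined client from another organisation authenticating to your enterprise SSID is worth an alert on its own, and correlating it with which AP it associated to points at the room, and therefore the neighbouring building, it came from. The second check is the one the neighbour could have run: a laptop that is docked on Ethernet and simultaneously associated to a Wi-Fi network has no ordinary reason to be, and it is exactly the state the relay needed.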

Comments:
  • The hacking will stop now that they can just buy the information they want
    • While you intended this to be a joke, adversaries are likely doing exactly that: buying all the useful info they can get from the legal spying networks: Google, Facebook, etc. Much like state sanctioned backdoors into telco networks are begging to be exploited by adversaries...
  • That's clever, tricky, and innovative.

  • by couchslug ( 175151 ) on Friday November 22, 2024 @08:39PM (#64965937)

    Convenience will keep that avenue of attack open.

    • And what about new motherboards that are built with Wi-Fi? Look at Newegg's site listing motherboards; most of them have Wi-Fi. What is the future going to look like with everything hooked to the internet, especially smart TVs, while dumb TVs are getting harder to find?
      • Adversarial wardriving to build botnets of vulnerable IoT devices will become a thing (if it isn't already). Wouldn't be surprised if it'll be done by exploiting Wi-Fi antennas on public transport / school buses, delivery vans, cars used for scanning for cars parked without valid parking tickets, etc.
      • by Entrope ( 68843 )

        Those motherboards generally come with antenna ports because you don't want the antenna itself on, or right next to, the motherboard. Even if the BIOS/UEFI for some reason doesn't have a way to turn off the Wi-Fi chip, you can put a terminating cap on the antenna port so that anything coming out of it just gets dissipated as heat from a resistor. If this is a Windows box in an enterprise, domain policies can disable Wi-Fi.

        There are lots of ways to mitigate security risks from onboard Wi-Fi.

      • What I saw when I went looking was mostly M.2 WiFi slots, my motherboard has one. It leaves me the option to choose one or none, I went with the latter and use my AP to bridge.

      • by wwphx ( 225607 )
        I'm suspecting my next TV may just be a large monitor. The audio is driven through my Sony receiver anyway. But I refuse to own an internet-connected TV.
  • I remember the ad-hoc sound-card networking some hacker pulled off for low bandwidth communication.

  • Volexity .. has since tied the breach to the Russian hacker group known as Fancy Bear .. the group has been involved in notorious cases ranging from the breach of the Democratic National Committee [wired.com] in 2016

    The so-called DNC hack was an inside job. Going on the file date-and-time stamps, they were copied locally.

    DNC interim chair Donna Brazile: “There’s one person who stands to benefit from these criminal acts, and that’s Donald Trump
    • Brazile is an evil lying cheater. She gave Hillary debate questions ahead of time.

      Bernie Sanders was the biggest beneficiary of the DNC Leaks.

      DNC was broke and the Clinton Foundation gave them a bailout in exchange for rigging the primary against Bernie.

      The leaks proved that.

      He still simpped out and endorsed her.

  • Was it Vault 7 where spooks were caught quartering their soldier code in people's home Linksys routers for proxy attacks?

    Somebody correct me if that was a different leak.
