Russian military spies have employed an innovative technique using neighboring Wi-Fi systems to breach secure networks in an unprecedented hacking operation dating to 2022, according to recent reports.
The Kremlin’s notorious APT28 hacking group, also known as Fancy Bear and attributed to GRU military intelligence Unit 26165, has advanced its methods, bypassing traditional close-access operations and instead reaching sensitive systems remotely by pivoting through a compromised network in a building across the street.
The discovery was made by cybersecurity researchers at Volexity, who traced the attack back to early 2022 while investigating a breach involving one of their customers in Washington, D.C., according to Wired. This new Wi-Fi hacking method, dubbed a “nearest neighbor attack,” has raised alarm among cybersecurity experts, revealing a far more sophisticated and remote form of espionage than previous attempts.
“This is the first case we’ve worked where you have an attacker that’s extremely far away and essentially broke into other organizations in the US in physical proximity to the intended target, then pivoted over Wi-Fi to get into the target network across the street,” Steven Adair, founder of Volexity, told Wired. The method essentially allowed the hackers to infiltrate their target’s network without ever having to physically approach the building or use risky radio equipment.
The attack marks a significant leap in espionage tactics, with APT28 circumventing the risks associated with traditional close-access methods. Instead of sitting outside a target’s building and using radio equipment to breach its Wi-Fi, as the group had done in past operations, the hackers found a far stealthier approach. They infiltrated a nearby organization’s network, compromised a laptop that was attached to that network by cable but still had a working Wi-Fi adapter, and used that adapter to join the intended victim’s Wi-Fi from across the street. This allowed them to breach sensitive systems without leaving Russian soil, a stark departure from previous, riskier operations.
The breach came to light in early 2022, when Volexity began investigating repeated intrusions into one of its customers’ networks. After months of following breadcrumbs left behind by the hackers, Volexity’s analysts determined that the device connecting to the customer’s Wi-Fi network was located in an office building across the street. “At that point, it was 100% clear where it was coming from,” said Adair. “It’s not a car in the street. It’s the building next door.”
With the cooperation of the neighboring organization, Volexity’s team traced the attack back to a laptop there that had been compromised. The hackers had turned the laptop’s Wi-Fi adapter into a relay, using it to jump from the compromised network into the target’s Wi-Fi. The investigation showed that the hackers had “daisy-chained” several networks together, a technique Volexity said it had not encountered before in this type of espionage.
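The pattern described above, a managed laptop sitting on one organization’s wired network while its Wi-Fi adapter associates with a neighbor’s SSID, leaves a trace in endpoint Wi-Fi logs. The following is an added example of how a defender could hunt for it; it is not Volexity’s tooling and not code from the original report. It assumes a hypothetical SIEM export in which Windows WLAN-AutoConfig events are flattened to one line each (the event IDs 8001 for a successful connection and 8003 for a disconnect follow the real WLAN-AutoConfig channel, but the line layout, hostnames, SSIDs and MAC addresses below are constructed for the example), and it flags hosts that joined a non-allowlisted SSID, hosts that joined a corporate SSID through an unknown access point, and, most tellingly, hosts that did so while also holding a wired address.

```python
"""Added example (not from the original article or from Volexity).

Hunts endpoint Wi-Fi association logs for the 'nearest neighbor' pattern:
a machine on our wired network whose Wi-Fi adapter joins a network that
is not ours.

Assumed (constructed) log line format, one WLAN-AutoConfig event per line:
  <ISO-8601 time> <hostname> EventID=<id> SSID="<ssid>" BSSID=<mac> Adapter=<name>
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Regex for the constructed line format above.  BSSID is a colon-separated MAC.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s+'
    r'SSID="(?P<ssid>[^"]*)"\s+BSSID=(?P<bssid>[0-9A-Fa-f:]{17})'
    r'(?:\s+Adapter=(?P<adapter>\S+))?'
)

# Constructed sample export.  LT-ACCT-17 is the interesting host: it leaves
# CORP-WIFI and joins NEIGHBOR-CORP while it is also a wired client.
SAMPLE_LOG = """
2022-02-03T21:14:05 LT-ACCT-17 EventID=8001 SSID="CORP-WIFI" BSSID=00:11:22:33:44:55 Adapter=Intel(R)Wi-Fi6AX201
2022-02-03T21:20:11 LT-ACCT-17 EventID=8003 SSID="CORP-WIFI" BSSID=00:11:22:33:44:55 Adapter=Intel(R)Wi-Fi6AX201
2022-02-03T21:21:40 LT-ACCT-17 EventID=8001 SSID="NEIGHBOR-CORP" BSSID=aa:bb:cc:dd:ee:01 Adapter=Intel(R)Wi-Fi6AX201
2022-02-03T22:02:09 LT-ACCT-17 EventID=8001 SSID="NEIGHBOR-CORP" BSSID=aa:bb:cc:dd:ee:01 Adapter=Intel(R)Wi-Fi6AX201
2022-02-03T22:05:00 WS-HR-03 EventID=8001 SSID="CORP-WIFI" BSSID=de:ad:be:ef:00:01 Adapter=Realtek8822
this line is deliberately malformed and must be skipped, not crash the hunt
2022-02-04T08:15:33 LT-ENG-02 EventID=8001 SSID="CORP-WIFI" BSSID=00:11:22:33:44:56 Adapter=Intel(R)Wi-Fi6AX201
"""

# Hypothetical allowlists: our SSIDs, the BSSIDs of our own access points,
# and the hosts currently holding a DHCP lease on the wired segment.
ALLOWED_SSIDS = {"CORP-WIFI"}
ALLOWED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}
WIRED_HOSTS = {"LT-ACCT-17", "LT-ENG-02"}


@dataclass(frozen=True)
class Alert:
    host: str
    ssid: str
    bssid: str
    first_seen: datetime
    reason: str


def parse_events(lines):
    """Yield parsed events; malformed lines are skipped rather than fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "eid": int(m["eid"]),
            "ssid": m["ssid"],
            "bssid": m["bssid"].lower(),
            "adapter": m["adapter"] or "",
        }


def find_foreign_associations(lines, allowed_ssids, allowed_bssids=None):
    """One Alert per (host, SSID) pair that successfully associated (8001)
    with a non-allowlisted SSID, or with a corporate SSID via an unknown
    BSSID (rogue or evil-twin access point).  Sorted by first sighting."""
    allowed_ssids = set(allowed_ssids)
    allowed_bssids = {b.lower() for b in (allowed_bssids or [])}
    seen = {}
    for ev in parse_events(lines):
        if ev["eid"] != 8001:
            continue
        key = (ev["host"], ev["ssid"])
        if key in seen:
            continue  # keep the earliest sighting only
        if ev["ssid"] not in allowed_ssids:
            seen[key] = Alert(ev["host"], ev["ssid"], ev["bssid"], ev["ts"],
                              "ssid-not-allowlisted")
        elif allowed_bssids and ev["bssid"] not in allowed_bssids:
            seen[key] = Alert(ev["host"], ev["ssid"], ev["bssid"], ev["ts"],
                              "unknown-bssid-for-corporate-ssid")
    return sorted(seen.values(), key=lambda a: a.first_seen)


def cross_reference_wired(alerts, wired_hosts):
    """Keep alerts whose host is also a wired client: a dual-homed machine
    bridging our LAN to someone else's Wi-Fi is the highest-priority case."""
    return [a for a in alerts if a.host in wired_hosts]


if __name__ == "__main__":
    alerts = find_foreign_associations(SAMPLE_LOG.splitlines(), ALLOWED_SSIDS, ALLOWED_BSSIDS)
    for a in alerts:
        print(f"{a.first_seen.isoformat()} {a.host} -> {a.ssid} ({a.bssid}): {a.reason}")
    for a in cross_reference_wired(alerts, WIRED_HOSTS):
        print(f"DUAL-HOMED: {a.host} is wired and on foreign SSID {a.ssid}")
```

Run against a real export, the hunt needs the two allowlists to come from an authoritative source (the wireless controller’s AP inventory and the wired DHCP server), otherwise a rogue AP that was never inventoried would pass as corporate. The dual-homed check is the one worth paging on: an association with a neighbor’s SSID alone may be a user’s mistake, but a wired workstation that is simultaneously a client of a foreign Wi-Fi network is the exact relay Volexity found on the neighboring laptop.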
According to Adair, the hackers had gained access to the second organization’s Wi-Fi using credentials they had obtained online. Two-factor authentication had stopped them from using those same credentials elsewhere, but the Wi-Fi accepted them without a second factor. It also appears that the attackers had exploited a VPN appliance on the second network, making the breach more sophisticated still. “Who knows how many devices or networks they compromised and were doing this on,” Adair noted.
Even after the hackers were evicted from the victim’s network, they attempted to regain access in the spring of 2022. Volexity found that they had tried to get in through a guest Wi-Fi network this time, but the attempt was quickly detected and blocked.
The investigation into the breach also confirmed that Russian hackers were behind the attack. Remnants left on the victim’s computer matched techniques Microsoft had previously attributed to APT28. The group had exploited a vulnerability in the Windows print spooler service to gain administrative access, an attack method known to be associated with Russia’s GRU. “It was an exact one-to-one match,” Adair said, tying the breach directly to the GRU’s cyber operations.
John Hultquist, founder of Cyberwarcon and a threat intelligence leader at Mandiant, called the "nearest neighbor attack" a natural evolution of APT28’s previous close-access tactics. In the past, the GRU had relied on physically infiltrating target networks by sending agents to hack into Wi-Fi systems from nearby locations. Hultquist noted that the shift to remotely compromised devices is a logical step in the group’s strategy. “This is essentially a close-access op like they’ve done in the past, but without the close access,” he said.
The GRU’s switch to remote Wi-Fi hacks represents a shift in tactics, especially after the public exposure of their failed operation in 2018. In that year, four members of the APT28 group were caught attempting to hack into the Organization for the Prohibition of Chemical Weapons in The Hague using a hidden antenna in their car. The incident, which led to arrests and the seizure of the hackers' devices, highlighted the risks associated with physically getting too close to a target. As Hultquist pointed out, “If a target is important enough, they’re willing to send people in person. But you don’t have to do that if you can come up with an alternative like what we’re seeing here.”
This new method could prove to be a game-changer for cyber-espionage operations, making it much easier and safer for attackers to breach high-value targets without ever leaving their home country. As cybersecurity experts warn, organizations facing such threats need to bolster their Wi-Fi security measures. Given that this intrusion relied on a corporate Wi-Fi network that accepted a stolen password without a second factor, and on a guest network as a fallback, that means treating Wi-Fi access with the same scrutiny as remote access rather than as a trusted part of the office. In light of this evolving threat landscape, Adair’s advice is clear: “Wi-Fi security has to be ramped up a good bit.”
The attack on the Washington, D.C. network is just the latest example of the growing sophistication of Russia’s cyber capabilities. As the GRU’s methods continue to evolve, this breach serves as a stark reminder that the line between physical and digital espionage is increasingly blurred—and the stakes, especially for high-value targets, have never been higher.