The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
ID: 97a11445-8e37-5dd6-a9f8-766353baa74c
STIX ID: report--97a11445-8e37-5dd6-a9f8-766353baa74c
Feed Name: Volexity Blog
Volexity investigated a February 2022 intrusion that it attributes with high confidence to the Russian APT GruesomeLarch (APT28). The attacker performed credential spraying against an Internet-facing service to obtain valid domain credentials; because the victim's enterprise Wi‑Fi did not require MFA, those credentials could be used there. The attacker then compromised neighboring organizations and dual-homed hosts and authenticated to the victim's enterprise Wi‑Fi from them, a technique Volexity calls the "Nearest Neighbor Attack." Once inside, the intruder relied on living-off-the-land techniques and a post-compromise toolset (GooseEgg/CVE-2022-38028 artifacts) to dump registry hives and attempt to extract Active Directory data (ntds.dit) via Volume Shadow Copy (VSS), securely erased artifacts with Cipher.exe, staged and exfiltrated data, and pivoted with netsh portproxy. Volexity provides detection and mitigation recommendations, including stricter Wi‑Fi controls, MFA or certificate-based authentication for Wi‑Fi, and monitoring for the described behaviors.
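As an added illustration of the "monitoring for the described behaviors" recommendation (example code, not Volexity's), the script below runs simple detection logic over constructed process-command-line records and flags the post-compromise stages named in the summary: netsh portproxy pivots, Cipher.exe wiping, ntds.dit access via VSS, and registry hive dumps. The exact command forms matched (reg save, vssadmin, cipher /w) and the log layout are assumptions for illustration; the summary names the tools, not their arguments.

```python
import re
from typing import Dict, List

# Behaviours from the summary mapped to command-line patterns.
# The precise argument forms are assumptions; tune them to your telemetry.
PATTERNS: Dict[str, re.Pattern] = {
    "portproxy_pivot": re.compile(r"netsh\s+(?:interface\s+)?portproxy\s+add", re.I),
    "secure_wipe": re.compile(r"cipher(?:\.exe)?\s+/w:", re.I),
    "ntds_via_vss": re.compile(r"vssadmin\s+create\s+shadow|ntds\.dit", re.I),
    "hive_dump": re.compile(r"reg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)", re.I),
}

def classify(cmdline: str) -> List[str]:
    """Return the behaviour tags whose pattern matches this command line."""
    return [tag for tag, pat in PATTERNS.items() if pat.search(cmdline)]

def scan(lines: List[str]) -> List[dict]:
    """Parse 'timestamp|host|cmdline' records and keep only those that match."""
    hits = []
    for line in lines:
        ts, host, cmd = line.split("|", 2)
        tags = classify(cmd)
        if tags:
            hits.append({"ts": ts, "host": host, "tags": tags})
    return hits

def chain_hosts(hits: List[dict], min_stages: int = 2) -> List[str]:
    """Hosts showing at least min_stages distinct behaviours: one stage alone
    (e.g. a lone shadow copy) is noisy, but several on one host is the pattern
    the summary describes."""
    by_host: Dict[str, set] = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).update(h["tags"])
    return sorted(host for host, tags in by_host.items() if len(tags) >= min_stages)

# Constructed sample records (not real telemetry); hostnames and paths are made up.
SAMPLE_LOG = [
    "2022-02-04T09:13:02Z|WS-DUALHOMED|netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.5.20 connectport=8443",
    "2022-02-04T09:20:11Z|DC01|vssadmin create shadow /for=C:",
    r"2022-02-04T09:21:40Z|DC01|cmd /c copy <shadow-copy-path>\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dat",
    r"2022-02-04T09:25:03Z|DC01|reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv",
    r"2022-02-04T09:40:55Z|DC01|cipher.exe /w:C:\Windows\Temp",
    r"2022-02-04T10:01:00Z|WS-FINANCE|notepad.exe C:\Users\a\report.txt",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["host"], ",".join(h["tags"]))
    print("multi-stage hosts:", chain_hosts(found))
```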
