Russian Spies Exploit Wi-Fi to Switch Between Networks in a Groundbreaking Hack

In a recent investigation, Volexity traced a sophisticated intrusion against one of its clients to an unexpected source. The case only broke open after a subsequent breach gave Volexity fuller logs of the attackers' activity; those logs showed the traffic coming from a hijacked machine that revealed the name of its host domain, which belonged to an organization located just across the street. “At that point, it was 100 percent clear where it was coming from,” remarked Volexity’s Adair. “It’s not a car in the street. It’s the building next door.”

Working with the neighboring organization, Volexity examined its network and identified the laptop that had served as the entry point. The attackers had compromised this device, which was plugged into the neighbor's wired network but also had Wi-Fi enabled; from it they associated to the target's wireless network, using the laptop as a relay between the two. The Wi-Fi credentials had been obtained earlier over the internet, and the attackers' previous attempts to use them against the target's internet-facing services had been stopped by two-factor authentication. The Wi-Fi, by contrast, evidently accepted the password alone, which is what turned the building next door, rather than the internet, into the route in.

Further investigation showed that the attackers had likely compromised the neighbor at two points: a VPN appliance belonging to that organization, and its Wi-Fi, which they reached in turn from devices on yet another network in the same building. That points to an operation in which the attackers daisy-chained through as many as three networks to reach their ultimate target. “Who knows how many devices or networks they compromised and were doing this on,” Adair commented, underscoring the extent of the threat.

Even after Volexity evicted the attackers from the client’s network, they did not give up. In the spring they tried again, this time through the client's guest Wi-Fi network, targeting shared resources. Volexity’s monitoring caught the attempt and the intrusion was shut down quickly. Adair described the persistence as notable, and it underlines the ongoing risk posed by a determined, well-resourced adversary.

Volexity had suspected from the start that the attackers were Russian, largely because of their focus on staff members of the target, an organization involved with Ukraine. Two years after the initial breach, Microsoft published a warning about a Windows print spooler vulnerability exploited by Russia’s APT28 hacking group, also tracked as Forest Blizzard, and the tooling it described matched what Volexity had found on the first compromised device. “It was an exact one-to-one match,” Adair stated, confirming the attribution to APT28.

Mapped to the MITRE ATT&CK framework, the intrusion combines initial access with a valid account (a stolen password that the Wi-Fi accepted without a second factor), lateral movement through a compromised neighbor's dual-homed laptop acting as a relay, and repeated re-entry, including via the guest network, after eviction. The practical lessons are concrete: enterprise Wi-Fi should demand the same multi-factor or certificate-based authentication as VPN and other remote access, because an adversary within radio range is otherwise handed an MFA bypass; hosts that are wired and wireless at the same time should be prevented by policy or at least flagged, since they can bridge networks; and Wi-Fi authentication logs should be correlated with VPN logs, so that a password-only wireless logon by an account that has just failed MFA elsewhere stands out.
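The two detection checks described above, written out as an added example (this is not Volexity's tooling, and the log records are constructed, simplified events rather than real VPN or RADIUS output): the first flags a password-only Wi-Fi logon by an account that was denied at the MFA step on the VPN shortly before, the pattern of an attacker who holds a valid password but cannot satisfy the second factor; the second flags hosts in an inventory snapshot that have a wired and a wireless link up at the same time, with the SSID compared against an assumed list of trusted corporate SSIDs.

```python
"""Correlation checks for the 'neighbor's Wi-Fi' pivot.

Added example, not Volexity's code. The event model (source, outcome,
user, client, timestamp, mfa flag) and the inventory format are constructed
simplifications; real VPN and RADIUS logs need a parser in front of this.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Timestamps are naive UTC ISO-8601.
SAMPLE_EVENTS = [
    # Password is correct but MFA fails on the internet-facing VPN ...
    {"ts": "2024-02-01T02:10:00", "source": "vpn", "user": "alice",
     "outcome": "mfa_denied", "mfa": True, "client": "203.0.113.50"},
    {"ts": "2024-02-01T02:12:00", "source": "vpn", "user": "alice",
     "outcome": "mfa_denied", "mfa": True, "client": "203.0.113.50"},
    # ... then the same account succeeds on the enterprise Wi-Fi, password only.
    {"ts": "2024-02-01T03:05:00", "source": "wifi", "user": "alice",
     "outcome": "success", "mfa": False, "client": "aa:bb:cc:dd:ee:01"},
    # A normal user: Wi-Fi success with no preceding VPN MFA denials.
    {"ts": "2024-02-01T08:00:00", "source": "wifi", "user": "bob",
     "outcome": "success", "mfa": False, "client": "aa:bb:cc:dd:ee:02"},
    # An old MFA denial outside the correlation window; must not alert.
    {"ts": "2024-01-20T09:00:00", "source": "vpn", "user": "carol",
     "outcome": "mfa_denied", "mfa": True, "client": "198.51.100.7"},
    {"ts": "2024-02-01T09:00:00", "source": "wifi", "user": "carol",
     "outcome": "success", "mfa": False, "client": "aa:bb:cc:dd:ee:03"},
]

# Constructed host inventory snapshot (as an EDR or NAC export might give).
SAMPLE_INVENTORY = [
    {"host": "LAPTOP-17", "ifaces": [{"type": "ethernet", "up": True},
                                     {"type": "wifi", "up": True, "ssid": "Neighbor-Corp"}]},
    {"host": "LAPTOP-22", "ifaces": [{"type": "ethernet", "up": True},
                                     {"type": "wifi", "up": False}]},
    {"host": "DESKTOP-03", "ifaces": [{"type": "ethernet", "up": True}]},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def wifi_logons_after_mfa_denials(events, window_hours=24, min_denials=1):
    """Return Wi-Fi successes without MFA for accounts that were denied at the
    MFA step on the VPN within `window_hours` beforehand."""
    window = timedelta(hours=window_hours)
    denials = {}
    for e in events:
        if e["source"] == "vpn" and e["outcome"] == "mfa_denied":
            denials.setdefault(e["user"], []).append(_parse(e["ts"]))
    alerts = []
    for e in events:
        if e["source"] != "wifi" or e["outcome"] != "success" or e["mfa"]:
            continue
        t = _parse(e["ts"])
        recent = [d for d in denials.get(e["user"], []) if t - window <= d <= t]
        if len(recent) >= min_denials:
            alerts.append({"user": e["user"], "wifi_ts": e["ts"],
                           "client": e["client"], "prior_mfa_denials": len(recent)})
    return alerts


def dual_homed_hosts(inventory, trusted_ssids=frozenset()):
    """Return hosts with a wired link and a wireless link up at the same time.
    Such a host can bridge the two networks; an SSID outside `trusted_ssids`
    is additionally marked as foreign."""
    findings = []
    for h in inventory:
        wired = any(i["type"] == "ethernet" and i["up"] for i in h["ifaces"])
        wifi = [i for i in h["ifaces"] if i["type"] == "wifi" and i["up"]]
        if wired and wifi:
            ssid = wifi[0].get("ssid")
            findings.append({"host": h["host"], "ssid": ssid,
                             "foreign_ssid": ssid not in trusted_ssids})
    return findings


if __name__ == "__main__":
    for a in wifi_logons_after_mfa_denials(SAMPLE_EVENTS):
        print("ALERT password-only Wi-Fi logon after VPN MFA denials:", a)
    for f in dual_homed_hosts(SAMPLE_INVENTORY, trusted_ssids={"Corp-WPA2E"}):
        print("ALERT dual-homed host:", f)
```

On the sample data the first check fires once, for `alice`, and stays quiet for `carol`, whose MFA denial is twelve days old; the second flags only `LAPTOP-17`, whose wireless side is associated to an SSID that is not on the trusted list. The 24-hour window and the one-denial threshold are assumptions to tune against your own false-positive rate.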
