The inside story of a Russian operation against a strategic target in the heart of Washington!

In cyberspace, no one can hear you scream. It is a silent war fought on networks, and one that can make a difference on real battlefields. In early February 2022, just before Russian forces invaded Ukraine, hackers linked to Unit 26165 of Russian military intelligence, the GRU, gradually worked their way into the heart of a company in Washington (United States) whose activity is considered sensitive.

Their objective: espionage, collecting data from experts and secret projects involving Ukraine. The group behind the cyberattack has been identified as GruesomeLarch, better known as APT28 (also tracked as Forest Blizzard, Sofacy and Fancy Bear), a group of Russian hackers whose escapades Futura has already covered on numerous occasions. Their method was meticulous and original, if laborious: the operators advanced in small steps, working their way toward the target through a succession of corporate Wi-Fi networks.

The details of this operation have just been revealed by the security company Volexity, which published its investigation more than two years after the invasion. The infiltration would never have been detected had Volexity not deployed a detection module at one of its clients. From that alert, the investigators were able to reconstruct the path of this stealthy attack, unprecedented in the way it proceeded.

The “nearest neighbor” attack

To advance toward their target, the hackers first broke into a poorly protected computer. Through this foothold, they were able to activate its Wi-Fi connection. From there, they connected to another Wi-Fi network whose security was weak, and from that network they reached the target company's. The irony is that the target was simply located on the other side of the street. In other words, the hackers progressed slowly but surely, hopping from network to network to reach their goal, while leaving hardly any trace of their passage.
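Added example (not from the article or from Volexity's report): the hop described above needs a machine that sits on one organisation's wired LAN and can also bring up a Wi-Fi radio, which turns it into a bridge between two networks. One check a defender can run is to correlate wired DHCP leases with wireless association logs and flag any host that is on both at once. The log format, hostnames, SSID and the 8-hour lease lifetime below are all constructed for the illustration.

```python
"""Flag 'dual-homed' hosts: machines holding a wired DHCP lease that also
associate to a Wi-Fi network. Added illustration for the attack described
above; the log format, hostnames, SSID and lease lifetime are constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events, one per line: ISO timestamp followed by key=value
# fields. In a real environment these would come from the DHCP server and the
# wireless controller / RADIUS logs, joined on hostname (or MAC address).
SAMPLE_LOG = """\
2022-02-03T09:12:01Z host=LT-ACCT-07 medium=wired event=dhcp_lease ip=10.20.4.31
2022-02-03T09:40:15Z host=LT-ACCT-07 medium=wifi event=assoc ssid=NeighborCorp-WLAN
2022-02-03T09:41:02Z host=LT-ACCT-07 medium=wifi event=auth_ok ssid=NeighborCorp-WLAN user=jdoe
2022-02-02T07:00:00Z host=LT-SALES-11 medium=wired event=dhcp_lease ip=10.20.4.58
2022-02-03T08:00:00Z host=LT-SALES-11 medium=wifi event=assoc ssid=NeighborCorp-WLAN
2022-02-03T10:05:44Z host=WS-HR-02 medium=wired event=dhcp_lease ip=10.20.7.12
2022-02-03T18:30:00Z host=WS-HR-02 medium=wired event=dhcp_release ip=10.20.7.12
2022-02-03T18:45:10Z host=WS-HR-02 medium=wifi event=assoc ssid=NeighborCorp-WLAN
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<rest>.+)$")


def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict; 'ts' becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_bridging_hosts(log_text: str, lease_ttl_hours: float = 8.0) -> List[Tuple[str, str, str]]:
    """Return (host, time, ssid) for every host that associates to a Wi-Fi
    network while it still holds a live wired DHCP lease.

    A lease counts as live until it is released or lease_ttl_hours have passed
    (the 8-hour default is an assumption; use your DHCP server's real lease time).
    Each (host, ssid) pair is reported once, on its first wireless event.
    """
    ttl = timedelta(hours=lease_ttl_hours)
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    wired_until: Dict[str, datetime] = {}   # host -> when its wired lease stops counting
    seen = set()
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        host, ts = ev["host"], ev["ts"]
        if ev["medium"] == "wired":
            if ev["event"] == "dhcp_lease":
                wired_until[host] = ts + ttl
            elif ev["event"] == "dhcp_release":
                wired_until.pop(host, None)
        elif ev["medium"] == "wifi" and ev["event"] in ("assoc", "auth_ok"):
            ssid = ev.get("ssid", "?")
            until = wired_until.get(host)
            if until is not None and ts <= until and (host, ssid) not in seen:
                seen.add((host, ssid))
                alerts.append((host, ts.isoformat(), ssid))
    return alerts


if __name__ == "__main__":
    for host, when, ssid in find_bridging_hosts(SAMPLE_LOG):
        print(f"ALERT dual-homed: {host} joined {ssid} at {when} while on the wired LAN")
```

In the sample, only LT-ACCT-07 is flagged: WS-HR-02 released its wired lease before joining Wi-Fi, and LT-SALES-11's lease had expired under the 8-hour assumption (raise the lifetime to 48 hours and it is flagged too). To run this on real data, export DHCP lease/release events and wireless controller or RADIUS association events into the same key=value shape, keyed on hostname or MAC address.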

At the time, Volexity managed to neutralize the attack, but the hackers came back, both through the networks they had already compromised and by taking other routes, such as a compromised VPN. It is this very particular practice, with a clear objective, that made it possible to attribute the attack to APT28, a group whose methods bear the hallmarks of the Kremlin. History does not say whether the data collected was of any use in furthering Russia's war aims.
