Author: Miranda

AMA with Brian Contos and Brett Walkenhorst (Bastille) on the Nearest Neighbor Attack


On December 17, 2024, Brian Contos spoke with Brett Walkenhorst, Bastille Networks’ Chief Technology Officer, in a short Ask Me Anything video about the recent wireless attack that Volexity disclosed.

The conversation explores the “Nearest Neighbor Attack,” an innovative wireless attack strategy highlighting how attackers bypass traditional proximity-based security assumptions. It delves into the attack’s mechanics and implications and discusses how Bastille Networks’ solutions address these challenges.

Volexity states, “The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed. This attack has all the benefits of being in close physical proximity to the target while allowing the operator to be thousands of miles away.”

The Nearest Neighbor Attack exemplifies the ingenuity and persistence of modern cyber adversaries. It underscores the need for comprehensive wireless security solutions like Bastille Networks, which provide visibility, detection, and actionable responses to mitigate these evolving threats. By integrating seamlessly with existing systems, Bastille addresses critical gaps in wireless security and helps organizations stay ahead of attackers.

Watch the video to hear the full discussion.

Samsung Employee Indicted for Stealing $180 Million in Intellectual Property Using Phone Camera, Seoul Prosecutors Claim

A recent industrial espionage case in South Korea highlights how insider threats can leverage physical and wireless vulnerabilities to exfiltrate highly sensitive intellectual property. The incident, which South Korean prosecutors value at over $180 million in damages, demonstrates why organizations need comprehensive visibility into all potential data exfiltration channels, including personal cell phones.

The Incident

The Seoul Eastern District Prosecutors’ Office indicted a former Samsung Display researcher for allegedly stealing trade secrets related to automated factory operations and leaking them to a Chinese competitor. The researcher, who was based in China for Samsung Display, is accused of photographing at least 17 key documents covering Samsung’s Digital Display IP and transmitting them directly to employees of the Chinese firm between November 2021 and May 2022.

The Security Gaps

This case exposes several critical vulnerabilities that many organizations still struggle to address:

  1. Unauthorized Data Transmission: The suspect photographed and transmitted sensitive data directly to external parties without detection, using their mobile device, thus bypassing traditional network monitoring.
  2. Physical-Digital Convergence: The attacker exploited the gap between physical security controls and digital security monitoring by photographing confidential information and wirelessly transmitting it.
  3. Prolonged Exfiltration: The continuous data transmission over several months suggests a capability gap to detect anomalous wireless activity within secure areas.

The Impact

Prosecutors estimate the economic damage at 241.2 billion won (approximately $180 million), and experts suggest the technological gap created by this leak represents about ten years of R&D advantage. More concerning, during a May 2024 search of the employee’s residence, investigators discovered additional trade secrets beyond the 17 photographs that earlier investigations had missed.

Key Lessons for CISOs

This incident underscores why modern security programs must:

  • Monitor all potential data exfiltration vulnerabilities, including the proximity of personal phones to restricted areas with sensitive information. 
  • Maintain continuous visibility into wireless device activity within sensitive areas.
  • Deploy solutions that can detect anomalous wireless transmissions in real-time.
  • Correlate physical and digital security data for more effective threat detection.

The ability to detect and prevent wireless data exfiltration is no longer optional – it’s a critical requirement for protecting intellectual property in today’s threat landscape. Organizations must ensure complete visibility into their wireless airspace to identify potential insider threats before critical data leaves the building.

FBI and NSA warn of three new wireless attack vectors already exploited in the wild

In a joint cybersecurity advisory released October 10th, 2024, the FBI, NSA, UK NCSC, and other Western intelligence agencies warned that Russia’s Foreign Intelligence Service (SVR) continues to successfully breach private sector and government networks worldwide using a combination of traditional network attacks and concerning new wireless intrusion techniques.

The Wireless Vulnerabilities

The advisory highlights 24 specific vulnerabilities that network defenders should remediate to protect themselves against active exploitation from SVR (also known as APT-29, Midnight Blizzard, and Cozy Bear). While many of the highlighted CVEs target traditional network infrastructure like Microsoft Exchange Server and Apache, three vulnerabilities specifically enable wireless attacks that can compromise devices without requiring direct network access:

1. The agencies highlight CVE-2023-24023, a vulnerability in Bluetooth pairing that allows attackers within wireless range to conduct man-in-the-middle attacks, downgrade encryption, and potentially intercept or inject communications between Bluetooth devices.

2. The alert also suggests the SVR is exploiting CVE-2023-45866, a vulnerability that lets attackers within proximity of Bluetooth keyboards inject keystrokes and execute arbitrary commands on the connected computer – essentially giving them remote control of the machine through its wireless peripherals.

3. Third, and perhaps most concerning, is CVE-2023-40088, which enables remote code execution on Android devices through a “proximal/adjacent” Bluetooth attack without requiring any user interaction. This vulnerability means attackers only need to launch attacks from wireless transmitting devices within range of their target, not necessarily connected to the target’s network.

Attacker Strategy

The intelligence agencies note that SVR hackers are performing both targeted and opportunistic compromises of organizations by combining exploitation of traditional tactics like password spraying, supply chain compromise, and cloud account takeover with newer tactics. This hybrid approach lets them breach networks through conventional means and exploit wireless devices. The most concerning is how threat actors could hybridize these attacks – all of APT-29’s other profiled tactics are remote. As another Russian state-affiliated actor, APT-28, has shown with their Nearest Neighbor Attack, attackers thousands of miles away and outside an organization’s network security perimeter can control those devices launching wireless attacks remotely. Investigators found APT-28 remotely compromised the networks of nearby buildings and then launched wireless attacks from the devices on those neighboring networks. The alert does not specify that this is what APT-29 is doing. However, a joint cybersecurity advisory telling organizations around the globe to patch three separate proximal/adjacent wireless attack vectors suggests APT-29 can exploit these wireless attacks at scale.

“This activity is a global threat to the government and private sectors and requires thorough review of security controls, including prioritizing patches and keeping software up to date,” said Dave Luber, NSA’s Cybersecurity Director. The advisory states that SVR has “consistently targeted US, European, and global entities in the defense, technology, and finance sectors.”

The agencies strongly recommend organizations patch these vulnerabilities immediately, implement multi-factor authentication wherever possible, audit cloud accounts regularly, and, notably, “baseline authorized devices and apply additional scrutiny to systems accessing network resources that do not adhere to the baseline.” This recommendation suggests organizations need better visibility into what wireless devices are actually present in their facilities, not just what’s officially connected to their networks.

Why Wireless Airspace Defense

In the alert, the authoring agencies “recommend testing your existing security controls to assess how they perform against the techniques described in this advisory,” three of which are wireless attack techniques. 

Intelligence agencies have recently started highlighting other Russian hacking groups exploiting wireless vulnerabilities. In June 2024, the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services released a cyber advisory on the Qilin Ransomware Group, which listed MITRE ATT&CK “T1011.001 – Exfiltration Over Other Network” as one of its tactics. Cybersecurity firm Volexity reported on the Nearest Neighbor Attack mentioned above in November 2024.

How To Protect Your Wireless Airspace

Organizations should review the full advisory for a complete list of vulnerabilities and detailed mitigation guidance. The key takeaway is that network defenders can no longer focus solely on protecting network perimeters – they must also actively monitor and secure the wireless airspace around their facilities, as sophisticated adversaries are increasingly exploiting these invisible attack vectors.

Contact Bastille today to learn how your organization can protect against these and other wireless vulnerabilities.

NSA Issues Updated Guidance on Russian SVR Cyber Operations (National Security Agency/Central Security Service press release)
Russian APT’s “Nearest Neighbor Attack” Reveals Critical Security Gap: An Organization’s Wireless Airspace – Bastille
https://media.defense.gov/2024/Oct/09/2003562611/-1/-1/0/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF

Pakistani State Actors Compromised Indian Gov with Hak5 Wireless Pentesting Tools — Russia Remotely Hijacked Them

Joint reports from Microsoft Threat Intelligence and Black Lotus Labs disclose details of a years-long hacking campaign by the Russian FSB-linked group Secret Blizzard. Through a sophisticated multi-stage campaign, the group successfully compromised and repurposed Pakistani cyber operations infrastructure in Afghanistan and Indian networks.

The Heart of The Investigation: Hardware Hack

While tracking the activity of the Pakistani state-affiliated group “Storm-0156”, Black Lotus Labs researchers discovered a C2 server designed to remotely control a suite of deployed Hak5 commercial pen-testing devices. Hak5 sells a variety of disguised penetration testing implant tools that rely on wireless or physical device access to compromise a target. Many of these tools have independent wireless antennas that allow remote C2 control via Hak5 software. Researchers observed that Storm-0156’s server (which carried Hak5’s commercial C2 software banner) had unusually high data flow from several targets, including the Indian Ministry of Foreign Affairs office in Europe, an Indian national defense organization, and several other government bodies. This activity suggests that Storm-0156 had deployed Hak5 implants on these networks. Black Lotus Labs researchers assume that the group chose Hak5 devices because of the advantage of this attack vector: these wireless and close-access attacks bypass standard EDR/XDR protections.

The Russian Takeover

What came next was surprising: every Storm-0156 C2 node used in this operation began communicating with three VPS IP addresses associated with the Russian FSB-linked group “Secret Blizzard” (also known as Turla). As the investigation of Storm-0156’s campaigns progressed, researchers discovered that Russia’s Secret Blizzard had compromised 33 command-and-control server nodes used for Storm-0156’s Indian and Afghan cyber operations campaigns.

Expansion of Operations

The Russian actors didn’t stop at simply monitoring Pakistani operations. By mid-2023, they had:

  • Infiltrated Pakistani operators’ workstations
  • Deployed their custom malware (“TwoDash” and “Statuezy”) into the networks of the Afghan Government Ministry and Intelligence Agencies
  • Acquired control of additional hacking tools used by other threat actors, including “Waiscot” and “CrimsonRAT”
  • Began retargeting Indian networks compromised by Storm-0156

Impact:

While current reports do not disclose further details on Secret Blizzard’s recent campaigns, they already highlight some key strategic implications.

Until the recent Nearest Neighbor Attack alerted the world to the reality of remote wireless attacks, cybersecurity professionals had discounted their organization’s wireless and cyber-physical vulnerabilities. Despite these attacks having many inherent advantages in avoiding EDR/XDR detection, organizations tolerated an increasing debt of wireless and cyber-physical vulnerabilities because they assumed attackers needed “Close Access” to exploit them. The events of 2024 have made clear, however, that attackers are actively leveraging an organization’s lack of wireless airspace visibility in their attack strategy. In the past 6 months, reports on Qilin group, APT-28, APT-29, and Storm-0156 have profiled their use of wireless attack vectors in cyber operations. As we see from the compromised C2 server in this attack, or APT-28’s Nearest Neighbor Attack, attackers can exploit these wireless vulnerabilities remotely.

How Bastille Can Help:

Bastille Networks’ Wireless Airspace Defense would:

  • Immediately identify the location and anomalous connections of any Hak5 wireless device
  • Implement continuous wireless monitoring to detect unauthorized devices and connections
  • Detect and locate all other wireless implants in real-time
  • Create alerts for anomalous wireless behavior that could indicate compromised infrastructure
  • Maintain a comprehensive wireless device inventory

Now, more than ever, the ability to detect, locate, and raise alerts on unauthorized wireless devices and connections is a critical security requirement as adversaries increasingly leverage wireless attack methods to bypass traditional defenses.

FBI warns of broad and ongoing Salt Typhoon Telecom Breach

Americans should stop unencrypted texting on their iPhones or Androids

Executive Summary

A confluence of troubling developments has emerged as U.S. officials reveal that Chinese state hackers remain deeply embedded in telecommunications systems. Meanwhile, due to the ongoing breach, the FBI and CISA have taken the unprecedented step of warning Americans to abandon standard text and voice messaging in favor of encrypted communications. This move represents a fundamental shift in how organizations approach personal and corporate wireless device security.

The Ongoing Breach

The Salt Typhoon breach of most U.S. telecommunications providers, initially disclosed to have targeted the presidential campaigns of both Donald Trump and Kamala Harris, now appears to be just a part of an ongoing “broad and significant cyber espionage campaign,” according to CISA Executive Assistant Director Jeff Greene. Greene confirmed the telecommunications compromise is “ongoing and likely larger in scale than previously understood.” “We cannot say with certainty that the adversary has been evicted because we still don’t know the scope of what they’re doing,” said Greene. Senior FBI officials believe the investigation timeline to uncover Salt Typhoon’s full presence in these systems will be “measured in years.”

So far, the investigation has confirmed that attackers gained access to:

  • Individual voice call audio and text message content
  • Bulk customer call metadata and communication patterns
  • Law enforcement surveillance request data

FBI warns Americans to stop sending texts

In light of the ongoing breach, CISA and FBI officials have urged Americans to “use encrypted apps for all their communications.” In the press briefing, Greene added, “Our suggestion, what we have told folks internally, is not new here: encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”

Enterprise IP Targeted

Following Tuesday’s media briefing, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, addressed reporters on Wednesday, stating that officials now believe Chinese state-affiliated actors had, in addition to targeting people of political interest to the Chinese government, targeted key enterprise IP. “We believe this is intended as a Chinese espionage program focused, again, on key government officials, key corporate IP, so that will determine which telecoms were often targeted, and how many were compromised as well.” In the same address, Neuberger reiterated that Chinese state-affiliated actors are still in U.S. telecom networks and stated the breach has likely persisted for the last 1-2 years. Neuberger also revealed that officials now believe these attacks have impacted the telecommunications providers of multiple countries in the EU and the Indo-Pacific region, in addition to at least eight telco providers in the U.S.

Enterprise Impact Assessment

U.S. officials’ broad warning of this breach’s potential impact on Americans exposes a critical enterprise security gap that demands immediate attention:

It doesn’t matter if it’s a personal or enterprise-controlled device. Smartphones record an incredible variety of information from their environment and transmit it over networks your organization does not control.

Organizations should establish policies to prevent personal or enterprise cell phones from being near sensitive information that could be (unknowingly) exfiltrated via the device’s voice, camera, or messaging capabilities.

  1. Communication Security: Organizations must reevaluate their wireless communication security, particularly:
  • Executive communications protocols
  • Sensitive business discussions
  • Cross-border communications
  2. Threat Detection Capabilities: Traditional network monitoring may miss wireless-based threats, necessitating:
  • Continuous wireless spectrum monitoring with real-time, precise wireless device location reporting, integrated into existing SIEM and physical security systems to enforce device policy near sensitive locations
  • Real-time anomaly detection
  • Enhanced visibility into wireless device behavior

Strategic Implications 

“We need to do some hard thinking long-term on what this means and how we’re going to secure our networks,” acknowledged CISA officials. This crisis represents more than just another data breach – it demonstrates fundamental vulnerabilities in how modern enterprises communicate.

The combination of compromised carrier networks and inherently insecure messaging platforms creates an urgent need for organizations to implement comprehensive wireless security monitoring. Without the ability to detect anomalous cellular activity, device presence, unauthorized connections, and potential compromises, enterprises remain blind to sophisticated attacks that bypass traditional security controls.

How Bastille Can Solve This Problem

Bastille Networks’ Wireless Airspace Defense Sensor Arrays allow organizations real-time visibility and anomaly reporting into the wireless devices transmitting in their environment. 

Bastille integrates into your existing SIEM solution and provides complete visibility and alerting for:

  • Unauthorized cellular devices that could be exfiltrating sensitive information
  • Rogue access points that could intercept wireless traffic
  • Bluetooth connections that could create unauthorized data channels
  • Malicious wireless connections to your network infrastructure, like those seen with the recent APT28 Nearest Neighbor Attack

Contact Bastille today to learn how your organization can secure the vulnerabilities in your wireless airspace attack surface.

Russian APT’s “Nearest Neighbor Attack” Reveals Critical Security Gap: An Organization’s Wireless Airspace

“Your network perimeter probably just got a bit wider.”

Brian Krebs, KrebsOnSecurity.com, November 23rd, 2024

A groundbreaking investigation released November 22, 2024, by Volexity details an alarming new attack vector dubbed the “Nearest Neighbor Attack.” This sophisticated technique allowed Russian state-sponsored attackers to breach a highly fortified target’s network, not by targeting it directly, but by taking control of the wireless networking devices of adjacent companies in buildings within the transmitting range of their target.

The Attack Timeline 

In February 2022, just before the Russian invasion of Ukraine, Volexity detected suspicious activity on a customer’s server (which the report referred to as Organization A) that would lead to one of their most fascinating investigations. The Russian APT group GruesomeLarch (APT28/Fancy Bear) had successfully infiltrated their target using a multi-stage attack that exploited fundamental weaknesses in how wireless networks operate:

Initial Compromise:

  • The attackers first conducted password-spray attacks against Organization A’s public-facing web service platform to validate stolen credentials.
  • While they could not use these credentials for remote access due to MFA requirements, the organization’s Wi-Fi network only required username/password authentication.
  • This authentication setting created a critical security gap – but one the attackers couldn’t directly exploit from overseas.

The Neighbor Pivot:

  • To bridge the physical distance gap, the attackers first compromised Organization B across the street from their target.
  • Within Organization B’s network, they searched for and found systems with both wired ethernet and wireless network capabilities.
  • Using these dual-homed systems, they could scan for and connect to nearby wireless networks using the credentials from Organization A they had validated on the web service platform. 
  • These systems gave them direct access to Organization A’s internal network, bypassing external security controls.

Maintaining Persistence:

  • When the attackers lost initial access, they pivoted, compromising another nearby business, Organization C.
  • They used Organization C’s systems to regain wireless access to Organization B and, ultimately, Organization A.
  • Even after remediation efforts, they attempted another way into Organization A through the guest Wi-Fi network, which lacked proper segmentation from the corporate network.
  • The attackers used the Windows Netsh utility to create port forwards, allowing them to pivot from guest wireless to internal systems.
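The pivot described above leaves two host-level traces a defender can look for: a workstation with both a wired and a Wi-Fi adapter active at once, and netsh commands that join a Wi-Fi network or add a port forward. The following Python script is an added example (not Volexity’s or Bastille’s code) that checks a constructed host inventory and constructed process-creation log lines for both signals; the hostnames, SSID, address ranges and log line format are assumptions.

```python
"""Flag the host-level signals of a Nearest Neighbor style pivot:
(1) dual-homed hosts bridging a wired LAN to Wi-Fi, and
(2) netsh commands that join a Wi-Fi network or add a port forward.
All sample data below is constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed corporate ranges
GUEST_NETS = [ipaddress.ip_network("172.16.50.0/24")]    # assumed guest Wi-Fi range

# Constructed inventory: host -> [(adapter, state, IPv4 of that adapter)]. Hostnames are hypothetical.
INVENTORY = {
    "ORGB-WS-07": [("Ethernet", "up", "10.20.3.14"), ("Wi-Fi", "up", "192.168.4.9")],
    "ORGB-SRV-01": [("Ethernet", "up", "10.20.1.2"), ("Wi-Fi", "down", None)],
    "ORGA-GUEST-LT": [("Wi-Fi", "up", "172.16.50.77")],
}

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style, flattened to one line).
EVENTS = [
    'host=ORGB-WS-07 user=svc_backup image=C:\\Windows\\System32\\netsh.exe '
    'cmdline="netsh wlan connect name=OrgA-Corp"',
    'host=ORGA-GUEST-LT user=guest image=C:\\Windows\\System32\\netsh.exe '
    'cmdline="netsh interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 '
    'connectport=3389 connectaddress=10.10.5.21"',
    'host=ORGB-SRV-01 user=admin image=C:\\Windows\\System32\\netsh.exe '
    'cmdline="netsh interface show interface"',
    'host=ORGB-SRV-01 user=admin image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c dir"',
]

EVENT_RE = re.compile(r'host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"')
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def find_wireless_bridges(inventory):
    """Hosts with a live wired NIC and a live Wi-Fi NIC at the same time: the dual-homed
    systems that an intruder on the wired side can use to reach a neighbour's Wi-Fi."""
    bridges = []
    for host, adapters in inventory.items():
        up = {name for name, state, _ in adapters if state == "up"}
        if "Ethernet" in up and "Wi-Fi" in up:
            bridges.append(host)
    return bridges


def _in_nets(ip, nets):
    try:
        return any(ipaddress.ip_address(ip) in n for n in nets)
    except ValueError:          # not an IP literal (e.g. a hostname): cannot classify
        return False


def host_only_on_guest(host, inventory):
    """True when every live adapter of the host sits in the guest Wi-Fi range."""
    ips = [ip for _, state, ip in inventory.get(host, []) if state == "up" and ip]
    return bool(ips) and all(_in_nets(ip, GUEST_NETS) for ip in ips)


def analyze_events(events, inventory):
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        host, raw = m["host"], m["cmdline"]
        cmd = raw.lower()
        if "netsh" not in cmd:
            continue
        kv = dict(KV_RE.findall(raw))
        if "portproxy" in cmd and " add " in cmd:
            # A port forward that lands on the internal range, created from a guest-only host,
            # is exactly the guest-to-corporate bridge seen in the Volexity case.
            target = kv.get("connectaddress", "")
            sev = "high" if _in_nets(target, INTERNAL_NETS) and host_only_on_guest(host, inventory) else "medium"
            detail = f"listen {kv.get('listenaddress', '?')}:{kv.get('listenport', '?')} -> {target}:{kv.get('connectport', '?')}"
            findings.append(Finding(host, "netsh_portproxy_add", sev, detail))
        elif "wlan connect" in cmd:
            # Joining a Wi-Fi network from a host that is also wired is the neighbour pivot itself.
            sev = "high" if host in find_wireless_bridges(inventory) else "low"
            findings.append(Finding(host, "netsh_wlan_join", sev, f"ssid={kv.get('name', '?')}"))
    return findings


if __name__ == "__main__":
    print("dual-homed hosts:", find_wireless_bridges(INVENTORY))
    for f in analyze_events(EVENTS, INVENTORY):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.detail}")
```

In production the inventory would come from the endpoint agent or Wi-Fi controller and the events from the SIEM; the netsh patterns can also be matched against the portproxy configuration persisted on the host.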

Why This Attack Matters 

This incident exposes a fundamental reality about wireless security that many organizations have yet to fully grasp: firewalls and IDS/IPS are insufficient. A network is exposed to the vulnerabilities of all the devices within its wireless airspace, whether or not the organization controls those assets. While companies have invested heavily in securing their internet-facing assets against outside attacks – in this case, credentials and MFA security – attackers can trivially take control of any nearby wireless antenna to exploit the wireless vulnerabilities inside a protected network. GruesomeLarch managed to breach the networks of several organizations surrounding its target and launched different attacks against the target’s vulnerable wireless system.

This attack highlights a considerable security gap existing security controls struggle to bridge: attackers can leverage Wi-Fi and Bluetooth vulnerabilities affecting billions of devices globally to target hundreds of exposed and un-agentable IoT and wireless networking devices within a facility, compromising the organization’s security.

The Wireless Security Gap 

Traditional security tools and practices have a massive blind spot when it comes to wireless threats:

  • Perimeter firewalls and IDS/IPS can’t prevent attacks originating from within the network.
  • Network monitoring tools typically see only devices connected to corporate networks, not those in the airspace, poised to attack.
  • Endpoint protection often won’t detect nearby unauthorized wireless devices and can’t protect the hundreds of un-agentable IoT and networking devices inside a protected network.
  • Physical security can’t stop radio signals from reaching neighboring buildings.
  • Wi-Fi security tools focus solely on Wi-Fi, missing other wireless protocols that attackers could exploit.

How Bastille Could Have Prevented This Attack 

Bastille’s Wireless Airspace Defense platform uniquely positions itself to detect and prevent these sophisticated wireless attacks through:

  • Complete Wireless Visibility:
    • Continuously monitors protocols across the radio frequency spectrum commonly used for corporate wireless communications, between 100 MHz and 6 GHz
    • Detects ALL wireless devices and connections in the surrounding airspace in a 5000 sq. ft. radius per sensor, not just those devices on corporate networks
    • Alerts to any anomalous wireless connection within the airspace
    • Provides visibility into Bluetooth, cellular, and other protocols beyond just Wi-Fi
  • Precise Physical Location Tracking:
    • Locates any transmitting device within 1-3 meter accuracy
    • Identifies wireless devices operating outside the authorized facility attempting to connect to network infrastructure
    • Maps wireless activity to physical spaces for contextual threat analysis and integrates into existing SIEM, XDR, and other tools for centralized reporting
  • Advanced Threat Detection:
    • Identifies new and unauthorized connections and other anomalous behavior
    • Alerts on suspicious device locations and connections
  • Real-Time Response:
    • Immediately alerts on wireless policy violations
    • Integrates with the Wi-Fi controller to deny network access to unauthorized devices
    • Captures forensic data for incident investigation
    • Provides continuous monitoring to prevent attack recurrence

Critical Recommendations

This recent attack demonstrates that wireless security requires a fundamental shift in approach. Organizations should:

  • Implement continuous monitoring of ALL wireless activity in their airspace
  • Consider physical proximity when assessing wireless security risks
  • Deploy solutions capable of detecting and locating unauthorized wireless activity
  • Treat wireless networks with the same security rigor as other remote access methods
  • Properly segment guest wireless networks from corporate resources
  • Monitor for unexpected wireless bridges between networks
  • Deploy solutions that can detect ALL wireless protocols, not just Wi-Fi

The Next Evolution of Zero Trust

As organizations increasingly adopt Zero-Trust architectures to enhance their security posture, expanding their focus beyond traditional network perimeters becomes critical. A Zero-Trust approach cannot be fully effective if it overlooks the invisible and often unmonitored wireless landscape, which includes everything from Wi-Fi to Bluetooth, cellular, and other RF protocols. These wireless channels can be potential vectors for unauthorized access, data exfiltration, or lateral movement.

Bastille addresses this significant blind spot by delivering comprehensive, 100% passive visibility into the entire wireless spectrum within an organization’s airspace. Its solution identifies and monitors every wireless device and connection – visible or hidden, authorized or unauthorized. This unparalleled capability enables organizations to detect and prevent potential wireless threats in real-time. It also ensures compliance with Zero-Trust principles by securing all possible attack surfaces, including those beyond traditional wired and endpoint defenses.

By integrating Bastille’s technology, organizations gain the ability to enforce Zero-Trust policies within the wireless realm, ensuring a consistent and robust security framework that aligns with their overall cybersecurity strategy.