A groundbreaking investigation released November 22, 2024, by Volexity details an alarming new attack vector dubbed the “Nearest Neighbor Attack.” This sophisticated technique allowed Russian state-sponsored attackers to breach a highly fortified target’s network, not by attacking it directly, but by compromising wireless-capable devices at adjacent companies whose buildings were within Wi-Fi range of the target.
The Attack Timeline
In February 2022, just before the Russian invasion of Ukraine, Volexity detected suspicious activity on a customer’s server (which the report referred to as Organization A) that would lead to one of their most fascinating investigations. The Russian APT group GruesomeLarch (APT28/Fancy Bear) had successfully infiltrated their target using a multi-stage attack that exploited fundamental weaknesses in how wireless networks operate:
Initial Compromise:
- To obtain valid credentials, the attackers first conducted password-spray attacks against Organization A’s public-facing services.
- While they could not use these credentials for remote access due to MFA requirements, the organization’s Wi-Fi network only required username/password authentication.
- This authentication setting created a critical security gap – but one the attackers couldn’t directly exploit from overseas.
The Neighbor Pivot:
- To bridge the physical distance gap, the attackers first compromised Organization B across the street from their target.
- Within Organization B’s network, they searched for and found systems with both wired ethernet and wireless network capabilities.
- Using these dual-homed systems, they could scan for and connect to nearby wireless networks using the stolen credentials.
- These systems gave them direct access to Organization A’s internal network, bypassing external security controls.
Maintaining Persistence:
- When the attackers lost initial access, they pivoted, compromising another nearby business, Organization C.
- They used Organization C’s systems to regain wireless access to Organization B and, ultimately, Organization A.
- Even after remediation efforts, they attempted another way into Organization A through the guest Wi-Fi network, which lacked proper segmentation from the corporate network.
- The attackers used the Windows Netsh utility to create port forwards, allowing them to pivot from guest wireless to internal systems.
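The port-forward step above is one a defender can check for on any Windows host that sits on the guest Wi-Fi. The following added example (not from Volexity’s report or Bastille’s product) parses the output of `netsh interface portproxy show all` and flags forwards that expose an internal host to the guest segment or to all interfaces; the sample output, the address ranges and the `suspicious_rules` heuristic are constructed assumptions.

```python
"""Detect netsh portproxy rules that pivot from guest Wi-Fi into internal hosts.
Added example; the sample output and address ranges below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample laid out like `netsh interface portproxy show all`.
SAMPLE_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        10.20.30.40     3389
192.168.50.12   8443        10.20.30.41     445
127.0.0.1       9000        127.0.0.1       9001
"""

# Hypothetical ranges; a real deployment would load these from IPAM or a CMDB.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
GUEST_WIFI_NETS = [ipaddress.ip_network("192.168.50.0/24")]

@dataclass(frozen=True)
class PortProxyRule:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

# Data rows are "addr port addr port"; header and separator lines do not match.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_portproxy(text: str) -> list[PortProxyRule]:
    """Return every v4->v4 forward listed in the netsh output."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rules.append(PortProxyRule(m[1], int(m[2]), m[3], int(m[4])))
    return rules

def _in_any(addr: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in nets)

def suspicious_rules(rules: list[PortProxyRule]) -> list[PortProxyRule]:
    """Flag forwards reachable from the guest segment (or every interface)
    whose destination is an internal host. Heuristic of this example only."""
    flagged = []
    for r in rules:
        reachable_from_guest = r.listen_addr in ("0.0.0.0", "::") or _in_any(r.listen_addr, GUEST_WIFI_NETS)
        if reachable_from_guest and _in_any(r.connect_addr, INTERNAL_NETS):
            flagged.append(r)
    return flagged
```

On a live host, feed the function the real command output; the same rules are persisted under the `PortProxy` service key in the registry, so a workstation with any entries there is worth a closer look.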
Why This Attack Matters
This incident exposes a fundamental reality about wireless security that many organizations haven’t fully grasped: firewalls and IPS are insufficient. A network is exposed to the vulnerabilities of all the devices within its wireless airspace, whether or not the organization controls those assets. While companies have invested heavily in securing their internet-facing assets against outside attacks – in this case, credential and MFA security – attackers can exploit any wireless vulnerability inside the protected network to gain access. In this attack, they leveraged the wireless transmitters near the target and controlled those devices from thousands of miles away. This attack highlights a considerable security gap existing security controls struggle to bridge: attackers can leverage Wi-Fi and Bluetooth vulnerabilities affecting billions of devices globally to target hundreds of exposed and un-agentable IoT and wireless networking devices within a facility, compromising the organization’s security.
The Wireless Security Gap
Traditional security tools and practices have a massive blind spot when it comes to wireless threats:
- Firewalls and IPS/IDS can’t prevent attacks originating from within the network.
- Network monitoring tools see only devices connected to corporate networks, not those in the airspace, poised to attack.
- Endpoint protection can’t detect nearby unauthorized wireless devices and can’t protect the hundreds of un-agentable IoT and networking devices inside a protected network.
- Physical security can’t stop radio signals from reaching neighboring buildings.
- Wi-Fi security tools focus solely on Wi-Fi, missing other wireless protocols that attackers could exploit.
How Bastille Could Have Prevented This Attack
Bastille’s Wireless Airspace Defense platform uniquely positions itself to detect and prevent these sophisticated wireless attacks through:
- Complete Wireless Visibility:
  - Continuously monitors protocols across the radio frequency spectrum commonly used for corporate wireless communications, between 25 MHz and 6 GHz
  - Detects ALL wireless devices and connections in the surrounding airspace in a 5000 sq. ft. radius per sensor, not just those devices on corporate networks
  - Provides anomaly alerting on malicious transmitting devices, whether across the street or on different office floors of the same building
  - Alerts on any anomalous wireless connection within the airspace
  - Provides visibility into Bluetooth, cellular, and other protocols beyond just Wi-Fi
- Precise Physical Location Tracking:
  - Locates any transmitting device with 1-meter accuracy
  - Immediately reveals suspicious connections coming from outside the monitored space, such as neighboring buildings
  - Maps wireless activity to physical spaces for contextual threat analysis and integrates with existing SIEM, Zero-Trust, and XDR tools for centralized reporting
- Advanced Threat Detection:
  - Provides AI-powered analysis of wireless traffic patterns
  - Identifies anomalous behavior and unauthorized connections
  - Alerts on suspicious device movements and connections
  - Detects wireless bridges between networks that could indicate compromise
- Real-Time Response:
  - Immediately alerts on wireless policy violations
  - Finds configuration vulnerabilities in wireless-enabled assets in real time
  - Captures forensic data for incident investigation
  - Provides continuous monitoring to prevent attack recurrence
Critical Recommendations
This recent attack demonstrates that wireless security requires a fundamental shift in approach. Organizations should:
- Implement continuous monitoring of ALL wireless activity in their airspace
- Consider physical proximity when assessing wireless security risks
- Deploy solutions capable of detecting and locating unauthorized wireless activity
- Treat wireless networks with the same security rigor as other remote access methods
- Properly segment guest wireless networks from corporate resources
- Monitor for unexpected wireless bridges between networks
- Deploy solutions that can detect ALL wireless protocols, not just Wi-Fi
The Next Evolution of Zero Trust
As organizations increasingly adopt Zero-Trust architectures to enhance their security posture, expanding their focus beyond traditional network perimeters becomes critical. A Zero-Trust approach cannot be fully effective if it overlooks the invisible and often unmonitored wireless landscape, which includes everything from Wi-Fi to Bluetooth, cellular, and other RF protocols. These wireless channels can be potential vectors for unauthorized access, data exfiltration, or lateral movement.
Bastille addresses this significant blind spot by delivering comprehensive, 100% passive visibility into the entire wireless spectrum within an organization’s airspace. Its solution identifies and monitors every wireless device and connection, whether visible or hidden, authorized or unauthorized. This capability not only enables organizations to detect and prevent potential wireless threats in real time but also supports compliance with Zero-Trust principles by covering attack surfaces beyond traditional wired and endpoint defenses.
By integrating Bastille’s technology, organizations gain the ability to enforce Zero-Trust policies within the wireless realm, ensuring a consistent and robust security framework that aligns with their overall cybersecurity strategy.