Only after the next intrusion, when Volexity managed to obtain more complete logs of the hackers’ traffic, did its analysts solve the mystery: the company discovered that the hijacked machine the hackers were using to poke around its customer’s systems was leaking the name of the domain on which it was hosted, and that domain belonged to another organization across the street. “At that point, it was 100 percent clear where he was coming from,” Adair says. “It’s not a car on the street. It’s the building next door.”
With the cooperation of that neighbor, Volexity investigated the second organization’s network and discovered that a particular laptop was the source of the street-hopping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a docking station connected to the local network via Ethernet, and then turned on its Wi-Fi, allowing it to act as a radio relay into the target’s network. Volexity discovered that to get into that target’s Wi-Fi, the hackers had used credentials they had somehow obtained online but apparently had been unable to exploit anywhere else, likely because of two-factor authentication.
Volexity eventually tracked the hackers on that second network to two possible intrusion points. The hackers appeared to have compromised a VPN device owned by the other organization. But they had also broken into that organization’s Wi-Fi from other network devices in the same building, suggesting that the hackers may have daisy-chained up to three networks via Wi-Fi to reach their ultimate goal. “Who knows how many devices or networks they compromised and what they were doing this on,” Adair says.
In fact, even after Volexity kicked the hackers out of its customer’s networks, the hackers tried again that spring to break in over Wi-Fi, this time attempting to access resources shared on the guest Wi-Fi network. “These guys were very persistent,” Adair says. However, he says Volexity was able to detect this next breach attempt and quickly blocked the intruders.
Volexity had assumed from the beginning of its investigation that the hackers were of Russian origin because they targeted individual employees of the Ukraine-focused client organization. Then, in April, two years after the original intrusion, Microsoft warned about a vulnerability in the Windows print spooler that had been used by the Russian hacker group APT28 (Microsoft refers to the group as Forest Blizzard) to gain administrative privileges on target machines. The traces left on the first computer Volexity had analyzed in its client’s Wi-Fi breach matched that technique exactly. “It was an exact one-to-one match,” Adair says.