Like most intrusions, it started with an alert. Organization A was just another client going about its daily operations until Volexity's detection system flagged something odd: a file had been written and executed, and not in a place you would expect. It was sitting in C:\ProgramData.
The file was called servtask.bat. It exported sensitive registry hives (SAM, SECURITY and SYSTEM), zipped them into an archive and sat there as if nothing significant had happened. The commands weren't flashy, but they worked. The presence of this file sent Volexity's team scrambling for answers.
They found something new: a technique in which the attacker compromises a neighboring organization and uses its Wi-Fi-capable systems to reach the real target. Volexity named it the Nearest Neighbor Attack because that is exactly what it was.
Fancy Bear isn't new to this. If you've heard of them, it's because they're linked to the GRU, Russia's military intelligence agency. They have been around for years, hacking NATO, phishing journalists and breaking into the Democratic National Committee.
But this wasn't a copy-paste campaign pointed at a new victim. This was different. They weren't after Organization A for its own sake; the draw was its work on Ukraine-related projects, and the timing was weeks before Russia's invasion of Ukraine.
The attack didn't start at Organization A. Rather than going at the hardened perimeter head-on, the attackers went after nearby networks, businesses in the same physical area as the target. Why break down a heavily secured door when you can use the neighbor's Wi-Fi?
On February 4, 2022, Volexity first saw the busy batch file, servtask.bat. Commands like reg save hklm\sam and Compress-Archive were not random: the file packaged credential material for exfiltration.
Then came the digging. Volexity found more files, among them DefragmentSrv.bat and wayzgoose52.dll, each with its role, from escalating privileges to moving laterally across the network. Just as the team started piecing things together, the trail disappeared. The attackers used Cipher.exe, a built-in Windows tool, to overwrite the disk space freed by the files they had deleted so nothing could be recovered. Files, logs, gone.
Something didn't add up. The breach hadn't come through the front door but through the Wi-Fi network. Analysis showed that the attackers controlled a dual-homed system in a neighboring organization: a machine with a wired connection to its own network and a wireless adapter in range of Organization A's access points. That combination made it a bridge into Organization A's network.
It wasn't luck. The attackers had already obtained valid credentials by password-spraying Organization A's accounts. Those credentials were of little use against the internet-facing systems, which required multi-factor authentication, but Organization A's Wi-Fi accepted a username and password alone. Once they had valid credentials, proximity was all they needed. They didn't have to be inside the building, just close enough to connect.
Here's how it worked. The attackers didn't try to break into Organization A directly. They targeted nearby businesses, any company close enough to be within Wi-Fi range of the target. Those neighboring networks became a chain of stepping stones.
Their first stop was Organization B, across the street. There the attackers found a dual-homed system: one with a wired connection to Organization B's internal network and a wireless adapter within range of nearby Wi-Fi. This was the key. They controlled the system remotely over its wired connection and used its wireless adapter to scan for networks.
Once they spotted Organization A's SSID, they authenticated with the credentials harvested from the earlier password-spraying attack. Unlike Organization A's external systems, the Wi-Fi didn't require multi-factor authentication (MFA); a valid username and password were enough.
Because that wireless network gave access to Organization A's internal network, a successful association from across the street put the attackers inside without anyone ever entering the building.
The tools weren't groundbreaking, but they were effective. Scripts and batch files like servtask.bat handled the demanding work once they were in.
Here's what servtask.bat did: it exported three registry hives from the compromised system and compressed them into a ZIP file. The commands:
reg save hklm\sam C:\ProgramData\sam.save
reg save hklm\security C:\ProgramData\security.save
reg save hklm\system C:\ProgramData\system.save
Powershell -c "Get-ChildItem C:\ProgramData\sam.save, C:\ProgramData\security.save, C:\ProgramData\system.save ^| Compress-Archive -DestinationPath C:\ProgramData\out.zip"
Those three hives are exactly what an attacker needs to recover credentials offline: SAM holds the local account password hashes, SECURITY holds LSA secrets such as cached domain logons and service-account passwords, and SYSTEM holds the boot key needed to decrypt the other two. Cracked or reused, those credentials let the attackers push further into the network.
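The sequence above is easy to spot in process-creation telemetry if you look for it. The following detector is an added example, not Volexity's code and not part of the original report: it takes process-creation records (host, timestamp, command line, the fields Sysmon Event ID 1 or Windows event 4688 supply), groups them per host, and flags a host where reg.exe saves the SAM, SECURITY and SYSTEM hives within a short window, raising severity when an archive step follows. The sample events, hostnames and timestamps are constructed for the example.

```python
"""Detect the servtask.bat pattern: reg.exe saving the SAM, SECURITY and
SYSTEM hives, then an archive step, on one host inside a short window.
Added example; the events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Together these hives yield local password hashes (SAM), LSA secrets
# (SECURITY) and the boot key that decrypts both (SYSTEM).
CREDENTIAL_HIVES = {"sam", "security", "system"}

REG_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|security|system)\b",
    re.IGNORECASE,
)
# Archive tools commonly used to bundle exported hives; extend as needed.
ARCHIVE_RE = re.compile(r"compress-archive|\b7z(?:a|\.exe)?\s+a\b|\bmakecab\b",
                        re.IGNORECASE)
WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def analyse(events):
    """Return one finding per host whose telemetry shows credential-hive export."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        hive_hits = [(_ts(e), m.group(1).lower())
                     for e in evs if (m := REG_SAVE_RE.search(e["command_line"]))]
        if not hive_hits:
            continue
        start = hive_hits[0][0]
        hives = {h for t, h in hive_hits if t - start <= WINDOW}
        archived = any(ARCHIVE_RE.search(e["command_line"])
                       and start <= _ts(e) <= start + WINDOW for e in evs)
        # A lone SYSTEM export can be a backup job; all three hives plus an
        # archive step is the credential-theft pattern described above.
        if hives == CREDENTIAL_HIVES:
            severity = "critical" if archived else "high"
        else:
            severity = "medium"
        findings.append({"host": host, "hives": sorted(hives),
                         "archived": archived, "severity": severity})
    return findings


# Constructed telemetry: one host running the servtask.bat sequence and one
# running a routine export of an unrelated hive that must not alert.
SAMPLE_EVENTS = [
    {"host": "WS-ORGA-12", "time": "2022-02-04 10:02:11",
     "command_line": r"reg save hklm\sam C:\ProgramData\sam.save"},
    {"host": "WS-ORGA-12", "time": "2022-02-04 10:02:12",
     "command_line": r"reg save hklm\security C:\ProgramData\security.save"},
    {"host": "WS-ORGA-12", "time": "2022-02-04 10:02:12",
     "command_line": r"reg save hklm\system C:\ProgramData\system.save"},
    {"host": "WS-ORGA-12", "time": "2022-02-04 10:02:15",
     "command_line": r'Powershell -c "Get-ChildItem C:\ProgramData\sam.save, '
                     r'C:\ProgramData\security.save, C:\ProgramData\system.save '
                     r'| Compress-Archive -DestinationPath C:\ProgramData\out.zip"'},
    {"host": "SRV-BACKUP-01", "time": "2022-02-04 02:00:00",
     "command_line": r"reg save hklm\software D:\backup\software.hiv"},
]


def run_example():
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The backup host stays quiet because SOFTWARE is not a credential hive; tune the medium tier to your own backup jobs, which are the usual source of lone SYSTEM exports.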
Then came the cleanup. They ran Cipher.exe, a built-in Windows tool, to overwrite the disk space freed by the files they had deleted, so the data could not be recovered. Everything they touched was wiped, making it hard for investigators to piece together what happened.
On Organization B's dual-homed system, they deployed PowerShell scripts with embedded C# code to enumerate nearby Wi-Fi networks. Once the scripts found Organization A's SSID, they connected to it with the stolen credentials.
They didn't need fancy malware or zero-day exploits. They used what was available: weak Wi-Fi security, dual-homed systems and previously gathered credentials.
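The dual-homed system is the piece a defender can hunt for ahead of time. The audit below is an added example, not something from the report or Volexity's tooling: it walks an endpoint inventory and reports every host that has an active wired adapter and an active wireless adapter at the same time, rating the case higher when the wireless side is on a network that is not the organization's own, which is precisely the bridge the attackers used at Organization B. The inventory format, hostnames, address ranges and SSIDs are constructed; on Windows the same data comes from Get-NetAdapter, Get-NetIPAddress and netsh wlan show interfaces.

```python
"""Audit an endpoint inventory for dual-homed hosts (wired and wireless up
at once), flagging those whose wireless side is on a foreign network.
Added example; inventory, address space and SSIDs are constructed.
"""
import ipaddress

# Assumed: the auditing organization's own address space and SSIDs.
OUR_NETS = [ipaddress.ip_network("10.20.0.0/16")]
OUR_SSIDS = {"OrgB-Corp"}


def audit(hosts, our_nets=OUR_NETS, our_ssids=OUR_SSIDS):
    """Return a finding for each host that is wired and wireless at the same time."""
    findings = []
    for h in hosts:
        up = [a for a in h["adapters"] if a["status"] == "up"]
        wired = [a for a in up if a["type"] == "ethernet"]
        wireless = [a for a in up if a["type"] == "wifi"]
        if not (wired and wireless):
            continue
        foreign = []
        for w in wireless:
            ssid = w.get("ssid", "?")
            ip = w.get("ipv4")
            # No lease yet is treated as unknown, i.e. foreign until proven otherwise.
            on_our_net = ip is not None and any(
                ipaddress.ip_address(ip) in n for n in our_nets)
            if ssid not in our_ssids or not on_our_net:
                foreign.append(ssid)
        findings.append({
            "host": h["host"],
            "wired_ip": wired[0]["ipv4"],
            "wireless_ssids": [w.get("ssid", "?") for w in wireless],
            "foreign_ssids": foreign,
            # Wired into us and wireless into someone else is the configuration
            # the attackers exploited at Organization B.
            "severity": "high" if foreign else "medium",
        })
    return findings


# Constructed inventory: a laptop on Wi-Fi only, a desktop on cable only, a
# desktop bridged onto a neighbor's SSID, and a desktop on both of our own.
SAMPLE_HOSTS = [
    {"host": "ORGB-LT-03", "adapters": [
        {"type": "wifi", "status": "up", "ssid": "OrgB-Corp", "ipv4": "10.20.7.45"}]},
    {"host": "ORGB-WS-11", "adapters": [
        {"type": "ethernet", "status": "up", "ipv4": "10.20.5.14"},
        {"type": "wifi", "status": "down"}]},
    {"host": "ORGB-WS-07", "adapters": [
        {"type": "ethernet", "status": "up", "ipv4": "10.20.5.30"},
        {"type": "wifi", "status": "up", "ssid": "OrgA-Corp", "ipv4": "192.168.40.22"}]},
    {"host": "ORGB-WS-09", "adapters": [
        {"type": "ethernet", "status": "up", "ipv4": "10.20.5.31"},
        {"type": "wifi", "status": "up", "ssid": "OrgB-Corp", "ipv4": "10.20.7.80"}]},
]


def run_example():
    return audit(SAMPLE_HOSTS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Even the medium findings deserve attention: a host that is wired and wireless on the organization's own networks still gives anyone who can reach one side a path to the other, and a group policy that disables the wireless adapter while a cable is connected removes the whole class.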
Tracking this down wasn't simple. The attackers erased a lot, but some traces were beyond their reach.
Volexity examined Organization A's Wi-Fi controller logs, which showed the suspect connections landing on access points near a conference room at the edge of the building, close to the windows. That detail argued against someone inside the office. Whoever was behind this was operating from outside.
Next, they checked the RADIUS authentication logs, which tied the connections to a MAC address and a user account that belonged to no one at Organization A. The same MAC address turned up in January logs, authenticating under a different user account. That earlier account had been locked after a password reset, but by February the attackers were back with fresh credentials.
The breakthrough came when Volexity matched the MAC address to a system at Organization B. Forensic analysis showed that it had been compromised over RDP using stolen privileged credentials. Once inside, the attackers used the system's Wi-Fi adapter to connect to Organization A's network.
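The log work in the last three paragraphs is mechanical enough to script. The correlation below is an added example rather than Volexity's tooling: it parses Wi-Fi authentication records, groups them by client MAC, and reports the signals the investigation relied on, a MAC missing from the asset inventory, a MAC that authenticates as more than one account, a MAC that succeeds under a new account after failing under an old one, and a MAC whose successful associations all land on access points near the building's exterior. The log format, usernames, MAC addresses, access-point names and inventory are constructed; adapt the regular expression to whatever your controller or RADIUS server exports.

```python
"""Correlate Wi-Fi authentication records per client MAC and report the
traits that exposed the attacker's bridge host. Added example; the log
lines, inventory and AP placement below are constructed.
"""
import re
from collections import defaultdict

# Assumed record layout: ISO timestamp, result, user=, mac=, ap= (constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>Auth-OK|Auth-FAIL)\s+user=(?P<user>\S+)"
    r"\s+mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+ap=(?P<ap>\S+)$"
)


def parse(lines):
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:                              # lines in other formats are skipped
            rec = m.groupdict()
            rec["mac"] = rec["mac"].upper()
            records.append(rec)
    return records


def correlate(records, known_macs, perimeter_aps):
    """Return {mac: [reasons]} for every MAC showing at least one suspicious trait."""
    known = {m.upper() for m in known_macs}
    by_mac = defaultdict(list)
    for r in records:
        by_mac[r["mac"]].append(r)

    findings = {}
    for mac, recs in by_mac.items():
        recs.sort(key=lambda r: r["ts"])   # ISO-8601 timestamps sort lexically
        reasons = []
        if mac not in known:
            reasons.append("MAC not in asset inventory")
        users = sorted({r["user"] for r in recs})
        if len(users) > 1:
            reasons.append("MAC used by %d accounts: %s" % (len(users), ", ".join(users)))
        failed = set()                     # credential rotation after a lockout
        for r in recs:
            if r["result"] == "Auth-FAIL":
                failed.add(r["user"])
            elif failed - {r["user"]}:
                reasons.append("succeeded as %s after failing as %s"
                               % (r["user"], ", ".join(sorted(failed - {r["user"]}))))
                break
        ok = [r for r in recs if r["result"] == "Auth-OK"]
        if ok and all(r["ap"] in perimeter_aps for r in ok):
            reasons.append("all successful associations via perimeter APs: %s"
                           % ", ".join(sorted({r["ap"] for r in ok})))
        if reasons:
            findings[mac] = reasons
    return findings


# Constructed records spanning the January and February activity, plus an
# employee in the conference room and one unrelated syslog line.
SAMPLE_LOG = """
2022-01-18T08:41:03Z Auth-OK   user=jdoe    mac=a4:5e:60:11:22:33 ap=AP-2F-CORE-04
2022-01-18T22:17:40Z Auth-OK   user=tsmith  mac=00:1b:77:9a:0c:42 ap=AP-3F-CONF-EAST
2022-02-01T20:55:12Z Auth-FAIL user=tsmith  mac=00:1b:77:9a:0c:42 ap=AP-3F-CONF-EAST
2022-02-01T20:55:30Z Auth-FAIL user=tsmith  mac=00:1b:77:9a:0c:42 ap=AP-3F-CONF-EAST
2022-02-04T09:12:51Z Auth-OK   user=dlee    mac=00:1b:77:9a:0c:42 ap=AP-3F-CONF-EAST
2022-02-04T09:30:00Z Auth-OK   user=kwong   mac=3c:22:fb:5d:00:19 ap=AP-3F-CONF-EAST
2022-02-04 09:31:00 controller: some unrelated event that does not match
"""
KNOWN_MACS = {"A4:5E:60:11:22:33", "3C:22:FB:5D:00:19"}
PERIMETER_APS = {"AP-3F-CONF-EAST", "AP-1F-LOBBY-WEST"}


def run_example():
    return correlate(parse(SAMPLE_LOG.splitlines()), KNOWN_MACS, PERIMETER_APS)


if __name__ == "__main__":
    for mac, reasons in run_example().items():
        print(mac, reasons)
```

Triage by the number of reasons: the employee sitting in the conference room trips only the perimeter-AP check, while the bridge host trips all four, which is the combination worth pulling controller and RDP logs for.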
Volexity also found evidence that the attackers had used another nearby company, Organization C, to extend their reach, daisy-chaining through neighbors. Each hop brought them closer to the final target, turning a local Wi-Fi network into a bridge for a larger intrusion.
Ultimately, it came down to proximity and patience. The attackers didn't rely on technical expertise alone; they used their environment. By compromising neighboring organizations and leveraging dual-homed systems, they turned a hard target into an easy one.
Organization A's weakness wasn't in its servers or firewalls but in the gaps around them: Wi-Fi that accepted a password alone, dual-homed devices next door, and the assumption that danger was distant rather than close. The Nearest Neighbor Attack showed that physical proximity and well-planned execution could undo an otherwise well-secured network.
Volexity pieced together what it could from the logs, but there were limits. Data wiped with Cipher.exe and systems scrubbed clean left parts of the story untold. What was uncovered was enough to show a methodical, innovative approach to cyber espionage.
This wasn't just a breach. It was a lesson in layered vulnerabilities and how chaining them creates opportunities for attackers. Fancy Bear didn't walk through the front door. They didn't have to.
Adair, S. (2024, November 22). The Nearest Neighbor attack: How a Russian APT weaponized nearby Wi-Fi networks for covert access. Volexity. https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
MITRE ATT&CK. (n.d.). APT28 (Group G0007): IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE. https://attack.mitre.org/groups/G0007/
Security Conversations. (2024, December 28). Volexity's Steven Adair on Russian Wi-Fi hacks, memory forensics, appliance 0days and network inspectability [Podcast episode]. https://securityconversations.com/episode/volexitys-steven-adair-on-russian-wi-fi-hacks-memory-forensics-appliance-0days-and-network-inspectability/