APT28 Nearest Neighbor Campaign

[APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051) was conducted by [APT28](https://attack.mitre.org/groups/G0007) from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 relied primarily on living-off-the-land techniques, alongside zero-day exploitation of CVE-2022-38028. Notably, APT28 used Wi-Fi networks in close physical proximity to the intended target to gain initial access to the victim environment. By daisy-chaining through multiple compromised organizations near the intended target, APT28 found dual-homed systems (with both a wired and a wireless network connection), enabled their Wi-Fi adapters, and used compromised credentials to connect to the victim's wireless network.(Citation: Nearest Neighbor Volexity)

Start date: 1 February 2022
End date: 1 November 2024
Techniques: 18
Attributed actors: APT28 (G0007)
Confidence: high

Techniques (18)

Collection (2)
- T1074.001 Local Data Staging
- T1560.001 Archive via Utility

Command and Control (1)
- T1090.001 Internal Proxy

Credential Access (3)
- T1003.002 Security Account Manager
- T1003.003 NTDS
- T1110.003 Password Spraying

Defense Impairment (1)
- T1686.003 Windows Host Firewall

Discovery (1)
- T1016.002 Wi-Fi Discovery

Execution (2)
- T1059.001 PowerShell
- T1059.003 Windows Command Shell

Exfiltration (1)
- T1567 Exfiltration Over Web Service

Impact (1)
- T1561.001 Disk Content Wipe

Initial Access (1)
- T1669 Wi-Fi Networks

Lateral Movement (2)
- T1021.001 Remote Desktop Protocol
- T1021.002 SMB/Windows Admin Shares

Resource Development (1)
- T1584 Compromise Infrastructure

Stealth (2)
- T1140 Deobfuscate/Decode Files or Information
- T1006 Direct Volume Access
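The campaign description and the Wi-Fi Discovery (T1016.002) and Wi-Fi Networks (T1669) entries above describe the pivot from the attacker's side: find a dual-homed host in a neighboring organization, enable its Wi-Fi, and connect to the target's wireless network with stolen credentials. The following is an added hunting example, not code from the ATT&CK page, Fancy Intel, or the Volexity report. It flags dual-homed hosts from a constructed adapter inventory and classifies process-creation command lines that enumerate, export, enable, or connect to Wi-Fi, escalating hits that occur on a dual-homed host. All host names, users, adapters, and event lines are constructed; the command patterns are the standard `netsh wlan`, `netsh interface`, and `Enable-NetAdapter` forms, not commands the page attributes to APT28.

```python
"""Hunt for the Nearest Neighbor pivot: dual-homed hosts plus Wi-Fi enumeration/enablement.

Added illustration; not code from the ATT&CK campaign page or the Volexity report.
All host names, users, adapters and events below are constructed sample data.
"""
import re

# Constructed adapter inventory per host (shape of a Get-NetAdapter export), not real telemetry.
ADAPTER_INVENTORY = {
    "WS-FIN-07": [
        {"name": "Ethernet", "media": "802.3", "status": "Up"},
        {"name": "Wi-Fi", "media": "Native 802.11", "status": "Disabled"},
    ],
    "WS-OPS-12": [
        {"name": "Ethernet", "media": "802.3", "status": "Up"},
        {"name": "Wi-Fi", "media": "Native 802.11", "status": "Up"},
    ],
    "SRV-FILE-01": [
        {"name": "Ethernet", "media": "802.3", "status": "Up"},
    ],
}

# Constructed process-creation events (Sysmon EID 1 / Security 4688 fields), not real data.
PROCESS_EVENTS = [
    {"Computer": "WS-OPS-12", "User": "CORP\\svc-backup", "CommandLine": "netsh wlan show profiles"},
    {"Computer": "WS-OPS-12", "User": "CORP\\svc-backup", "CommandLine": 'netsh interface set interface "Wi-Fi" enable'},
    {"Computer": "WS-OPS-12", "User": "CORP\\svc-backup", "CommandLine": "netsh wlan connect name=Neighbor-Staff"},
    {"Computer": "WS-FIN-07", "User": "CORP\\jdoe", "CommandLine": 'netsh wlan show profile name="CorpGuest" key=clear'},
    {"Computer": "SRV-FILE-01", "User": "CORP\\admin", "CommandLine": 'netsh interface set interface "Ethernet 2" enable'},
    {"Computer": "WS-FIN-07", "User": "CORP\\jdoe", "CommandLine": 'powershell.exe -NoP -c "Get-Date"'},
    {"Computer": "SRV-FILE-01", "User": "CORP\\admin", "CommandLine": "netsh wlan show networks mode=bssid"},
    {"Computer": "WS-FIN-07", "User": "CORP\\jdoe", "CommandLine": "powershell.exe -NoP -c \"Enable-NetAdapter -Name 'Wi-Fi' -Confirm:$false\""},
]

# Command-line patterns, matched against the lower-cased command line. Order matters:
# a profile export with key=clear must be classified before the generic "show profile".
_RULES = [
    ("wifi-credential-export", re.compile(r'\bnetsh(?:\.exe)?\s+wlan\s+(?:export\s+profile\b|show\s+profiles?\b.*\bkey=clear\b)')),
    ("wifi-discovery", re.compile(r'\bnetsh(?:\.exe)?\s+wlan\s+show\s+(?:profiles?|networks|interfaces|drivers)\b')),
    ("wifi-connect", re.compile(r'\bnetsh(?:\.exe)?\s+wlan\s+connect\b')),
    ("wifi-enable", re.compile(r'\bnetsh(?:\.exe)?\s+interface\s+set\s+interface\s+(?:name=)?(?P<name>"[^"]*"|\S+)\s+(?:admin=)?enabled?\b')),
    ("wifi-enable", re.compile(r'\benable-netadapter\b.*?(?:wi-?fi|wireless|wlan|802\.11)')),
]
_WIRELESS_NAME = re.compile(r'wi-?fi|wireless|wlan|802\.11')


def wifi_status(adapters):
    """Status of the first 802.11 adapter on a host, or None if it has none."""
    for a in adapters:
        if "802.11" in a["media"]:
            return a["status"]
    return None


def has_wired_uplink(adapters):
    return any("802.3" in a["media"] and a["status"] == "Up" for a in adapters)


def find_dual_homed(inventory):
    """Hosts with a live wired link and a Wi-Fi adapter present, returned as {host: wifi_status}.

    A Disabled Wi-Fi adapter still counts: the campaign enabled Wi-Fi on such hosts
    rather than relying on it already being up.
    """
    return {host: wifi_status(ads) for host, ads in inventory.items()
            if wifi_status(ads) is not None and has_wired_uplink(ads)}


def classify_command(cmdline):
    """Return a Wi-Fi activity label for a command line, or None if it is not Wi-Fi related."""
    cmd = cmdline.lower()
    for label, rx in _RULES:
        m = rx.search(cmd)
        if not m:
            continue
        # For netsh "set interface ... enable", only a wireless adapter name is interesting.
        if label == "wifi-enable" and "name" in m.groupdict():
            if not _WIRELESS_NAME.search(m.group("name")):
                continue
        return label
    return None


def hunt(inventory, events):
    """Correlate Wi-Fi command lines with dual-homed hosts and assign a severity."""
    dual = find_dual_homed(inventory)
    findings = []
    for ev in events:
        label = classify_command(ev["CommandLine"])
        if label is None:
            continue
        on_dual = ev["Computer"] in dual
        if label == "wifi-credential-export" or (on_dual and label in ("wifi-enable", "wifi-connect")):
            severity = "high"      # PSK retrieval, or bridging a wired host onto Wi-Fi
        elif on_dual:
            severity = "medium"    # Wi-Fi enumeration on a host that could act as a bridge
        else:
            severity = "low"       # Wi-Fi command on a host with no wired/wireless pairing
        findings.append({"host": ev["Computer"], "user": ev["User"], "label": label,
                         "severity": severity, "dual_homed": on_dual, "cmd": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for f in hunt(ADAPTER_INVENTORY, PROCESS_EVENTS):
        print(f"{f['severity']:6} {f['host']:12} {f['label']:24} {f['user']:16} {f['cmd']}")
```

In practice the inventory comes from a fleet-wide Get-NetAdapter export and the events from Security 4688 (with command-line auditing enabled) or Sysmon Event ID 1. The adapter with status Disabled is deliberately kept in scope, and enabling it on a wired host is scored higher than enumeration alone, because the page describes exactly that sequence: locate the dual-homed machine, turn on its Wi-Fi, then authenticate to the neighbor's network with credentials obtained elsewhere.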

Indicators of compromise

No IOCs linked to this campaign yet.

APT28 Nearest Neighbor Campaign — Campaign | Fancy Intel