In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site (“Organization A”) indicated a threat actor had compromised a server on the customer’s network. While Volexity quickly investigated the threat activity, more questions were raised than answers due to a very motivated and skilled advanced persistent threat (APT) actor, who was using a novel attack vector Volexity had not previously encountered.
Key Takeaways
  • Russian APT GruesomeLarch deployed a new attack technique leveraging Wi-Fi networks in close proximity to the intended target.
  • The threat actor primarily leveraged living-off-the-land techniques.
  • A zero-day privilege escalation was used to further gain access.
  • Ukrainian-related work and projects were targeted in this attack, just ahead of Russian Invasion of Ukraine.