The Nearest Neighbor Attack
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations it had ever worked. The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site (“Organization A”) indicated that a threat actor had compromised a server on the customer’s network. This immediately put the Volexity threat detection and response team on high alert, as they could see sensitive registry hives being exported and compressed into a ZIP file. Although Volexity quickly investigated the threat activity, the investigation raised more questions than answers, because a very motivated and skilled advanced persistent threat (APT) actor was using a novel attack vector Volexity had not previously encountered.
At the end of the investigation, Volexity would tie the breach to a Russian threat actor it tracks as GruesomeLarch (publicly known as APT28, Forest Blizzard, Sofacy, Fancy Bear, among other names). This blog post aims to shed light on the tactics, techniques, and procedures (TTPs) Volexity observed during its incident investigation, and to provide a detailed look at how the Nearest Neighbor Attack worked and how to mitigate it.
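The alert that opened the investigation fired on registry hives being exported and then compressed into a ZIP file. The following is an added example (not Volexity's signature or any code from the original post) of how a defender can correlate those two steps in process-creation telemetry: it flags a host on which an export of the SAM, SYSTEM or SECURITY hive is followed by an archiving command within a short window. The log format, field names, hostnames and timestamps are constructed for the example; real endpoint logs will need their own parser.

```python
"""Correlate registry hive export with a follow-on archive step (added example)."""
import re
from datetime import datetime, timedelta

# Constructed process-creation events in a simple "key=value" layout.
# Not taken from the investigation described in the post.
SAMPLE_EVENTS = [
    "2022-02-04T10:01:12Z host=srv01 user=svc_backup cmd=reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv",
    "2022-02-04T10:01:15Z host=srv01 user=svc_backup cmd=reg.exe save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv",
    "2022-02-04T10:02:30Z host=srv01 user=svc_backup cmd=powershell.exe Compress-Archive -Path C:\\Windows\\Temp\\*.hiv -DestinationPath C:\\Windows\\Temp\\out.zip",
    "2022-02-04T11:30:00Z host=ws07 user=alice cmd=reg.exe query HKCU\\Software\\Microsoft",
    "2022-02-04T12:00:00Z host=ws07 user=alice cmd=7z.exe a report.zip report.docx",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")
# reg.exe save/export of a credential-bearing hive under HKLM.
HIVE_EXPORT_RE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)
# Common built-in and third-party archiving commands (list is illustrative).
ARCHIVE_RE = re.compile(
    r"Compress-Archive|\b7z(?:\.exe)?\s+a\b|\bmakecab(?:\.exe)?\b", re.I)


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "user": m["user"], "cmd": m["cmd"]}


def detect_hive_export_and_archive(lines, window_minutes=10):
    """Return one alert per host where hive exports are followed by archiving.

    An alert is raised when an archiving command runs on a host within
    `window_minutes` of at least one hive export on the same host.
    """
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e["ts"])
    pending = {}   # host -> list of (export_event, hive_name) awaiting an archive step
    alerts = []
    for ev in events:
        hive = HIVE_EXPORT_RE.search(ev["cmd"])
        if hive:
            pending.setdefault(ev["host"], []).append((ev, hive.group(1).upper()))
            continue
        if ARCHIVE_RE.search(ev["cmd"]):
            window = timedelta(minutes=window_minutes)
            recent = [(e, h) for e, h in pending.get(ev["host"], [])
                      if ev["ts"] - e["ts"] <= window]
            if recent:
                alerts.append({
                    "host": ev["host"],
                    "user": ev["user"],
                    "hives": sorted({h for _, h in recent}),
                    "first_export": recent[0][0]["ts"].isoformat(),
                    "archive_time": ev["ts"].isoformat(),
                    "archive_cmd": ev["cmd"],
                })
                pending[ev["host"]] = []   # do not re-alert on the same exports
    return alerts


if __name__ == "__main__":
    for alert in detect_hive_export_and_archive(SAMPLE_EVENTS):
        print(alert)
```

In the sample data only `srv01` trips the rule: the `7z.exe` archive on `ws07` is not preceded by a hive export, and a plain `reg.exe query` is not an export. Keying the correlation on the host rather than the user keeps the rule working when an attacker switches accounts between the two steps, and the window bounds the false positives from legitimate backup jobs that archive long after exporting.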