A novel and unsettling pattern of operations attributed to the Russian APT tracked as GruesomeLarch shows how Wi-Fi can be weaponized as a proximity vector against high-value targets. Volexity’s investigation into what it calls the Nearest Neighbor Attack reveals an attacker tradecraft that daisy-chains compromises of physically adjacent organizations to gain entry to a target’s enterprise wireless network, even when the adversary is thousands of miles away.

At its core the Nearest Neighbor Attack exploited three assumptions. First, that Internet-facing services protected by multi factor authentication are sufficient to secure remote access. Second, that enterprise Wi-Fi, as a local-only access method, does not need the same protections as cloud services. Third, that adjacent buildings are irrelevant to the risk model for a given facility. In the incident Volexity investigated, password spray attacks validated credentials for a public-facing service. Those same credentials worked on the enterprise Wi-Fi, which had no MFA in place, allowing authentication via a compromised system in a neighboring building.

The attack chain was methodical. The actor conducted credential-stuffing and password-spray campaigns to collect valid usernames and passwords for a handful of employees. Where MFA blocked access to Internet-facing resources, the adversary pivoted to local network access by compromising nearby organizations. They located dual-homed systems at neighboring sites that had both wired Ethernet and a wireless adapter. From a compromised dual-homed host the intruder enumerated available SSIDs, authenticated to the target enterprise Wi-Fi using the stolen credentials, and moved laterally into the target network. The group used living-off-the-land techniques and native tools for lateral movement and anti forensics, including using Windows cipher.exe to overwrite deleted files.

Microsoft’s analysis of Forest Blizzard provides further context that ties the Nearest Neighbor Attack to a long running tooling set. Microsoft documented GooseEgg, a post compromise tool used to exploit a Windows Print Spooler privilege escalation vulnerability tracked as CVE-2022-38028. Microsoft observed GooseEgg in Forest Blizzard operations and described how the tool and associated artifacts appeared in incidents consistent with the behavior Volexity attributed to GruesomeLarch. The combination of specialized post compromise tooling and creative use of proximate networks is what makes this threat particularly concerning.

Media coverage has emphasized one operational consequence that matters for defense planners: the attacker regained access after initial remediation by finding a weakness in network segmentation. In the Volexity case the threat actor later leveraged a guest Wi-Fi that was believed to be isolated but was not fully segmented from the corporate wired network. That misconfiguration allowed the adversary to pivot back into the corporate environment and access targeted data. This underscores that assumptions about isolation must be validated by technical controls and testing.

Implications for bases and other hardened facilities are clear. Military bases, forward operating hubs, and defense contractors often sit in mixed-use urban environments with adjacent commercial, government, or residential buildings. Attackers need not be physically present at the base to exploit this proximity vector. Compromised contractors, nearby office tenants, or vendor offices can become staging grounds. For any facility where adjacent buildings exist, the effective attack surface includes those neighbors. Defensive postures that treat the wireless plane as incidental are now an unacceptable risk.

Practical mitigations you should implement now

1) Enforce strong 802.1X authentication across all enterprise SSIDs. Move to certificate based EAP methods such as EAP-TLS for device and user authentication. Credentials alone should not provide Wi-Fi access. Where possible supplement with device certificates and managed onboarding.

2) Apply zero trust principles for network access. Assume any authenticated session may be compromised. Require continuous device posture checks, micro segmentation, and least privilege for services reachable over Wi-Fi. Ensure guest or contractor networks cannot reach corporate assets by default.

3) Harden adjacent organization risk. Where bases share urban footprints with contractors or commercial tenants, conduct outreach and technical coordination. Encourage neighbors to adopt similar 802.1X standards and endpoint hygiene. Contractually require MFA, timely patching, and incident notification for colocated vendors.

4) Reduce dual homing and unnecessary wireless adapters on systems that also have wired access. Enforce group policy to disable Wi-Fi adapters on critical wired systems, and monitor for any exceptions. Audit systems that are dual homed and classify their risk.

5) Monitor for living-off-the-land behaviors and unusual wireless activity. Detect patterns like credential reuse across Wi-Fi and Internet services, unusual use of native tools such as cipher.exe for bulk overwrites, and cross building authentication. Use EDR telemetry, RADIUS/logging correlation, and wireless IDS to detect scanning and new client associations from unexpected MAC addresses.

6) Patch and prioritize known exploited vulnerabilities. The Print Spooler elevation CVE-2022-38028 was linked to GooseEgg tooling. Ensure systems in the support and administrative domains stay patched and follow KEV guidance where applicable.

Operational recommendations for defenders and commanders

  • Treat Wi-Fi as an operational domain. Include wireless attack scenarios in tabletop exercises and red team plans. Test guest isolation and verify that segmentation works under adversary tradecraft.

  • Improve situational awareness across the physical neighborhood. RF surveys, directional antennas, and wireless monitoring can help determine what neighbor SSIDs and devices are in range. If an outlier device appears, escalate and investigate the host and its owner.

  • Strengthen contractual and physical security controls for onsite vendors. Vet remote access controls and require logging and rapid incident reporting timelines. Insist on minimum security baselines for any organization operating within a shared footprint.

  • Build relationships with local network operators and building managers. Coordinated disclosure and joint remediation are faster and more effective when lines of communication exist before an incident.

Conclusion

GruesomeLarch’s Nearest Neighbor Attack is a reminder that threat actors adapt resourcefully to defensive measures. When strong protections exist at one attack surface, capable adversaries will simply find another. For bases and defense-related facilities the lesson is to stop treating Wi-Fi as an afterthought. Robust authentication, strict segmentation, neighborhood risk management, and detection tuned for living-off-the-land behavior are essential. The enemy does not need to be next door to use the neighbors as a bridge. Our defenses must be built with that assumption in mind.