MITRE ATT&CK® Technique

T1669: Wi-Fi Networks

Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by exploiting open Wi-Fi networks used by target devices or by accessing secured Wi-Fi networks — requiring Valid Accounts — belonging to a target organization.[1][2] Establishing a connection to a Wi-Fi access point requires a certain level of proximity to both discover and maintain a stable network connection.

Adversaries may establish a wireless connection through various methods, such as by physically positioning themselves near a Wi-Fi network to conduct close access operations. To bypass the need for physical proximity, adversaries may attempt to remotely compromise nearby third-party systems that have both wired and wireless network connections available (i.e., dual-homed systems). These third-party compromised devices can then serve as a bridge to connect to a target’s Wi-Fi network.[2]

Once an initial wireless connection is achieved, adversaries may leverage this access for follow-on activities in the victim network or further targeting of specific devices on the network. Adversaries may perform Network Sniffing or Adversary-in-the-Middle activities for Credential Access or Discovery.

Domain: Enterprise | ID: T1669 | Type: Technique | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Wi-Fi Networks (T1669) matters because it turns physical or nearby wireless reach into an initial-access path. An attacker does not necessarily need to start on the corporate LAN or VPN; they may connect to an open or organization-secured wireless network, use valid accounts where required, or abuse a nearby dual-homed third-party system as a bridge. For leaders, this makes wireless exposure, identity controls, and network segmentation part of incident readiness—not just facilities or network engineering hygiene.

Executive priority

Prioritize this technique where business operations depend on office wireless networks, shared buildings, nearby tenants, or environments where wireless access can reach sensitive internal systems. The key management question is whether Wi-Fi access is treated with the same control rigor as remote access: strong identity, segmentation, encryption, monitoring, and evidence for audit or incident response. Because ATT&CK places this under Initial Access and links it to follow-on credential access and discovery behaviors, gaps can affect business continuity and containment speed.

Technical view

SOC, network, identity, and IR teams should validate whether wireless access events can be correlated with endpoint, network-device, and authentication telemetry across Linux, Windows, macOS, and network devices. Since no official ATT&CK detection text is provided, detection engineering should focus on the related detection strategy DET0536 and on local evidence: unusual wireless associations, unexpected devices or accounts joining secured Wi-Fi, activity from wireless segments toward internal services, and signs of follow-on Network Sniffing or Adversary-in-the-Middle behavior where telemetry supports it. The relationship context also highlights Valid Accounts as relevant when secured Wi-Fi is accessed, so authentication review is central.

Likely telemetry

  • Wireless access point/controller association and disassociation logs
  • Network device logs from switches, routers, firewalls, and wireless infrastructure
  • Authentication logs for Wi-Fi access, including account, device, and MFA-related evidence where applicable
  • DHCP, DNS, and IP address assignment records for wireless segments
  • Network flow or firewall telemetry between wireless segments and internal systems

Detection direction

  • Confirm whether DET0536 or equivalent local analytics are implemented and mapped to T1669.
  • Baseline normal wireless clients, accounts, locations, and access times so anomalous associations are reviewable.
  • Correlate Wi-Fi authentication, device identity, DHCP/DNS, and network flow data; single-source wireless logs may not prove malicious access.
  • Tune for false positives from roaming users, device refreshes, guest networks, and shared workspaces.
  • Look for wireless-origin traffic reaching sensitive internal systems, especially where segmentation should prevent it.
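The detection direction above is a correlation problem: a single wireless association log rarely proves anything, but an association joined to a DHCP lease and to flow records can show an unbaselined device, an off-hours join, and wireless-origin traffic reaching a segment it should never touch. The script below is an added example written for this page; it is not Glexia's or MITRE's code and does not implement DET0536. Every log line, subnet, MAC address, account name and working-hours window in it is constructed sample data, and the key=value log format is a simplification rather than any vendor's real syntax.

```python
"""
Added example (not part of the Glexia page or MITRE ATT&CK): correlate
Wi-Fi authentication, DHCP and flow telemetry to surface T1669-style
anomalies. All log lines, subnets, MACs and accounts are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample telemetry in a simplified key=value format.
WIFI_AUTH_LOGS = [
    "ts=2025-03-01T08:02:11Z ssid=CORP user=jdoe mac=aa:bb:cc:00:00:01 ap=ap-floor2 result=accept",
    "ts=2025-03-01T08:05:40Z ssid=CORP user=asmith mac=aa:bb:cc:00:00:02 ap=ap-floor2 result=accept",
    "ts=2025-03-01T23:47:03Z ssid=CORP user=jdoe mac=de:ad:be:ef:00:99 ap=ap-lobby result=accept",
]
DHCP_LOGS = [
    "ts=2025-03-01T08:02:13Z mac=aa:bb:cc:00:00:01 ip=10.50.1.21",
    "ts=2025-03-01T08:05:42Z mac=aa:bb:cc:00:00:02 ip=10.50.1.22",
    "ts=2025-03-01T23:47:05Z mac=de:ad:be:ef:00:99 ip=10.50.1.77",
]
FLOW_LOGS = [
    "ts=2025-03-01T08:10:00Z src=10.50.1.21 dst=10.10.5.8 dport=443",
    "ts=2025-03-01T23:49:10Z src=10.50.1.77 dst=10.0.0.15 dport=445",
    "ts=2025-03-01T23:50:30Z src=10.50.1.77 dst=10.0.0.15 dport=22",
]

# Assumed network layout: the wireless client pool and a management subnet
# that segmentation should keep wireless clients away from.
WIRELESS_SEGMENT = ip_network("10.50.0.0/16")
SENSITIVE_SEGMENTS = [ip_network("10.0.0.0/24")]

# Baseline (assumed): known (account, MAC) pairs and normal join hours (UTC).
BASELINE_DEVICES = {("jdoe", "aa:bb:cc:00:00:01"), ("asmith", "aa:bb:cc:00:00:02")}
WORK_HOURS = range(7, 20)


def parse_kv(line):
    """Split 'k=v k=v ...' into a dict (values contain no spaces here)."""
    return dict(field.split("=", 1) for field in line.split())


def hour_of(ts):
    """Hour field of an ISO-8601 timestamp such as 2025-03-01T08:02:11Z."""
    return int(ts[11:13])


def build_mac_to_ip(dhcp_logs):
    """Latest DHCP lease per MAC, used to tie a Wi-Fi session to flow records."""
    mapping = {}
    for rec in map(parse_kv, dhcp_logs):
        mapping[rec["mac"]] = rec["ip"]
    return mapping


def detect(wifi_auth_logs, dhcp_logs, flow_logs):
    """Return one finding per (account, MAC) session that breaks a rule."""
    mac_to_ip = build_mac_to_ip(dhcp_logs)
    ip_to_session = {}
    reasons = defaultdict(list)

    # Rules 1-2: unbaselined device for the account, join outside work hours.
    for rec in map(parse_kv, wifi_auth_logs):
        if rec["result"] != "accept":
            continue
        key = (rec["user"], rec["mac"])
        ip = mac_to_ip.get(rec["mac"])
        if ip:
            ip_to_session[ip] = key
        if key not in BASELINE_DEVICES:
            reasons[key].append("unbaselined device for account")
        if hour_of(rec["ts"]) not in WORK_HOURS:
            reasons[key].append("association outside working hours")

    # Rule 3: wireless-origin traffic reaching a sensitive segment.
    for rec in map(parse_kv, flow_logs):
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src not in WIRELESS_SEGMENT:
            continue
        if any(dst in seg for seg in SENSITIVE_SEGMENTS):
            key = ip_to_session.get(rec["src"])
            note = "" if key else " (no matching Wi-Fi session)"
            key = key or ("unknown", "unknown")
            reasons[key].append(
                f"wireless client reached sensitive host {dst}:{rec['dport']}{note}"
            )

    return [
        {"user": user, "mac": mac, "ip": mac_to_ip.get(mac), "reasons": why}
        for (user, mac), why in reasons.items()
    ]


if __name__ == "__main__":
    for finding in detect(WIFI_AUTH_LOGS, DHCP_LOGS, FLOW_LOGS):
        print(finding)
```

On the sample data the baseline sessions produce nothing, while the late-night join of an unknown MAC under an existing account, followed by SMB and SSH flows from its leased address into the management subnet, yields a single finding carrying all four reasons. Tuning for the false-positive sources listed above (roaming, device refreshes, guest SSIDs) would be done by adjusting the baseline set and the segment lists rather than the correlation logic.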

Mitigation priorities

  • Apply network segmentation so Wi-Fi access does not provide broad reach to critical assets or management networks.
  • Require strong authentication controls, including MFA where applicable, for access to critical systems and services reachable after wireless access.
  • Encrypt sensitive information in transit and at rest so wireless access alone does not expose high-value data.
  • Separate guest, corporate, administrative, and sensitive operational networks with enforced access control policies.
  • Maintain asset and identity accountability for wireless clients so unknown devices and unexpected accounts can be investigated quickly.

Analyst notes and limits

The supplied ATT&CK relationships identify DET0536 as a detection strategy and M1030 Network Segmentation, M1032 Multi-factor Authentication, and M1041 Encrypt Sensitive Information as mitigations. The object also cites APT28 and the APT28 Nearest Neighbor Campaign as using this technique, but this summary does not infer current activity or customer exposure from those references. The practical takeaway is to treat wireless access as an initial-access surface that must be governed, monitored, and segmented like other entry points.

Official ATT&CK detection guidance for this object is not provided in the supplied fields. Specific analytics, thresholds, and control effectiveness depend on local wireless architecture, identity design, logging coverage, and whether nearby third-party or dual-homed systems are relevant to the environment.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Campaign (Enterprise)

C0051: APT28 Nearest Neighbor Campaign

APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily leveraged living-off-the-land techniques, while leveraging the zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations nearby the intended target, APT28 discovered dual-homed systems (with both a wired and wireless network connection) to enable Wi-Fi and use compromised credentials to connect to the victim network.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 85d9f29173ff3687...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 85d9f29173ff…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] DOJ GRU Charges 2018. U.S. Department of Justice. (2018, October 4). U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations. Retrieved February 25, 2025.
  2. [2] Nearest Neighbor Volexity. Koessel, Sean; Adair, Steven; Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  3. [3] mitre-attack T1669.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.