- Packet sniffing is essentially eavesdropping, which can be weaponized by the most dangerous threat groups in the world.
- Packet sniffing can be legal -- sometimes.
- The new foot soldiers of cyber espionage are getting younger.
- Protecting against packet sniffing takes a multi-layered, defense-in-depth approach.
- Along with complementary industry tools, LastPass Business Max can help stop rogue logins and protect your most sensitive data.
Undercover, underaged, under pressure – and caught at the nerve center of European intelligence. On a quiet day in August 2025, two Dutch teens were arrested for spying on behalf of pro-Kremlin hackers. One was seen using a “Wi-Fi sniffer” in front of Europol and Eurojust headquarters and the Canadian Embassy. Both were recruited on social media.
Packet sniffing – the silent interception of network data – is increasingly leveraged in cyber spying, especially for stealing credentials.
At barely 17, these teens have become part of the new army engaged in gray zone espionage. But what exactly are gray zone operations and what does packet sniffing have to do with it? Below, we pull back the curtain on how packet sniffing works, its legal boundaries, how hackers exploit it, and what you can do to stay safe.
How does packet sniffing work?
In a nutshell, packet sniffing works by using a tool – either hardware or software – to capture data packets (small chunks of information) as they travel through a network:
- Packet sniffers can be used in two modes: unfiltered, where all data is captured, or filtered, where only specific data is captured.
- They function in both wired and wireless networks.
- Modern packet sniffers do two things: capture traffic and analyze it, which in legitimate use means spotting unauthorized activity or troubleshooting network problems.
Now, here’s where things get interesting: gray zone operations.
These are subversive actions used to weaken adversaries, without triggering open warfare.
They rely on covert tactics like packet sniffing to intercept data from high-value targets. Such tactics are favored by rogue nation states, as seen in the Dutch incident. This is an illegal use of packet sniffing.
In 2025, pro-Kremlin groups have been recruiting teens and complete novices for gray zone espionage operations.
Why? Because teens are the perfect cover: digitally savvy, easily manipulated, and often in need of money. Packet sniffing by minors unaware of the geopolitical stakes offers plausible deniability. It’s a politically convenient enterprise, as young, untrained recruits with no formal ties to the Kremlin can be disavowed easily.
That said, Trey Ford (chief strategy and trust officer at Bugcrowd) says there’s one sign parents and concerned adults can watch for if a teen is involved in such activity: a sudden, unexplained windfall or new, expensive gadgets with no explanations for how they were acquired.
Is packet sniffing eavesdropping?
Yes, packet sniffing is absolutely considered eavesdropping. It involves capturing data in transit to intercept messages, login credentials, or browser traffic.
In modern warfare, packet sniffing has become a silent but powerful weapon in the hands of threat groups like APT28.
The group has mastered the art of network sniffing as part of its cyber espionage operations. In a 2017 campaign, it deployed the open-source tool Responder to poison a target network’s NetBIOS Name Service (NBNS).
Here’s how NBNS poisoning complements packet sniffing in cyber espionage: When a Windows host can’t resolve a name through DNS (a mistyped share name is enough), it falls back to broadcasting a NetBIOS Name Service (NBT-NS) query, and usually an LLMNR query as well, asking the whole subnet who owns that name. NetBIOS over TCP/IP dates back decades, but it remains enabled by default on many Windows networks.
An attacker running a tool like Responder answers every such broadcast with a forged reply claiming the name belongs to the attacker’s machine, so the victim connects there instead of to the legitimate host.
When the victim then tries to authenticate to the rogue SMB or HTTP service, the attacker captures the NTLM challenge-response (a Net-NTLMv2 hash). That value can be cracked offline to recover the plaintext password, or, where SMB signing isn’t enforced, relayed to another host that accepts NTLM authentication.
In the 2017 campaign, APT28 combined multiple techniques to spy on guests at hotels in seven (7) European countries and one Middle Eastern country:
- First, the attackers used spear phishing emails (with malicious Office files) to deliver the GAMEFISH remote access trojan to victim devices. This gave them persistent access without victims knowing.
- Next, they used Responder to perform NetBIOS Name Service (NBNS) poisoning, tricking victim devices into communicating with their own servers.
- The group then used packet sniffers to harvest hashed credentials.
- Finally, they deployed the EternalBlue exploit for lateral movement and privilege escalation within the breached hotel networks.
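To make the exchange concrete, here is an added example (written for this article, not code from Responder or from the APT28 campaign) that builds the NBT-NS name query a Windows host broadcasts, builds the forged positive response a poisoner sends back, and then shows the defender’s counter-move: broadcast queries for canary names that no real host owns, so any positive reply identifies the poisoner. The wire format follows RFC 1002; the host names and IP addresses are constructed for the demo.

```python
import ipaddress
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001
FLAGS_QUERY = 0x0110          # NM_FLAGS: RD + B (broadcast)
FLAGS_POS_RESPONSE = 0x8500   # R + AA + RD, as seen in poisoner replies


def encode_name(name, suffix=0x20):
    """RFC 1002 first-level encoding: pad to 15 chars, append the suffix byte
    (0x20 = file server service), map each nibble to 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytes(b for byte in raw for b in (65 + (byte >> 4), 65 + (byte & 0x0F)))
    return b"\x20" + enc + b"\x00"


def decode_name(buf, offset=0):
    """Inverse of encode_name. Returns (name, suffix, offset after the name)."""
    if buf[offset] != 32 or buf[offset + 33] != 0:
        raise ValueError("malformed NetBIOS name")
    enc = buf[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], offset + 34


def build_query(trn_id, name):
    """What a Windows host broadcasts when DNS cannot resolve `name`."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS)


def build_poisoned_response(query, answer_ip, ttl=165):
    """The poisoner's move: echo the victim's transaction ID and name back and
    claim the name lives at answer_ip (the attacker's machine)."""
    trn_id, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a name query")
    name, suffix, _ = decode_name(query, 12)
    rdata = b"\x00\x00" + ipaddress.IPv4Address(answer_ip).packed   # B-node, unique name
    header = struct.pack("!HHHHHH", trn_id, FLAGS_POS_RESPONSE, 0, 1, 0, 0)
    return (header + encode_name(name, suffix)
            + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata)


def parse_response(buf):
    """Decode a positive name query response into its useful fields."""
    trn_id, flags, _, ancount = struct.unpack("!HHHH", buf[:8])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a positive name response")
    name, suffix, off = decode_name(buf, 12)
    _, _, ttl, _ = struct.unpack("!HHIH", buf[off:off + 10])
    ip = str(ipaddress.IPv4Address(buf[off + 12:off + 16]))
    return {"trn_id": trn_id, "name": name, "suffix": suffix, "ttl": ttl, "ip": ip}


def detect_poisoners(responses, canary_names):
    """Defender side: periodically broadcast queries for names that do not
    exist. Nobody legitimate can answer, so any positive reply for a canary
    name identifies a poisoner. `responses` is a list of (source_ip, packet)."""
    canaries = {n.upper() for n in canary_names}
    hits = set()
    for src_ip, pkt in responses:
        try:
            answer = parse_response(pkt)
        except (ValueError, IndexError):
            continue
        if answer["name"] in canaries:
            hits.add((src_ip, answer["name"], answer["ip"]))
    return sorted(hits)


if __name__ == "__main__":
    victim_query = build_query(0x1234, "FILESRV01")   # constructed: name does not exist
    forged = build_poisoned_response(victim_query, "10.0.0.66")
    print(parse_response(forged))
    print(detect_poisoners([("10.0.0.66", forged)], ["FILESRV01"]))
```

The canary trick works because a correctly behaving network never produces a positive answer for a name nobody owns; the only thing missing from the demo is the socket code to broadcast the query on UDP/137 and collect replies. The better long-term fix is to disable LLMNR and NBT-NS via Group Policy, so there is nothing to poison.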
Essentially, packet sniffing is eavesdropping that raises no alarms. The intelligence gathered is priceless, the risks minimal, and the operation almost impossible to trace conclusively.
In the hands of nation-state groups like APT28, it's rewriting the rules of espionage, one intercepted packet at a time.
Is packet sniffing legal?
It depends. When used with explicit permission for network management, it’s legal.
Unauthorized interception of data, however, is illegal in most jurisdictions, including under laws like the U.S. Wiretap Act (Title I of the Electronic Communications Privacy Act).
Ethically and legally, packet sniffing must respect privacy and consent.
That said, the U.S. Wiretap Act may not fully protect you if someone is packet sniffing on a “publicly available” network. Some U.S. courts have held that traffic on open, unencrypted Wi-Fi is “readily accessible to the general public” and therefore outside the Act’s protection, though other courts have disagreed, so the law is not something to rely on.
When data is encrypted or transmitted over a secured network, the Wiretap Act’s protections apply. More importantly, encryption is what actually stops a sniffer: use a VPN on untrusted networks, insist on HTTPS websites, and enable multi-factor authentication (MFA) so a sniffed password alone can’t unlock an account.
LastPass supports a variety of MFA methods as well as advanced options like FIDO2 MFA (passkeys and hardware security keys). This flexibility allows you to implement the best authentication method for your lifestyle.
Have a business? Unlock FIDO2 MFA with Business Max, which comes with SaaS Monitoring + SaaS Protect. Remember: One stolen credential (obtained by sniffers) can put your business at risk of ransomware, data exfiltration, or sabotage.
Today, you can easily uncover rogue logins and take total control of your SaaS footprint with a free trial of Business Max (no credit card required).
While you’re at it, read how Axxor (a global manufacturer) is safeguarding its operations worldwide with SaaS Monitoring + SaaS Protect.
How do hackers use packet sniffing?
Hackers use packet sniffers to:
- Capture login credentials and session cookies
- Gather intelligence from private communications like emails, texts, and chat messages
- Steal personal info such as credit card numbers, SSNs, and bank account numbers
As mentioned, nation states are weaponizing the simple act of packet capture – sniffing network traffic – to conduct advanced espionage campaigns. In this game of shadows, knowledge is power.
In 2015, Sandworm Team used the sophisticated BlackEnergy trojan to attack the Ukraine power grid.
With BlackEnergy’s network sniffer module, Sandworm was able to harvest the credentials needed to access Ukrainian industrial control systems (ICS) and remotely shut down substations. Between 2022 and 2023, continued attacks led to a 51% decline in the generation, transmission, and distribution of electricity, leading to rolling blackouts for Ukrainian citizens.
And in 2017, Sandworm’s gray zone tactics unleashed the NotPetya worm on the world, crippling Ukrainian infrastructure and locking 90% of workstations in the country’s second-largest bank.
From Ukraine, NotPetya tore across networks worldwide, completely paralyzing operations at FedEx, Merck, and Maersk (the world’s largest shipping & logistics company).
At its busiest East Coast terminal in Port Elizabeth, New Jersey, hundreds of Maersk 18-wheelers couldn’t move because the gate systems and scheduling software coordinating pickups, deliveries, and gate access were completely disabled.
Meanwhile, the Electronic Data Interchange files which tell terminal operators the exact contents of cargo holds were completely wiped away. The same scene played out at 17 Maersk terminals, from Los Angeles to Rotterdam (Netherlands) and Mumbai (India).
No cargo manifests meant no way to prioritize unloading and routing.
So, containers with temperature-sensitive cargo – like produce, dairy, seafood, and pharmaceuticals – sat idle for days, leading to massive food spoilage, waste, and financial loss. The result? Emptier shelves and higher prices for consumers, due to delays.
In the end, Maersk had to rebuild 4,000 servers and 45,000 PCs to get operations back on track.
Fast forward to 2025.
APT33, heavily active in the United States and Saudi Arabia, uses SniffPass for credential harvesting. It has attacked at least 50 organizations in the manufacturing, telecoms, military, and energy sectors in both countries.
Similarly, Salt Typhoon (UNC2286) has configured compromised network devices inside telecom environments to capture traffic, harvesting credentials and operational information from the packets passing through them.
Salt Typhoon has infiltrated no fewer than nine (9) U.S. telecoms. In 2024, the group reportedly accessed communications of people tied to both major U.S. presidential campaigns.
It’s clear modern espionage is predominantly cyber espionage, where intercepted secrets can initiate cascading failures across critical infrastructure and undermine national security.
And supply chain shortages aren’t the only risks here.
Think blackouts, water shortages, disrupted cellular and internet services, delays in emergency care. Packet sniffing isn’t just a remote threat: It puts your life - and millions of lives - at risk.
What is promiscuous mode in packet sniffing?
It’s a setting on network interface cards that allows a device to capture all data packets on a network segment, not just those addressed to it. This passive sniffing mode lets attackers see every packet that reaches their port, making it a crucial tool for spying, data exfiltration, and sabotage of critical infrastructure. One caveat: on a switched network, a port only receives broadcasts and its own host’s traffic, so attackers typically pair promiscuous mode with an active technique such as ARP spoofing, or with a compromised switch port mirror, to pull other hosts’ traffic toward them.
Can packet sniffing be detected?
Detection is difficult but possible, depending on the type of sniffing.
Active sniffing (which manipulates network traffic, like in ARP spoofing and DNS spoofing) can be detected via unusual traffic patterns.
Passive sniffing, however, generates no traffic of its own, so a network IDS never sees it. Detection relies on host-based checks (an interface in promiscuous mode, an unexpected capture tool running), HIDS/EDR telemetry, or canary traffic that should never draw a reply.
Advanced threat groups like Sandworm and APT28 often combine sniffing with name-resolution poisoning to capture NTLM challenge-response hashes. One captured response that cracks to a weak password, or that can be relayed to another host, is enough to authenticate as a legitimate user.
Once inside the system, the attackers use credential-dumping tools like Mimikatz to extract NTLM hashes from memory, which can be used directly in pass-the-hash attacks. The target is hashes tied to admin or service accounts, which enable them to escalate privileges, move laterally, deploy malware, and sabotage systems.
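As an added example (not from the original article), the following Linux-only script performs the two host-side checks a defender has for passive sniffing described in the promiscuous-mode and detection sections above: the IFF_PROMISC bit in /sys/class/net/<iface>/flags, and the kernel’s “entered/left promiscuous mode” log messages, which also catch captures that have already stopped. The sample flags and dmesg lines are constructed, and the `expected` list (interfaces that are allowed to sniff, such as an IDS sensor) is an assumption for the demo.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100   # linux/if.h; shown as PROMISC in `ip link show`

# Kernel messages emitted when promiscuity is toggled, older and newer formats:
#   "device eth0 entered promiscuous mode"   /   "eth0: entered promiscuous mode"
PROMISC_LOG = re.compile(
    r"(?:device )?(?P<iface>[\w.\-]+):? (?P<action>entered|left) promiscuous mode")


def read_sysfs_flags(sys_root="/sys/class/net"):
    """Current interface flags from sysfs as {iface: int}. Linux only."""
    flags = {}
    for path in Path(sys_root).glob("*/flags"):
        try:
            flags[path.parent.name] = int(path.read_text().strip(), 16)
        except (OSError, ValueError):
            continue
    return flags


def promiscuous_interfaces(flags):
    """Interfaces whose flags have IFF_PROMISC set right now."""
    return sorted(iface for iface, f in flags.items() if f & IFF_PROMISC)


def replay_promisc_log(lines):
    """Walk kernel log lines in order; return (interfaces left in promiscuous
    mode, full toggle history). Catches short-lived captures the flags miss."""
    state, history = {}, []
    for line in lines:
        m = PROMISC_LOG.search(line)
        if m:
            state[m["iface"]] = m["action"] == "entered"
            history.append((m["iface"], m["action"]))
    return sorted(i for i, on in state.items() if on), history


def audit(flags, log_lines, expected=()):
    """Combine both sources; anything not in `expected` (interfaces that are
    supposed to sniff, e.g. an IDS sensor on a SPAN port) is a finding."""
    live = set(promiscuous_interfaces(flags))
    from_log, history = replay_promisc_log(log_lines)
    findings = sorted((live | set(from_log)) - set(expected))
    return findings, history


# Constructed sample data: flags as read from /sys/class/net/*/flags, plus a
# few dmesg lines. eth1 is sniffing now; eth0 was, briefly; eth2 is a sensor.
SAMPLE_FLAGS = {"lo": 0x9, "eth0": 0x1003, "eth1": 0x1103, "eth2": 0x1103}
SAMPLE_DMESG = [
    "[ 1203.118402] device eth0 entered promiscuous mode",
    "[ 1299.000113] device eth0 left promiscuous mode",
    "[ 1310.557204] device eth1 entered promiscuous mode",
    "[ 1311.000000] eth2: entered promiscuous mode",
]

if __name__ == "__main__":
    flags = read_sysfs_flags() or SAMPLE_FLAGS   # fall back to the sample off-Linux
    print(audit(flags, SAMPLE_DMESG, expected=["eth2"]))
```

Run it with real input by feeding `dmesg` output into `replay_promisc_log` and scheduling it from a HIDS or EDR check. Two caveats: an attacker with root can hide a capture from these sources, so treat the flag and log as one signal among several; and a Wi-Fi card in monitor mode is a different setting that this check does not cover.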
How to protect against packet sniffing
They say the biggest threats are the ones you don’t see coming. Packet sniffing is exactly that, a “ghost” in your network siphoning data without a single alarm going off.
That’s why it’s a favored tactic in the world of gray zone operations.
However, there are ways to protect yourself. This easy-to-read table highlights all the layered defense strategies that empower you to take back control and secure your data.
| Tool/strategy | How it helps | Who it helps |
|---|---|---|
| LastPass Business Max (SSO, FIDO2 MFA, SaaS Monitoring, SaaS Protect) | SSO centralizes authentication and reduces the number of credentials exposed; FIDO2 MFA (passkeys and hardware keys) uses phishing-resistant public-key authentication, so a sniffed password alone is not enough to log in; SaaS Monitoring tracks logins across all corporate apps; SaaS Protect blocks high-risk logins and alerts users to weak credentials in real time | Organizations in sensitive industries like manufacturing, financial services, and healthcare |
| VPN (virtual private network) | Encrypts traffic between your device and the VPN endpoint, so packets intercepted on the local network or public Wi-Fi are unreadable (traffic beyond the VPN exit is only protected if it also uses TLS) | General users and organizations |
| Network segmentation and ACLs (access control lists) | Segmentation restricts lateral pathways, so attackers who breach one segment can’t easily pivot to another, and it limits how much traffic a sniffer on any one segment can see; ACLs enforce least privilege, so users only get the access they need and attackers must work harder to escalate privileges | Network security teams in organizations |
| Firewall and antivirus software | Next-generation firewalls (e.g. Palo Alto Networks NGFW) can decrypt and inspect traffic for credential exfiltration and block the active techniques that feed sniffers, such as ARP spoofing, DNS spoofing and LLMNR/NBT-NS poisoning; antivirus can detect and remove known sniffing malware | All users, especially enterprises |
| IDS, EDR, and Wi-Fi sniffers | IDS (intrusion detection systems) like Snort and Suricata can detect spoofed name-resolution replies and other active-attack signatures; EDR (endpoint detection & response) can block sniffing tools and flag interfaces entering promiscuous mode; Wi-Fi sniffers provide wireless visibility by detecting rogue access points and unauthorized devices near sensitive buildings | Network administrators in critical infrastructure and sensitive industries |
| Encryption protocols (TLS/HTTPS, SSH, SFTP) | Encrypts packet contents, so information can’t be read by sniffers even if captured (metadata such as IP addresses and the TLS server name remain visible) | Website owners, system administrators, users sending sensitive data |
| Avoid public or unsecured Wi-Fi networks | Reduces exposure, as public Wi-Fi is a prime target for sniffing attacks | All users |
| Penetration testers | Ethical hackers can simulate sniffing attacks to uncover weaknesses like weak segmentation or misconfigured ACLs, and evaluate how effective endpoint defenses (EDR/HIDS) and firewalls are | Organizations with critical infrastructure |
| Keep software and firmware updated | Patches the vulnerabilities (like the SMB flaw EternalBlue exploited) that attackers use to get a foothold on the network in the first place | All users, IT teams |
FAQs: Packet sniffing
Can I get hacked by packet sniffing?
Yes, attackers can use packet sniffing to steal information traveling over your network. This includes login credentials, account numbers, and private messages.
If your data isn’t properly encrypted, attackers can gain unauthorized access to your accounts. In 2025, threat groups from the “Big Four” nations (China, Russia, Iran, and North Korea) continue to use packet sniffing as part of their cyber reconnaissance and infiltration campaigns.
Can HTTPS packets be sniffed?
HTTPS packets can be captured by packet sniffers, but the data inside them is encrypted. This means attackers can’t see actual communications.
However, they can still see metadata: source and destination IP addresses, port numbers, packet sizes and timing, the TTL (time-to-live, a hop counter decremented by each router, not a clock), and, for most connections today, the server hostname sent in the clear in the TLS ClientHello (Server Name Indication, SNI) unless Encrypted Client Hello is in use.
Can SSL packets be sniffed?
Like HTTPS, SSL-encrypted packets can be intercepted but the contents are encrypted. However, SSL 2.0 and 3.0 (and TLS 1.0 and 1.1) are deprecated because of known weaknesses; attacks such as POODLE against SSL 3.0 let an attacker on the network path recover parts of the plaintext.
Thus, using the latest TLS version (TLS 1.3 as of this writing) and modern certificate management is critical to resisting these attacks.
What can a packet sniffer see?
A packet sniffer can capture all data packets traveling through any network segment it has access to. For unencrypted packets, the sniffer can see and read the full content. This includes metadata (source and destination IP addresses, packet size, protocols being used) and actual contents like emails, texts, passwords, and files transferred.
However, encrypted packets reveal only metadata, not actual communications.
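As an added example (not code from the original article or from any of the tools it mentions), the following minimal dissector ties together the “how it works” bullets near the top of the article and the FAQs on HTTPS and sniffer visibility: it decodes Ethernet/IPv4/TCP from raw frames, applies an optional port filter (the “filtered” mode), recovers a password from plaintext HTTP Basic authentication, and, for an HTTPS connection, pulls out the one piece of application data TLS does not hide, the SNI hostname in the ClientHello. The frames, hostnames and credentials are constructed for the demo, and checksums are not computed.

```python
import base64
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame used as sample capture input.
    Checksums are left zero: this is test data, not a transmittable packet."""
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def build_client_hello(hostname):
    """Constructed TLS ClientHello carrying only a server_name (SNI) extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type = host_name
    sni = struct.pack("!H", len(entry)) + entry                 # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni            # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
            + b"\x01\x00"                                       # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_basic_auth(payload):
    """Plaintext HTTP: recover user:password from an Authorization: Basic header."""
    for line in payload.decode("ascii", errors="replace").split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            try:
                return base64.b64decode(line.split(" ", 2)[2]).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def extract_sni(payload):
    """TLS: everything after the key exchange is encrypted, but the ClientHello
    (and its SNI) goes out in the clear. Returns the hostname or None."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                            # headers, version, random
    pos += 1 + payload[pos]                                     # session id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]     # cipher suites
    pos += 1 + payload[pos]                                     # compression methods
    if pos + 2 > len(payload):
        return None
    ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0x0000:   # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii", errors="replace")
        pos += elen
    return None


def dissect(frame, ports=None):
    """Decode one Ethernet/IPv4/TCP frame. `ports` is an optional capture
    filter (the 'filtered' mode); None keeps everything ('unfiltered')."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if ports is not None and sport not in ports and dport not in ports:
        return None
    payload = tcp[(tcp[12] >> 4) * 4:]
    rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "sport": sport, "dport": dport, "ttl": ip[8], "length": len(frame),
           "credential": None, "sni": None}
    if dport == 80:
        rec["credential"] = extract_basic_auth(payload)   # plaintext: fully readable
    elif dport == 443:
        rec["sni"] = extract_sni(payload)                 # encrypted: only the hostname leaks
    return rec


def sniff(frames, ports=None):
    """Run the dissector over a list of captured frames, dropping non-matches."""
    return [r for r in (dissect(f, ports) for f in frames) if r is not None]


# Constructed sample capture: one plaintext HTTP login and one HTTPS connection.
SAMPLE_FRAMES = [
    build_frame("10.0.0.7", "203.0.113.10", 51000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                + base64.b64encode(b"alice:Winter2025!") + b"\r\n\r\n"),
    build_frame("10.0.0.7", "203.0.113.20", 51001, 443, build_client_hello("mail.example.net")),
]

if __name__ == "__main__":
    for rec in sniff(SAMPLE_FRAMES):
        print(rec)
```

Against real traffic the same logic runs over frames from a pcap file or an AF_PACKET socket (which needs root and puts the interface into promiscuous mode); the point of the two sample frames is the contrast in the output: the HTTP record carries the password, the HTTPS record carries only addresses, ports, sizes, TTL and the hostname.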
Can packet sniffing detect rogue devices?
General packet sniffing on a wired network won’t directly detect rogue devices. When people talk about “rogue devices,” they often mean unauthorized wireless devices.
To gather intelligence near sensitive locations, threat groups may use Wi-Fi pineapples (devices set up to act as “evil twins” or rogue access points that mimic the location’s legitimate network). APT28, for example, has used Wi-Fi pineapples to capture credentials or plant espionage-oriented malware.
These pineapples often broadcast many network names (SSIDs) from a single MAC address – to increase the chances a target device will connect to them. By using Wi-Fi sniffers, you can scan for this type of unusual broadcast activity and stop reconnaissance attacks.
Note: Wi-Fi sniffers can be used by both attackers and organizations. The key difference lies in intent and authorization. Legitimate use is always authorized and non-malicious.
Sources
https://cybernews.com/security/netherlands-teenagers-arrest-spying-russia/
https://allaboutcookies.org/what-is-packet-sniffing
https://www.reuters.com/investigates/special-report/europe-espionage-teen-spy/
https://attack.mitre.org/groups/G0007/
https://attack.mitre.org/campaigns/C0028/
https://attack.mitre.org/techniques/T1040/
https://www.security.com/threat-intelligence/elfin-apt33-espionage
https://blog.talosintelligence.com/salt-typhoon-analysis/
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
https://www.hackthebox.com/blog/salt-typhoon-apt-us-telecom-espionage-attack-analysis
https://www.computerweekly.com/news/450424310/Russian-cyber-espionage-group-targeting-hotel-Wi-Fi
https://www.cigionline.org/articles/danger-critical-infrastructure-interdependency/