A cyber-espionage group has compromised the computer systems of corporate executives by infecting the networks of the hotels where they typically stay and then serving up malware while they connected to the Internet, according to an investigation published by security firm Kaspersky Lab on Nov. 10.
The group, which Kaspersky dubbed “Darkhotel,” has successfully targeted CEOs, sales and marketing directors and top R&D staff traveling in the Asia-Pacific region. While most of the attacks appear to have targeted professionals in Japan, business people traveling in Taiwan and China have also been targeted, according to Kaspersky’s report.
By compromising hotel systems, the attackers are able to precisely identify targets and exploit their trust in the local network, Kurt Baumgartner, principal security researcher with Kaspersky Lab, told eWEEK.
“When an executive or a traveler of interest checks into a hotel, the attackers have some knowledge of their last name and the room number,” he said. “So this type of attack is more precise and more targeted than a watering-hole attack.”
The Darkhotel attacks are not the first time that attackers have taken aim at hotel networks. However, previous attacks often have focused on stealing payment-card data, rather than intellectual property. Hotel-related espionage efforts have typically required access to rooms, such as when Chinese agents reportedly implanted malware on the PCs of Dupont executives by gaining access to the safe of the hotel room in which they were staying.
The Darkhotel group appeared to have knowledge of when the targeted business person would arrive as well as their room number. The group would compromise the hotel network, infect the target systems and–after exfiltrating any data–delete any traces of their software, according to Baumgartner.
In fact, the attackers were very careful not to be detected, only attempting to exploit specific victims, which caused problems for Kaspersky in trying to track down the malware, according to the firm’s report.
“When visiting the same hotels, our honeypot research systems couldn’t attract a Darkhotel attack,” the report stated. “This data is inconclusive, but it points to misuse of check-in information.”
If successful, the Darkhotel attack steals users’ names and passwords for more than 30 different sites, including major U.S. Internet providers, such as Microsoft, Google and Yahoo as well as international Internet service providers, such as Yandex, based in Russia, and 126.com, based in China. The attackers’ nationality is not known, but a language setting in the code is Korean.
The targeted attacks through hotel networks appear to only be one way that the Darkhotel group operated.
Sometimes, the group uses unsophisticated, mass infections to spread malware, seeding Japanese peer-to-peer file sharing sites with Trojan horse programs embedded in pornographic files. The group also used spear-phishing to lure targets with subject lines dealing with nuclear energy and weapons capabilities. Finally, the Darkhotel group exploited zero-day vulnerabilities to infect targeted systems, according to Kaspersky.
Another strength of the Dark Hotel group is its ability to break weakly encrypted certificates and use them to fool the operating system’s defenses. Windows and Mac OS X both look for known developer signatures as one step in their defenses. The Darkhotel group appeared to have broken a number of 512-bit keys hashed using either SHA–1 or MD5, both considered too weak to be secure against modern attacks.
“We are confident that our Darkhotel threat actor fraudulently duplicated these certificates to sign its malware,” Kaspersky Labstated in its report. “These keys were not stolen.”