A notorious Russia-linked hacker group specializing in cyber espionage is believed to be behind an ongoing campaign targeting hotels in several European countries.
FireEye has linked the attacks with moderate confidence to APT28, a threat actor also known as Pawn Storm, Fancy Bear, Sofacy, Sednit and Strontium. The group is believed to have launched numerous high-profile attacks, including a campaign targeting last year’s presidential election in the United States.
While the recent attacks have targeted the networks of hotels, the security firm says there is some indication that the hackers may actually be looking to access the devices of government and business travelers via the guest Wi-Fi provided by these hotels.
FireEye has seen attacks targeting several companies in the hospitality sector, including hotels in seven European countries and one Middle Eastern country.
The attacks start with a spear phishing email sent to a hotel employee. The emails carry a document named “Hotel_Reservation_Form.doc,” which uses macros to decode a dropper that deploys GameFish, a piece of malware known to be used by APT28. This backdoor was used recently in a campaign launched by the threat group against Montenegro just as the country had been preparing to join NATO.
Once they gained access to the targeted hotel’s network, the hackers used the NSA-linked EternalBlue SMB exploit, which was also involved in the recent WannaCry and NotPetya outbreaks, to move laterally within the network. Researchers said this was the first time the group had used this exploit.
The cyberspies also used Responder, an open source penetration testing tool developed by Laurent Gaffie of SpiderLabs. They leveraged Responder for NetBIOS Name Service (NBT-NS) poisoning.
“This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” FireEye researchers explained.
In one incident that occurred in 2016, a user connected to a hotel’s Wi-Fi and 12 hours later their device was accessed by APT28 using stolen credentials. The attackers started moving through the victim’s network and accessed their Outlook Web Access (OWA) account.
While these attacks can be carried out remotely, in this case the attacker appeared to be on the same network and physically close to the victim.
Kaspersky reported recently that APT28 has been using two zero-day vulnerabilities in targeted attacks, and it has started experimenting with new macro techniques.
These are not the only attacks apparently aimed at travelers. Other campaigns include DarkHotel, which some have linked to South Korea, Duqu 2.0, targeting the networks of European hotels hosting participants in Iranian nuclear negotiations, and according to some reports, high-profile people visiting Russia and China may have their devices accessed.
“Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations,” FireEye said. “Business and government personnel who are traveling, especially in a foreign country, must often rely on less secure systems to conduct business than at their home office, or may be unfamiliar with the additional threats posed while abroad.”
