Security Experts:

Connect with us

Hi, what are you looking for?



Russian Cyberspies Target Hotels in Europe

A notorious Russia-linked hacker group specializing in cyber espionage is believed to be behind an ongoing campaign targeting hotels in several European countries.

A notorious Russia-linked hacker group specializing in cyber espionage is believed to be behind an ongoing campaign targeting hotels in several European countries.

FireEye has linked the attacks with moderate confidence to APT28, a threat actor also known as Pawn Storm, Fancy Bear, Sofacy, Sednit and Strontium. The group is believed to have launched numerous high-profile attacks, including a campaign targeting last year’s presidential election in the United States.

While the recent attacks have targeted the networks of hotels, the security firm says there is some indication that the hackers may actually be looking to access the devices of government and business travelers via the guest Wi-Fi provided by these hotels.

FireEye has seen attacks targeting several companies in the hospitality sector, including hotels in seven European countries and one Middle Eastern country.

The attacks start with a spear phishing email sent to a hotel employee. The emails carry a document named “Hotel_Reservation_Form.doc,” which uses macros to decode a dropper that deploys GameFish, a piece of malware known to be used by APT28. This backdoor was used recently in a campaign launched by the threat group against Montenegro just as the country had been preparing to join NATO.

Once they gained access to the targeted hotel’s network, the hackers used the NSA-linked EternalBlue SMB exploit, which was also involved in the recent WannaCry and NotPetya outbreaks, to move laterally within the network. Researchers said this was the first time the group had used this exploit.

The cyberspies also used Responder, an open source penetration testing tool developed by Laurent Gaffie of SpiderLabs. They leveraged Responder for NetBIOS Name Service (NBT-NS) poisoning.

“This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” FireEye researchers explained.

In one incident that occurred in 2016, a user connected to a hotel’s Wi-Fi and 12 hours later their device was accessed by APT28 using stolen credentials. The attackers started moving through the victim’s network and accessed their Outlook Web Access (OWA) account.

While these attacks can be carried out remotely, in this case the attacker appeared to be on the same network and physically close to the victim.

Kaspersky reported recently that APT28 has been using two zero-day vulnerabilities in targeted attacks, and it has started experimenting with new macro techniques.

These are not the only attacks apparently aimed at travelers. Other campaigns include DarkHotel, which some have linked to South Korea, Duqu 2.0, targeting the networks of European hotels hosting participants in Iranian nuclear negotiations, and according to some reports, high-profile people visiting Russia and China may have their devices accessed.

“Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations,” FireEye said. “Business and government personnel who are traveling, especially in a foreign country, must often rely on less secure systems to conduct business than at their home office, or may be unfamiliar with the additional threats posed while abroad.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...