According to a report released today by U.S. cyber-security firm FireEye, APT28, a well-known Russian cyber-espionage group, has used the leaked NSA exploit known as ETERNALBLUE as part of a set of intrusions against hotels that began in July this year. Going after hotel guests through hotel networks is not a new idea: the DarkHotel group, named for exactly this tactic, carried out such attacks from 2011 until 2016.
FireEye says it found a malicious document named "Hotel_Reservation_Form.doc" sent in spear-phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country. "Successful execution of the macro within the malicious document results in the installation of APT28's signature Gamefish malware", FireEye says.
Researchers believe that the same group, which is widely held to be behind the 2016 breach of the Democratic National Committee, is now using leaked NSA hacking tools in its attacks. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks.
Although no guest credentials were observed being stolen at the compromised hotels, the researchers said that in previous cases APT28 has gained initial access to a victim's network via credentials likely stolen from a hotel Wi-Fi network.
In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. In the current campaign, once in control of the machines that run the hotel's Wi-Fi, APT28 deployed Responder, an open-source tool that answers the NetBIOS Name Service (NBT-NS) and LLMNR name-lookup broadcasts Windows machines send when a name fails to resolve, steering victims on the wireless network to the attacker's host. When a victim machine connects there, Responder's rogue SMB and HTTP servers prompt it to authenticate and capture the usernames and password hashes it sends. The group then used EternalBlue to spread to other machines across the hotel network. "This is the first time we have seen APT28 incorporate this exploit into their intrusions", the security firm wrote.
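Because Responder works by answering lookups for names that nobody legitimately owns, the simplest check for a poisoner on a hotel network is to ask for a hostname that cannot exist and see whether anyone answers. The following Python script is an added example, not code from FireEye's report or from Responder itself: the LLMNR message framing follows RFC 4795, the multicast group 224.0.0.252 and UDP port 5355 are the standard LLMNR ones, and the sample response it parses is constructed for the demo rather than captured from a real poisoner.

```python
"""Honey-query detector for LLMNR poisoners such as Responder (added example).

A random hostname cannot legitimately resolve, so any LLMNR answer for it
means something on the local link is poisoning name resolution.
"""
import random
import socket
import string
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355


def random_hostname(length=12):
    """A name that cannot legitimately resolve, e.g. 'qzkwprtmxvbs'."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def encode_name(name):
    """DNS-style label encoding: length-prefixed labels, 0x00 terminator."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_llmnr_query(name, txid):
    """LLMNR query: DNS-like header plus one question for an A record."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, off):
    """Decode a (possibly compressed) name at 'off'; return (name, next_off)."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:       # compression pointer to an earlier name
            ptr = ((length & 0x3F) << 8) | data[off]
            off += 1
            tail, _ = _read_name(data, ptr)
            labels.append(tail)
            break
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), off


def poisoned_addresses(response, txid, name):
    """IPv4 addresses a responder claims for 'name'; [] if not a matching answer.
    A non-empty result for a random name is the poisoning indicator."""
    if len(response) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not (flags & 0x8000) or an == 0:  # wrong id or not a reply
        return []
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        _, off = _read_name(response, off)
        off += 4                        # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        rname, off = _read_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4 and rname.lower() == name.lower():
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def constructed_poisoned_response(txid, name, ip):
    """Sample answer shaped like a poisoner's reply (constructed for the demo,
    not a capture): echoes the question, answers with a compressed-name A record."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe(timeout=2.0):
    """Live check: multicast one query for a bogus name and report who answers.
    Returns [(source_ip, [claimed_addresses]), ...]; an empty list means clean."""
    name, txid = random_hostname(), random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            claimed = poisoned_addresses(data, txid, name)
            if claimed:
                hits.append((src, claimed))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, claimed in probe():
        print(f"LLMNR poisoner at {src} answered a bogus name with {claimed}")
```

Run `probe()` from a laptop on the guest Wi-Fi; a hit names the host that answered, which is the machine to treat as hostile. The same idea applies to NBT-NS on UDP 137, and the durable fix on managed Windows hosts is to disable LLMNR and NBT-NS so there is nothing for Responder to answer.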
Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations.
This was the first time APT28 used ETERNALBLUE, but it is not the first time the group has targeted hotels. What is new in these incidents is the infection vector: pairing the exploit with Responder to harvest credentials from hotel Wi-Fi.
"Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while overseas", the researchers wrote. "Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible", they added.
"It is imperative that IT teams from all businesses across all industries ensure that the version of Windows that they are using is not vulnerable to EternalBlue and, if so, take the necessary steps to remediate it", he said.