APT28 Mounts Spy Campaign Using Hotel Networks


As the last push of the summer travel season gets underway, an espionage campaign targeting the hospitality sector, likely by Russian actor APT28, is threatening high-value visitors to hotels throughout Europe and the Middle East.

According to FireEye, the effort dates back to July and involves several notable techniques, including harvesting credentials from Wi-Fi traffic, poisoning the NetBIOS Name Service (NBT-NS), and moving laterally with the EternalBlue SMB exploit.

APT28, also known as the US election-hacking group Fancy Bear, is likely affiliated with the Kremlin, and FireEye said that its hospitality-sector activity appears aimed at specific hotel guests rather than at the hotels themselves.

“Cyber-espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations,” FireEye noted in a blog. “Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad.”

FireEye said that it has “moderate confidence” in the attribution, based on the tools the bad actors are using. “[We have] uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry,” FireEye researchers explained in a blog. “Successful execution of the macro within the malicious document results in the installation of APT28’s signature GAMEFISH malware.”

The malicious document, Hotel_Reservation_Form.doc, installs a dropper. Once inside the network of a hospitality company, APT28 seeks out the machines that control both the guest and internal Wi-Fi networks and installs Responder, an open-source NBT-NS poisoning tool.

“Responder facilitates NetBIOS Name Service (NBT-NS) poisoning,” FireEye explained. “This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network.”
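The technique FireEye describes has a simple tell a defender can test for: a poisoner answers name queries for names that nobody on the segment owns. The script below is an added example, not FireEye's or Responder's code. It builds the same NBT-NS broadcast query a Windows host emits when it resolves an unknown name, parses positive name-query responses, and flags any host that claims a canary name that does not exist. The sample traffic is constructed inline rather than captured, and the canary name `FILESRV-CANARY`, the transaction ID and the 10.0.0.0/24 addresses are arbitrary choices.

```python
import socket
import struct

NBNS_PORT = 137
TYPE_NB, CLASS_IN = 0x0020, 0x0001
FLAGS_BCAST_QUERY = 0x0110   # RD + B: the broadcast name query a Windows host emits
FLAG_RESPONSE, RCODE_MASK = 0x8000, 0x000F

def encode_nbns_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: 15-byte padded name + suffix, nibbles -> 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))

def decode_nbns_name(encoded):
    """Inverse of encode_nbns_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(txid, name):
    """The broadcast query a victim sends when it resolves an unknown name."""
    header = struct.pack(">HHHHHH", txid, FLAGS_BCAST_QUERY, 1, 0, 0, 0)
    return header + b"\x20" + encode_nbns_name(name) + b"\x00" + struct.pack(">HH", TYPE_NB, CLASS_IN)

def build_name_response(txid, name, ip, flags=0x8500):
    """Positive response claiming `ip` owns `name`; used here only to construct sample traffic."""
    header = struct.pack(">HHHHHH", txid, flags, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)          # NB_FLAGS + NB_ADDRESS
    rr = struct.pack(">HHIH", TYPE_NB, CLASS_IN, 165, len(rdata)) + rdata
    return header + b"\x20" + encode_nbns_name(name) + b"\x00" + rr

def parse_name_response(data):
    """Parse an NBT-NS packet into txid, response/rcode bits and the (name, addrs) it asserts."""
    if len(data) < 12:
        raise ValueError("short NBT-NS packet")
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):                  # skip question entries: len, name, null, type+class
        off += 1 + data[off] + 1 + 4
    answers = []
    for _ in range(ancount):
        name_len = data[off]
        name, suffix = decode_nbns_name(data[off + 1:off + 1 + name_len])
        off += 1 + name_len + 1
        rr_type, _cls, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        addrs = []
        if rr_type == TYPE_NB:                # RDATA = repeated (2-byte NB_FLAGS, 4-byte NB_ADDRESS)
            addrs = [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
        answers.append({"name": name, "suffix": suffix, "ttl": ttl, "addrs": addrs})
    return {"txid": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "rcode": flags & RCODE_MASK, "answers": answers}

def detect_poisoners(canary, txid, observed):
    """observed: (src_ip, payload) pairs seen on UDP/137 after the canary query.
    Nobody owns the canary name, so a positive answer with our txid fingerprints a poisoner."""
    hits = []
    for src_ip, payload in observed:
        try:
            resp = parse_name_response(payload)
        except (ValueError, IndexError, struct.error):
            continue                          # truncated or malformed; ignore
        if not resp["is_response"] or resp["rcode"] != 0 or resp["txid"] != txid:
            continue
        if any(a["name"] == canary.upper() for a in resp["answers"]):
            hits.append(src_ip)
    return hits

def probe_segment(canary, txid=0x7A11, timeout=2.0):
    """Live check: broadcast the canary query and report every host that answers it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    observed = []
    try:
        sock.sendto(build_name_query(txid, canary), ("255.255.255.255", NBNS_PORT))
        while True:
            payload, (src, _port) = sock.recvfrom(576)
            observed.append((src, payload))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return detect_poisoners(canary, txid, observed)

# Constructed sample traffic (not a real capture): 10.0.0.7 legitimately answers a
# query for PRINTSRV; 10.0.0.66 answers our canary, which no host should own.
CANARY, CANARY_TXID = "FILESRV-CANARY", 0x7A11
SAMPLE_OBSERVED = [
    ("10.0.0.5", build_name_query(0x1234, "PRINTSRV")),
    ("10.0.0.7", build_name_response(0x1234, "PRINTSRV", "10.0.0.7")),
    ("10.0.0.66", build_name_response(CANARY_TXID, CANARY, "10.0.0.66")),
]

if __name__ == "__main__":
    print("suspected NBT-NS poisoners:", detect_poisoners(CANARY, CANARY_TXID, SAMPLE_OBSERVED))
```

On a live segment, `probe_segment("FILESRV-CANARY")` returns the addresses that answered a name nobody owns; run it from a guest-Wi-Fi client as well as from the internal network, since the campaign sits on the hosts that bridge both. The check is only a detection: the durable fix is to disable NetBIOS over TCP/IP (and LLMNR) by Group Policy, which removes the broadcast the poisoning depends on.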

To spread through the hospitality company’s network, APT28 is also using a version of the EternalBlue SMB exploit.

APT28 isn’t the only group targeting travelers.

“South Korea-nexus Fallout Team (aka Darkhotel) has used spoofed software updates on infected Wi-Fi networks in Asian hotels, and Duqu 2.0 malware has been found on the networks of European hotels used by participants in the Iranian nuclear negotiations,” FireEye said. “Additionally, open sources have reported for several years that in Russia and China, high-profile hotel guests may expect their hotel rooms to be accessed and their laptops and other electronic devices accessed.”
