Cyberespionage group targets traveling execs through hotel networks

The group infects the network access Web portals used by hotels and business centers to target specific guests

For the past four years a group of sophisticated hackers has compromised the networks of luxury hotels to launch malware attacks against corporate executives and entrepreneurs traveling on business in the Asia-Pacific region.

The cyberespionage group, which researchers from Kaspersky Lab dubbed Darkhotel, operates by injecting malicious code into the Web portals used by hotel guests to log in to the local network and access the Internet, typically by inputting their last name and room number.

The infections are typically brief and are meant to target only specific guests by prompting them to download trojanized updates for popular software applications. The rogue software updates deploy malware implants that then download and install digitally signed information-stealing programs.

"This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels," the Kaspersky Lab researchers said in a report released Monday. The attackers lie in wait until the travelers arrive and connect to the Internet, the researchers said.

After the victims check out of the hotel, the attackers disable the malicious code injected into the hotel's network portal and hide their tracks.

"Those portals are now reviewed, cleaned and undergoing a further review and hardening process," the Kaspersky researchers said.

The Darkhotel group is interesting because it uses a combination of both highly targeted and non-targeted, botnet-style attacks. The cracking of digital certificate keys, combined with the use of zero-day vulnerabilities, suggests a highly sophisticated team of developers. However, its command-and-control infrastructure is full of weak server configurations and basic mistakes, suggesting that a less skilled team is in charge of it.

"Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years," the Kaspersky Lab researchers said in a blog post.

The largest volume of attacks via hotel networks took place between August 2010 and 2013, but incidents were also recorded in 2014 and are currently being investigated.

The group, which is also known as Tapaoux, is believed to have been operating since at least 2007 and has also used other attack techniques over the years, including spear-phishing emails with attachments or links that exploited zero-day vulnerabilities in Flash Player and Internet Explorer, and the distribution of malware via poisoned downloads on peer-to-peer networks.

Most of the malicious components used by the Darkhotel attackers are signed with valid digital certificates, either duplicated certificates whose weak 512-bit RSA keys they cracked or certificates that they stole from their rightful owners.

The group's malware toolset includes a malware downloader; a keylogger; a Trojan program that gathers system information; an information stealer component that collects passwords stored in browsers and other sensitive data; and a file-infecting virus that spreads via USB drives and network shares. These tools are detected as Tapaoux, Pioneer, Karba and Nemim, among other names, the Kaspersky researchers said.

Over 90 percent of malware infections associated with the Darkhotel group were detected in Japan, Taiwan, China, Russia and Korea. However, infections were also found in the U.S., the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy and other countries.

The targets were from a wide array of industries, including electronics manufacturing, finance, pharmaceuticals and others. They also included individuals in defense and law enforcement.
