Darkhotel APT hackers campaign 'followed' global CEOs using hotel networks

Chinese 'hotel crew' pwns networks for state surveillance

A state-backed espionage group has spent years targeting senior executives from large global companies using a specialised Advanced Persistent Threat (APT) that can follow and steal data from them as they move around the globe from hotel to hotel, Kaspersky has revealed.

Dubbed 'Darkhotel' by the security firm in honour of this ability, the campaign has a number of unusual characteristics but it is the ability to 'follow' people that is the most curious and appears to explain a number of attacks on hotel guests in recent years that were previously thought to be unconnected.

This is precise targeting on a large scale. Targets connecting through hotel Wi-Fi were prompted to install malware disguised as legitimate software updates, a lure made possible by remotely compromising the hotel's web and admin systems and possibly, Kaspersky Lab speculates, its back-office systems as well.

So the attackers knew the day their named target was going to connect through the target hotel network, plus their room number. They then removed traces of the attack afterwards while retaining the ability to reactivate it at a later date should that be necessary.

The payload was a keylogger that set out to steal logins to a range of web services and any other passwords it could grab from browser caches and email clients. This was, and is, clearly a tool designed to boost intelligence-gathering elsewhere.

The attacks used forged and stolen certificates (compromised thanks to 'weak' 512-bit RSA keys) to make the malware appear genuine, as well as a range of Flash zero-day exploits, including ones designed to bypass the improved security built into Windows 8.1.

Beyond the targeting and the long time period of the attacks and malware development, the ability to attack certificates and wield zero-day flaws at will is a sure sign that the attackers have had state resources at their disposal.

Interestingly, despite some smarts, the sophistication level isn't always top drawer, which points towards China rather than the US or Russia. The victim list is another hint at that too.

"Overall, victims in our sinkhole logs and KSN data were found across the globe, with the majority in Japan, Taiwan, China, Russia, Korea and Hong Kong," (in that order) noted Kaspersky Lab's researchers.

US executives were on the list but far below the prevalence for targeting Japanese CEOs and managers. And the attackers seem to go after almost everyone with the right job title, with sectors hit including electronics, finance, manufacturing, pharma, cosmetics, chemicals, automotive, defence, law, military and even NGOs - the last one has been an obsession for Chinese actors.

The Darkhotel suite of malware tools - a clutch of Trojans including Tapaoux, pioneer, Karba, and Nemim - could be traced back to 2006 or 2007 but the hotel attacks seem to date from 2012, Kaspersky said.

"Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behaviour," said Kaspersky Lab's principal security researcher, Kurt Baumgartner.

"This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision."

Exactly why hotels were used to stage the attacks is not clear although it could be that the individuals are simply less well defended when they travel. Although Asian targets were foremost, the attackers could easily re-purpose the attacks to point at executives from other countries, he suggested.

The MO of following VIPs using hotel bookings is unusual but not unknown - in 2013 it was revealed that Britain's GCHQ has a software system that does just that for global diplomats. The idea that the same approach could be adapted for business leaders is no stretch.

Could it be defended against? Not while connecting through a hotel's captive portal: if that portal is compromised, even a VPN or HTTPS connection can be undermined. For the time being, the only answer appears to be 3G/4G where it is available, or a public Wi-Fi system that steers clear of hotel infrastructure.
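Two of the points above, the forged certificates built on weak 512-bit RSA keys and the question of whether a tampered hotel portal can be spotted from the client side, lend themselves to a concrete check. The Go program below is an added example written for this page; it is not Kaspersky's code or anything from the Darkhotel toolset. It builds two self-signed certificates in memory as constructed sample data (a 2048-bit one standing in for the expected server certificate, and a 1024-bit one standing in for a weak interposed certificate, since recent Go releases refuse to generate keys as small as 512 bits) and runs a policy check over each: RSA modulus below an assumed 2048-bit threshold, a legacy signature hash, and mismatch against a pinned SPKI fingerprint. The threshold, the certificate names and the pin are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the smallest RSA modulus this check accepts. The forged
// certificates described in the article relied on 512-bit keys; anything
// below 2048 bits is treated as weak here (assumed policy threshold).
const MinRSABits = 2048

// spkiFingerprint returns the hex SHA-256 of the certificate's
// SubjectPublicKeyInfo, the value normally used for public-key pinning.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// AssessCert reports policy violations for a certificate presented at
// connection time: weak RSA modulus, weak signature hash, and mismatch
// against a pinned SPKI fingerprint (an empty pin disables the pin check).
func AssessCert(cert *x509.Certificate, pinnedSPKI string) []string {
	var issues []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		if bits := pub.N.BitLen(); bits < MinRSABits {
			issues = append(issues, fmt.Sprintf("weak RSA key: %d bits", bits))
		}
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA,
		x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		issues = append(issues, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	if pinnedSPKI != "" && spkiFingerprint(cert) != pinnedSPKI {
		issues = append(issues, "SPKI fingerprint does not match pin")
	}
	return issues
}

// selfSigned builds a self-signed certificate for the given common name and
// RSA key size. Constructed sample data for the example only.
func selfSigned(cn string, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Hypothetical host name; the "expected" cert is what the client pinned.
	expected, err := selfSigned("mail.example.test", 2048)
	if err != nil {
		panic(err)
	}
	// A 1024-bit cert stands in for the much weaker interposed certificate.
	interposed, err := selfSigned("mail.example.test", 1024)
	if err != nil {
		panic(err)
	}
	pin := spkiFingerprint(expected)
	fmt.Println("expected:  ", AssessCert(expected, pin))
	fmt.Println("interposed:", AssessCert(interposed, pin))
}
```

The check is deliberately independent of the chain verification a TLS client already performs: a captive portal that has injected its own trusted root passes ordinary chain validation, whereas a pinned SPKI fingerprint and a minimum key size still flag the substituted certificate.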


Stories by John E. Dunn
