Darkhotel APT hackers campaign 'followed' global CEOs using hotel networks

Chinese 'hotel crew' pwns networks for state surveillance

A state-backed espionage group has spent years targeting senior executives from large global companies using a specialised Advanced Persistent Threat (APT) that can follow and steal data from them as they move around the globe from hotel to hotel, Kaspersky has revealed.

Dubbed 'Darkhotel' by the security firm in honour of this ability, the campaign has a number of unusual characteristics but it is the ability to 'follow' people that is the most curious and appears to explain a number of attacks on hotel guests in recent years that were previously thought to be unconnected.

This is pretty precise targeting but on a huge scale. Targets connecting through hotel Wi-Fi were prompted to install malware disguised as legitimate updates, which was based on remotely compromising the hotel's web, admin and possibly, Kaspersky Lab speculates, back office hotel systems.

So the attackers knew the day their named target was going to connect through the target hotel network, plus their room number. They then deleted signs of the attack afterwards while still being able to reactivate it at a later date should that be necessary.

The payload was keylogging that set out to steal logins to a range of web services and any other passwords it can grab from browser caches and email clients. This was and is clearly a tool designed to boost intelligence-gathering elsewhere.

The attacks used forged and stolen certificates (hacked thanks to 'weak' 512 bit RSA keys) to make the malware appear genuine, as well as a range of Flash zero-day exploits, including ones designed to beat the better security built into Windows 8.1.

Beyond the targeting and the long time period of the attacks and malware development, the ability to attack certificates and wield zero-day flaws at will is a sure sign that the attackers have had state resources at their disposal.

Interestingly, despite some smarts, the sophistication level isn't always top drawer, which points towards China rather than the US or Russia. The victim list is another hint at that too.

"Overall, victims in our sinkhole logs and KSN data were found across the globe, with the majority in Japan, Taiwan, China, Russia, Korea and Hong Kong," (in that order) noted Kaspersky Lab's researchers.

US executives were on the list but far below the prevalence for targeting Japanese CEOs and managers. And the attackers seem to go after almost everyone with the right job title, with sectors hit including electronics, finance, manufacturing, pharma, cosmetics, chemicals, automotive, defence, law, military and even NGOs - the last one has been an obsession for Chinese actors.

The Darkhotel suite of malware tools - a clutch of Trojans including Tapaoux, pioneer, Karba, and Nemim - could be traced back to 2006 or 2007 but the hotel attacks seem to date from 2012, Kaspersky said.

"Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behaviour," said Kaspersky Lab's principal security researcher, Kurt Baumgartner.

"This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision."

Exactly why hotels were used to stage the attacks is not clear although it could be that the individuals are simply less well defended when they travel. Although Asian targets were foremost, the attackers could easily re-purpose the attacks to point at executives from other countries, he suggested.

The MO of following VIPs using hotels bookings is unusual but not unknown - in 2013 it was revealed that Britain's GCHQ has a software system that does just that for global diplomats. The idea that the same approach could be adapted for business leaders is no stretch.

Could it be defended against? Using a hotel's capitive portal, no. If that's compromised even a VPN or HTTPS connection can be undermined. For time time being, the only answer appears to be 3G/4G if such a thing is available or a publlic Wi-F system that steers away from hotel infrastructure.

Join the CSO newsletter!

Error: Please check your email address.

Tags Targetsecuritykaspersky lab

More about AdvancedAPTGCHQKasperskyRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E. Dunn

Latest Videos

More videos

Blog Posts