.gif)
'Darkhotel' targets CEOs using hotel Wi-Fi
Corporate executives travelling abroad in luxury hotels are the targets of a new 'Darkhotel' espionage campaign, according to a new report from security research firm Kaspersky.
Kaspersky Lab experts said they have researched the ‘Darkhotel’ espionage campaign for the last four years, following malicious hackers who have been stealing data from company executives while they stay in luxury hotels.
The hackers gain access to executives' computers when they connect to a hotel's wireless internet, the report said, and avoiding pursuing the same target twice.
According to Kaspersky,the group performs operations with surgical precision, obtaining all the valuable data they can from first contact, deleting traces of their work and "melting into the background" to await the next high profile individual.
The most recent travelling targets include top executives from the US and Asia doing business and investing in the APAC region; with CEOs, senior vice presidents, sales and marketing directors, and top R&D staff all targeted.
“For the past few years, Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior," Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said.
"This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.
Baumgartner said 'Darkhotel' maintains an effective intrusion set on hotel networks, providing ample access over the years to systems that were believed to be private and secure.
The attackers wait until after check-in when the victim connects to the hotel Wi-Fi network, submitting their room number and surname at login.
Once the user is in the compromised network, embedded iframes located within the login portals of the hotels are used to prompt them to download and install a backdoor that poses as one of several major software releases, including Google Toolbar, Adobe Flash and Windows Messenger.
The unsuspecting executive downloads this hotel ‘welcome package’, only to infect his or her machine with a backdoor - Darkhotel’s spying software.
Kaspersky said once on a system, the backdoor is used to further download more advanced stealing tools: a digitally-signed advanced keylogger, the Trojan ‘Karba’ and an information-stealing module, which then steals all keystrokes and hunts for private information, including cached passwords and login credentials.
Victims are targeted for sensitive information and confidential data - likely the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.
“The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools,” Mr Baumgartner said.
The attackers left a footprint in a string within their malicious code pointing to a Korean-speaking hacker, while the campaign has targeted thousands of victims worldwide, with 90 per cent of identified infections in Japan, Taiwan, China, Russia and Hong Kong, alongside smaller infection rates from victims in Germany, the USA, Indonesia, India, and Ireland.
Kaspersky Lab is currently working with relevant organisations to best mitigate the problem and says it recommends using a VPN when traveling, and to always regard software updates as suspicious. The company also says users should use two-factor authentication for e-mail and other confidential services.
For more information see Kaspersky's infographic, below.
Source : The Australian Business Review David Swan November 11th, 20014
