Fancy Bear aka APT28 - the notorious hacking group linked to the Russian government and allegedly responsible for the 2016 US election hacks - infected networks of at least seven European and one Middle Eastern hotel in last month.
The hacking group has been linked to the Russian government by several independent cybersecurity firms and is now apparently using the leaked NSA exploits to target hotels. Dumped online, the NSA hacking tool used by APT28 was part of the Shadow Brokers' initial data dump earlier this year, after which they started a subscription model. The group now only shares these stolen tools and exploits with those who pay for their monthly services.
According to FireEye, an American cybersecurity research firm, Fancy Bear has been using booby-trapped documents to hack hotels in an attempt to spy on their guests. While the firm hasn't named the hotels, they added that the hackers have only targeted international chains where "you would expect distinguished visitors to stay at."
"The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit."
FireEye explained the latest Fancy Bear campaign in a blog post published Friday. The alleged Russian hackers started the attack by sending a document that looked like a guest form to multiple companies in the hospitality industry. Embedded with macros, the document was designed to install "APT28’s signature GAMEFISH malware" on the victim's computer.
Once the target computer was infected, the hackers moved through hotel networks using ETERNALBLUE, one of the exploits that were stolen from the NSA and dumped by the Shadow Brokers in April. This is the same exploit that has been massively used since its leak, including in both the WannaCry and NotPetya ransomware outbreaks. "This is the first time we have seen APT28 incorporate this exploit into their intrusions," the security firm wrote.
Hotel networks are becoming a favorite among government hackers
For a long time now, state-backed hackers have focused their efforts on penetrating hotel networks to target their A-list guests. "Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself," researchers noted.
"Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad."
While it may be a first for Fancy Bear to use the NSA hacking tool, the group has targeted hotels in the past as well. In 2016, the group targeted a victim when they connected to a hotel WiFi network. Stealing their credentials, APT28 then logged into the target machine remotely using stolen credentials. "After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account," FireEye writes. "The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network."
However, APT28 isn't the only state-backed hacking group targeting hotels and their guests. The South Korean DarkHotel group targeting Asian hotels and Israeli spies' use of Duqu malware to hack into a hotel where attendees of the nuclear talks between Iran and others were staying are only some of the known cyber espionage campaigns focused on the hospitality industry.
