
Russian APT28 ‘Hacking Hotels To Steal Guests’ Passwords’

APT28, the Russian-linked hacking group also known as Fancy Bear, has been implicated in a scheme to steal information from travellers using hotels’ Wi-Fi connections.

Researchers said the group, best known for allegedly hacking the Democratic National Congress (DNC) during last year’s US presidential election campaign, used the notorious EternalBlue exploit to help spread its Wi-Fi malware.

NSA exploit

EternalBlue is amongst the exploits believed to have been developed by the US National Security Agency (NSA) for surveillance purposes and was leaked by the Shadow Brokers hacker group in April. In May it was used to spread the WannaCry ransomware and the following month the NotPetya malware.

The exploit allows malware to spread by exploiting flaws found in older versions of Windows, specifically Windows’ implementation of the Server Message Block (SMB) protocol.

Since at least July of this year APT28 is believed to have targeted companies in the hotel sector across Europe and the Middle East with malicious emails that include an infected Microsoft Word document, security firm FireEye said.

When a malicious macro found in the document is successfully run it installs malware called Gamefish, which FireEye described as APT28’s “signature” code. The document was found in emails sent to hotels in at least seven European countries and one Middle Eastern country in early July, FireEye said.

APT28 then uses a version of EternalBlue to spread Gamefish across the target company’s network.

“This is the first time we have seen APT28 incorporate this exploit into their intrusions,” FireEye said in an advisory. “APT28’s already wide-ranging capabilities and tactics are continuing to grow and refine as the group expands its infection vectors.”

Password theft

The campaign involves deploying an open-source tool called Responder, which facilitates an attack that tricks a user’s computer into sending its username and hashed password to the attacker. The hashed password can then be cracked offline and used to access the user’s systems.
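As an added, defender-side example (not code from the article, FireEye or the Responder project): a Python probe that turns the weakness Responder relies on against it. It multicasts an LLMNR query for a random name that no host can own; on a clean network nothing answers, so any reply identifies a poisoner's address. The `probe-` naming scheme, the function names and the constructed sample reply are assumptions.

```python
import os, socket, struct

# LLMNR (RFC 4795) reuses the DNS message format on UDP 5355, multicast 224.0.0.252.
# Responder poisons LLMNR (among other name-resolution protocols) by answering every query.
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """One-question LLMNR query for an A record of name."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_answer(name: str, txid: int, ip: str) -> bytes:
    """Constructed reply in the shape a poisoner sends: echoes the question, answers with ip."""
    return (struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + encode_name(name)
            + struct.pack("!HH", 1, 1) + b"\xc0\x0c"            # pointer to the question name
            + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip))

def parse_answer(data: bytes, txid: int):
    """Return (answered_name, ipv4) if data is a positive A answer to our txid, else None."""
    if len(data) < 12: return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or qd != 1 or an < 1: return None
    off, labels = 12, []
    while data[off]:                                  # walk the echoed question name
        n = data[off]; labels.append(data[off + 1:off + 1 + n].decode()); off += 1 + n
    off += 5                                          # terminator + QTYPE + QCLASS
    if data[off] & 0xC0 == 0xC0: off += 2             # compressed name in the answer
    else:
        while data[off]: off += 1 + data[off]         # uncompressed name in the answer
        off += 1
    rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10]); off += 10
    if rtype != 1 or rdlen != 4: return None
    return ".".join(labels), socket.inet_ntoa(data[off:off + 4])

def probe_for_poisoner(timeout: float = 2.0):
    """Query the group for a name that cannot exist (hypothetical probe- scheme); any answer is a poisoner."""
    name, txid = "probe-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None                               # nothing answered: no poisoner seen
    hit = parse_answer(data, txid)
    return (src, hit[1]) if hit and hit[0].lower() == name.lower() else None
```

Run `probe_for_poisoner()` from a host on the suspect segment; a `(source_address, answered_ip)` tuple means something answered a name it cannot legitimately own.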

In a separate incident last autumn FireEye said APT28 gained access to a user’s systems with credentials likely to have been stolen using Responder via a hotel’s Wi-Fi network. In that attack, APT28 logged into the system 12 hours after the user accessed the hotel Wi-Fi network, possibly using the intervening time to crack a hashed password offline.

In the autumn 2016 attack APT28 deployed tools on the user’s machine, spread malware across the network and accessed the user’s Outlook Web Access (OWA) account, FireEye said.

The firm noted that other groups, such as the South Korea-based Fallout Team, otherwise known as DarkHotel, are also targeting travellers in hotels. But it said the incidents are unrelated, being carried out by two separate groups, each apparently representing the interests of their own country’s governments.

FireEye recommended travellers take extra security precautions when in foreign countries and avoid publicly accessible Wi-Fi networks when possible.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
