FireEye researchers believe a group linked to the Russian government and US election hacks, APT28, is targeting hotels in Europe and the Middle East.
A notorious group of Russian hackers is targeting hotel guests in Europe and the Middle East.
Researchers at security firm FireEye on Friday warned that hacking group APT28 is using a tool known to sniff user passwords from Wi-Fi traffic. They access hotel networks via spear phishing emails with attachments that might seem legitimate at first glance (Hotel_Reservation_Form.doc). But “successful execution of the macro within the malicious document results in the installation of APT28’s signature Gamefish malware,” FireEye says.
The malicious emails, which date back to at least July, have been sent to hotels in “at least seven European countries and one Middle Eastern country,” FireEye writes in a blog post. APT28 (aka Fancy Bear) is linked to the Russian government and US election hacks.
Once on a hotel machine, the malware spreads across the network using a version of the EternalBlue exploit. If that name sounds familiar, it’s because it was the same one used in the recent WannaCry ransomware attacks. EternalBlue and other NSA hacking tools were leaked online last year by a group known as the Shadow Brokers, putting these powerful tools in the hands of anyone able to use them.
Once inside a network, the hackers seek out machines that control the hotel’s guest and internal Wi-Fi networks. Upon gaining access to these machines, the hackers deploy other tactics to steal usernames and hashed passwords that give them greater access to the victim network.
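The spread described in the two paragraphs above (EternalBlue exploiting SMB on port 445, then the attackers moving toward the machines that control the Wi-Fi) leaves a recognisable trace: one internal host suddenly opening SMB connections to many other hosts in a short window. The script below is an added example written for this article, not FireEye's code or anything from their report. It assumes a simple constructed connection-log format (`timestamp src_ip dst_ip dst_port`, one record per line) and flags any source that reaches a threshold of distinct SMB targets inside a sliding time window. The log lines and addresses are made up for the demonstration.

```python
"""Flag SMB fan-out (EternalBlue-style lateral movement) in connection logs.

Added illustration for this article; the log format, thresholds and all
addresses below are constructed, not taken from any real hotel network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, destination IP, destination port.
# 10.20.1.15 touches six different hosts on TCP/445 within about ten seconds,
# the pattern a worm-like SMB exploit produces; 10.20.1.30 is ordinary traffic.
SAMPLE_LOG = """\
2017-07-10T09:00:01 10.20.1.15 10.20.1.2 445
2017-07-10T09:00:03 10.20.1.15 10.20.1.3 445
2017-07-10T09:00:04 10.20.1.15 10.20.1.4 445
2017-07-10T09:00:06 10.20.1.15 10.20.1.5 445
2017-07-10T09:00:07 10.20.1.15 10.20.1.6 445
2017-07-10T09:00:09 10.20.1.15 10.20.1.7 445
2017-07-10T09:05:00 10.20.1.30 10.20.1.2 445
2017-07-10T09:30:00 10.20.1.30 10.20.1.9 443
2017-07-10T10:00:00 10.20.1.15 10.20.1.8 445
"""

SMB_PORT = 445  # EternalBlue exploits SMBv1, which listens on TCP/445


def parse_line(line):
    """Parse one log record; return None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(fields[0]),
            "src": fields[1],
            "dst": fields[2],
            "dport": int(fields[3]),
        }
    except ValueError:
        return None


def find_smb_fanout(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: max distinct SMB targets seen within `window`}
    for every source that reaches `threshold` distinct targets."""
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["dport"] == SMB_PORT:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each window is a contiguous slice
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} distinct SMB targets within 5 minutes")
```

Tune `threshold` and `window` to the network: a file server legitimately talks to many clients, but a guest-network workstation or a front-desk PC normally has no reason to open SMB sessions to a handful of peers in seconds. Detection like this is a complement to, not a substitute for, patching the SMBv1 flaw EternalBlue relies on (MS17-010) and disabling SMBv1 where it is not needed.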
“No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network,” FireEye warned. In that case, the victim was compromised after connecting to a hotel Wi-Fi network.
“Travelers must be aware of the threats posed when traveling—especially to foreign countries—and take extra precautions to secure their systems and data,” FireEye wrote. “Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.”