The Darkhotel hackers target business travelers
A group of hackers has been engaging in espionage over luxury hotel WiFi networks and launching malware attacks on corporate executives and entrepreneurs
The Darkhotel group targets business travelers
The cyber-espionage group, named Darkhotel by Kaspersky Lab, has repeatedly targeted executives traveling on business in the Asia-Pacific region, according to PCWorld. Darkhotel uploads malicious code to hotel Internet portals and waits for guests to log in to the network. After a guest enters their last name and room number, they are prompted to download a Trojan disguised as a software update. Once downloaded, the Trojan installs malware and begins to steal private information.
Kaspersky Lab researchers wrote in a report released on Monday that Darkhotel seems to know who is going to certain hotels and what time they will arrive, which suggests a combination of cyber-espionage and real-life spying. Interestingly, after targeted guests leave the hotels, the hackers disable the code uploaded to the network in an effort to hide evidence of their breach.
"This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels," Kaspersky Lab said, according to PCWorld.
Authorities find the Darkhotel group interesting because of its use of both highly specialized and crude infiltration techniques. Cracking digital certificate keys and the use of zero-day vulnerabilities – the exploitation of software vulnerabilities that programmers have not yet had time to address – point to the work of highly experienced developers. On the other hand, the command-and-control infrastructure is backed by weak server configurations and basic mistakes. This combination of advanced and basic hacking methods has led authorities to assume that different aspects of the job are performed by separate teams. Despite their inconsistent style, researchers expect the cyber attacks to continue.
"Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years," Kaspersky Lab said in a blog post, according to PCWorld.
The Darkhotel group has been operating for 7 years
The highest number of attacks took place between August 2010 and 2012, but other hotel network hacks discovered in 2014 are currently under investigation. The Darkhotel group, also known as Tapaoux, is believed to have started operations in 2007 and has used several hacking techniques over the last 7 years, including malware-injected downloads, zero-day vulnerabilities and phishing emails. The majority of attacks perpetrated by Darkhotel, however, use valid digital certificates that are either stolen or copies of certificates with weak 512-bit RSA keys, according to the news source.
The hackers use malware tools that include a keylogger, Trojans that gather system data, malware downloaders, USB-infecting viruses and other information-stealing programs, ZDNet reported.
Kaspersky noted several antivirus programs that will detect the infiltration tools used by the group, and also said that over 90 percent of malware infections caused by the Darkhotel group occurred in Italy, Greece, Pakistan, Lebanon, Serbia, Belgium, Mexico, Ireland, Germany, Indonesia, India, Hong Kong, the Philippines, South Korea, Kazakhstan, Singapore, the United Arab Emirates and the United States.
"Those portals are now reviewed, cleaned and undergoing a further review and hardening process," the Kaspersky researchers added, according to PCWorld.
Targets of the hacker group spanned all industries, from finance to pharmaceuticals, and even included individuals associated with defense and law enforcement. Chief executives, senior vice presidents, sales and marketing staff and R&D executives were all fair game.
"[Darkhotel] never goes after the same target twice; they perform operations with surgical precision, getting all the valuable data they can from the first contact, deleting traces of their work and melting into the background to await the next high profile individual," the Kaspersky team said, reported ZDNet.