Security Market Segment LS
Monday, 10 November 2014 20:52

VIDEO: Kaspersky Lab exposes cyber espionage in luxury hotels Featured


Russian IT security supremos, Kaspersky Lab, has exposed a four-year ‘Darkhotel’ espionage campaign by a ‘threat actor’ who is actively stealing information from top-level executives and who doesn’t pursue the same target twice.

It’s not just James Bond who gets spied upon in hotels, but selected corporate executives travelling abroad and staying in luxury hotels.

Kaspersky Lab’s SecureList security researchers, who are extremely active in uncovering major malware, virus, cybercrime and cyberterrorist threats, have discovered the ‘Parkhotel’ espionage campaign has lurked in the shadows for at least four years.

Even more worryingly, the group behind ‘Darkhotel’ avoids pursuing the same target twice and ‘performs operations with surgical precision, obtaining all the valuable data they can from first contact, deleting traces of their work and melting into the background to await the next high profile individual.’

Astoundingly for major corporations, Kaspersky Lab reports ‘the most recent travelling targets include top executives from the US and Asia doing business and investing in the APAC region; with CEOs, senior vice presidents, sales and marketing directors, and top R&D staff targeted.’

Kurt Baumgartner, Principal Security Research at Kaspersky Lab said: “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behaviour.”

“This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

So, how does the hotel attack work?

Kaspersky Lab explains that ‘the Darkhotel actor maintains an effective intrusion set on hotel networks, providing ample access over the years to systems that were believed to be private and secure.’

‘The attackers wait until after check-in when the victim connects to the hotel Wi-Fi network, submitting their room number and surname at login.’

‘Once the user is in the compromised network, embedded iframes located within the login portals of the hotels are used to prompt them to download and install a backdoor that poses as one of several major software releases, including Google Toolbar, Adobe Flash and Windows Messenger.’
‘The unsuspecting executive downloads this hotel ‘welcome package’, only to infect his machine with a backdoor - Darkhotel’s spying software.’

Then the truly stunning stuff happens!  

 Kaspersky Lab says that, ‘Once on a system, the backdoor is used to further download more advanced stealing tools: a digitally-signed advanced keylogger, the Trojan ‘Karba’ and an information-stealing module.’

‘These tools collect data about the system and the anti-malware software installed on it, stealing all keystrokes, and hunting for private information, including cached passwords and login credentials.’

‘Victims are targeted for sensitive information and confidential data - likely the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.’

The attackers are using spear-phishng emails with zero-day exploits to infiltrate organisations including ‘Defense Industrial Base (DIB), government and Non-Governmental Organisations (NGOs), very large electronics manufacturing, investment capital and private equity, pharmaceuticals, cosmetics and chemicals manufacturing offshoring and sales, automotive manufacturer offshoring services, automotive assembly, distribution, sales, and services, and law enforcement and military services.

There’s also sexual-content based malware being spread via Japanese p2p networks, part of a ‘large RAR archive that purports to offer sexual content, but installs a backdoor Trojan that allows attackers to perform a mass surveillance campaign’, with this ‘Darkhotel package downloaded over 30,000 times in less than six months.’

Baumgartner added “The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”

It appears the threat actor is Korean, due to a ‘footprint in a string within their malicious code pointing to a Korean-speaking actor’.

The campaign has targeted thousands of victims worldwide, with 90 per cent of identified infections in Japan, Taiwan, China, Russia and Hong Kong, alongside smaller infection rates from victims in Germany, the USA, Indonesia, India, and Ireland.
Kaspersky Lab says it is currently working with relevant organisations to best mitigate the problem. Kaspersky Lab’s products detect and neutralise the malicious programs and their variants used by the Darkhotel toolkit.
So, how does an executive - or anyone - reduce their exposure to attacks?

Kaspersky Lab says that, when traveling, any network, even semi-private ones in hotels, should be viewed as potentially dangerous.

To prevent this, Kaspersky Lab has the following tips:
- Choose a Virtual Private Network (VPN) provider – you will get an encrypted communication channel  when accessing public or semi-public Wi-Fi

- When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.

- Make sure your Internet security solution includes proactive defence against new threats rather than just basic antivirus protection

- Use two-factor authentication for e-mail and other confidential services.

- Use strong, unique passwords for each resource you access.
Kaspersky Lab’s SecureList site here has even more information and detail on the DarkHotel ‘APT’ or advanced persistent threat.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Alex Zaharov-Reutt

One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows. Visit Alex at Twitter here.



Recent Comments