It can be kind of creepy walking into a dark hotel room when you don’t know where the lights are. But a new espionage campaign that’s been lurking in the shadows for at least four years is even creepier.
Dubbed “Darkhotel,” the campaign has been stealing sensitive data from corporate executives, typically from the U.S. and Asia, while they travel abroad. The Kaspersky Lab Global Research and Analysis Team just issued a report on the cyber-espionage operation, which reportedly never goes after the same target twice and deletes all traces of its work.
“For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior,” said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab. “This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”
How Darkhotel Works
Here’s how Darkhotel works: The attackers maintain a foothold on hotel networks in order to reach systems that travelers assume are secure and private. After the target connects to the hotel Wi-Fi network with his last name and room number, the attackers trick the target into downloading and installing a backdoor by disguising malware as legitimate software, such as Windows Messenger or Adobe Flash. When the target downloads the hotel “welcome package,” it infects the machine with the spy software.
After the software is installed, the attackers use the backdoor to download more malware, including a digitally signed advanced keylogger, the Trojan Karba, and an information-stealing module. Together these collect data about the system and any anti-malware software installed, log all of the victim’s keystrokes, and even hunt for cached passwords and social media log-in credentials. After they get what they need, the attackers silently delete their malware and move on.
“The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high-profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools,” said Baumgartner.
The Real Danger
Ken Westin, a security analyst from advanced cyber threat protection firm Tripwire, told us he tries to avoid using hotel Wi-Fi because hotels are target-rich environments for attackers to set up fake wireless networks.
“I have found that, in general, a lot of hotels fail to implement best practices when securing their Wi-Fi networks. I prefer to travel with a hotspot for Internet access and even then use a secure VPN,” he said. “Executives need to be particularly wary, especially when traveling overseas or attending conferences which announce their presence. Attackers targeting a specific person or industry may be present seeking ways to steal intellectual property, or other information that can benefit another company in business deals and provide an unfair advantage.”
Three Ways To Protect Yourself
Kaspersky agreed that any network you come upon while traveling, even semi-private ones in hotels, should be viewed as potentially dangerous. The good news, the firm offered, is that you can prevent these types of attacks in three ways:
1. Choose a virtual private network (VPN) provider that will offer you an encrypted communication channel when accessing public or semi-public Wi-Fi.
2. When you are traveling, always consider software updates with suspicion. Also, confirm that the proposed update installer is signed by its vendor. If in doubt, wait until you can make that confirmation.
3. And, finally, make sure your Internet security solution includes proactive defense against new threats rather than just basic antivirus protection.
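The second recommendation, confirming that an installer is signed by its vendor, can be scripted on Windows. The following PowerShell function is an added example, not code from the article or from Kaspersky; the file path and the expected publisher name are placeholders you would substitute for the download in question.

```powershell
# Added example: reject an "update" installer unless it carries a valid
# Authenticode signature AND the signer is the vendor you expected.
# Assumptions: $Path and $ExpectedPublisher are placeholders supplied by the caller.

function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # e.g. 'Adobe', matched against the certificate subject
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = 'file not found' }
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Anything other than Valid (NotSigned, HashMismatch for a tampered file,
    # NotTrusted or UnknownError for a chain Windows cannot verify) means "do not run".
    if ($sig.Status -ne 'Valid') {
        $verdict = 'REJECT'; $reason = "signature status is $($sig.Status)"
    }
    # A valid signature from the wrong signer is still a red flag: the article
    # notes that Darkhotel's keylogger was itself digitally signed, so chain
    # validity alone says nothing about whether the vendor shipped this file.
    elseif ($subject -notlike "*$ExpectedPublisher*") {
        $verdict = 'REJECT'; $reason = "signed by '$subject', expected publisher '$ExpectedPublisher'"
    }
    else {
        $verdict = 'OK'; $reason = "valid signature from '$subject'"
    }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Verdict = $verdict
        Reason  = $reason
    }
}

# Usage with placeholder values: the file the hotel portal offered as a "Flash update".
Test-InstallerSigner -Path 'C:\Users\traveler\Downloads\flash_update.exe' -ExpectedPublisher 'Adobe' | Format-List
```

If the verdict is anything but OK, follow the article's advice and wait until you can verify the installer through the vendor's own channel rather than the hotel network.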