A Russian government-sponsored cyber-espionage group has been accused of using a leaked NSA hacking tool in attacks against one Middle Eastern and at least seven European hotels in order to spy on guests.
Why reinvent the wheel, or a hacking tool, when the NSA created such an effective one? The NSA’s EternalBlue was leaked online by the Shadow Brokers in April. Now the security firm FireEye says it has a “moderate confidence” that Fancy Bear, or APT28, the hacking group linked to the Russian government and accused of hacking the Democratic National Committee last year, added EternalBlue to its arsenal in order to spy on and to steal credentials from guests at European and Middle Eastern hotels.
In a campaign aimed at the hospitality industry, attackers leveraged a malicious document in spear-phishing emails. The “hostile hotel form,” which Microsoft Threat Intelligence Center General Manager John Lambert tweeted about in July, appeared to be a hotel reservation document. If macros were allowed to run on the computers used by the hotel employees who opened it, then Fancy Bear’s Gamefish malware would be installed.
Fancy Bear, according to a report by FireEye, used “novel techniques involving the EternalBlue exploit and the open-source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks.”
The Gamefish malware would download and run EternalBlue to spread to computers that were connected to corporate and guest Wi-Fi networks. After gaining access, Fancy Bear deployed Responder, which listens for “broadcasts from victim computers attempting to connect to network resources.” Responder, FireEye explained, “masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine.”
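The name-resolution poisoning FireEye describes relies on a victim broadcasting a name and trusting whoever answers, so a defender can turn the same mechanism around: ask the network for a name no legitimate host owns, and anything that replies is a poisoner. The Python probe below is an added example, not FireEye’s analysis or Responder’s code; it covers LLMNR only (Responder also answers NBT-NS and mDNS), assumes IPv4, and the fake_poisoner_response function builds a constructed sample reply so the parser can be exercised offline.

```python
import random, socket, struct

def build_llmnr_query(name, txid):
    """Encode a standard A-record LLMNR query; RFC 4795 reuses the DNS wire format."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)          # flags=0: query, QDCOUNT=1
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)    # QTYPE=A, QCLASS=IN

def _skip_name(packet, pos):
    """Advance past a DNS-style name, either a label sequence or a compression pointer."""
    if packet[pos] & 0xC0 == 0xC0:
        return pos + 2
    while packet[pos]:
        pos += packet[pos] + 1
    return pos + 1

def parse_llmnr_answers(packet, txid):
    """IPv4 addresses a responder asserts for our txid; empty if this is not such a reply."""
    hdr = struct.unpack(">HHHHHH", packet[:12]) if len(packet) >= 12 else None
    if not hdr or hdr[0] != txid or not hdr[1] & 0x8000:           # short, wrong txid, or not QR=1
        return []
    pos, addrs = _skip_name(packet, 12) + 4, []                    # skip echoed question (QDCOUNT=1)
    for _ in range(hdr[3]):                                        # ANCOUNT resource records follow
        pos = _skip_name(packet, pos)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", packet, pos)
        if rtype == 1 and rdlen == 4:                              # A record: the poisoner's address
            addrs.append(socket.inet_ntoa(packet[pos + 10:pos + 14]))
        pos += 10 + rdlen                                          # past the RR header and RDATA
    return addrs

def fake_poisoner_response(query, ip):
    """Constructed sample of a poisoner's reply: it claims whatever name was asked for."""
    header = query[:2] + struct.pack(">HHHHH", 0x8000, 1, 1, 0, 0)  # same txid, QR=1, ANCOUNT=1
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer

def probe_for_poisoner(timeout=2.0):
    """Ask the LLMNR multicast group about a name nobody owns; any answer is a suspect."""
    txid = random.randrange(1, 0xFFFF)
    query = build_llmnr_query("probe-%08x" % random.getrandbits(32), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, ("224.0.0.252", 5355))                      # LLMNR group and port
        try:
            data, (src, _) = s.recvfrom(1024)
        except socket.timeout:
            return None                                            # silence is the healthy result
    addrs = parse_llmnr_answers(data, txid)
    return (src, addrs) if addrs else None
```

Running probe_for_poisoner() on a hotel or corporate segment should return None; a (source, addresses) hit means something on the link is answering for names it cannot legitimately own.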
“It’s definitely a new technique” for Fancy Bear, FireEye’s cyber-espionage researcher Ben Read told Wired. “It’s a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.”
While FireEye didn’t observe business travelers’ credentials being stolen via hotel Wi-Fi networks in July, the security firm cited a similar hotel attack by Fancy Bear in 2016.
In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network.
The latest hotel attacks, FireEye added, are “the first time we have seen APT28 incorporate this exploit [EternalBlue] into their intrusions.” While the investigation is still going on, FireEye told Reuters it is “moderately confident” that Fancy Bear is behind the attacks. “We just don't have the smoking gun yet.”
The targeted hotels were not named, but they were described as the type where valuable guests would stay. FireEye told Wired, “These were not super expensive places, but also not the Holiday Inn. They’re the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business.”
FireEye wants travelers, such as business and government personnel, to be aware of threats such as having their information and credentials passively collected when connecting to a hotel’s Wi-Fi. While traveling abroad, high-value targets should “take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.”
Wired suggested the safest approach for travelers is to bring their own hotspot and altogether skip connecting to the hotel’s Wi-Fi.