APT28 hackers are leveraging NSA Hacking tool to spy on Hotels guests

According to FireEye, the notorious Russia-linked APT28 group is behind an ongoing campaign targeting hotels in several European countries.

According to FireEye, the notorious Russia-linked APT28 group (Pawn Storm, Fancy Bear, Sofacy, Sednit and Strontium) is behind an ongoing campaign targeting hotels in several European countries.

The researchers observed many attacks targeting the networks of hotels to gain access the devices of government and business travelers via the guest Wi-Fi.

The hackers targeted several companies in the hospitality sector, including hotels in seven European countries and at least one in the Middle Eastern country.

The attack chain starts with a spear phishing email sent to a hotel employee, the messages use weaponized document named “Hotel_Reservation_Form.doc.” The embedded macros decode a dropper that delivers the GameFish malware. Experts noticed that the backdoor is the same used by the APT28 in a recent campaign that targeted Montenegro after the state officially joined NATO alliance despite the strong opposition from Russian Government that threatened to retaliate.

Once the hackers accessed the target network, they used the NSA-linked EternalBlue SMB exploit for lateral movements. According to the malware researchers at FireEye, this is the first time APT28 hackers had used this NSA exploit.

“APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.” reads the analysis published by FireEye.

The APT28 hackers also used the open source penetration testing tool Responder for NetBIOS Name Service (NBT-NS) poisoning.

“Upon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder. Responder facilitates NetBIOS Name Service (NBT-NS) poisoning.

This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” continues FireEye.

The researchers reported details about an intrusion occurred in 2016, a user connected to a hotel’s Wi-Fi and 12 hours later APT28 hackers used stolen credentials to access his network and his Outlook Web Access (OWA) account.

This isn’t the first time hackers targeted travelers, the most important case is represented by the DarkHotel APT. The APT group targeted European hotels hosting participants in Iranian nuclear negotiations, and according to some reports, hackers spied on high-profile people visiting Russia and China.

“Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations,” FireEye said. “Business and government personnel who are traveling, especially in a foreign country, must often rely on less secure systems to conduct business than at their home office, or may be unfamiliar with the additional threats posed while abroad.”