Light has been shed on a specialized brand of cybercrime in the form of surveillance conducted through luxury hotel Wi-Fi, designed to spy on unwary business travelers.
According to research released by security firm Kaspersky, a cyberespionage campaign dubbed Darkhotel has been targeting the unwary for at least four years — and is still alive and kicking today.
Kaspersky says that individuals are targeted when they stay in luxury hotels, and that the targets include executives from the US and Asia traveling within the APAC region, whether they be CEOs, senior vice presidents, sales and marketing staff or R&D executives. Among victims identified by the security company were executives from the financial industry, pharmaceuticals and technology companies, as well as the military, police and contractors.
The security team also claim that the crew "never goes after the same target twice; they perform operations with surgical precision, getting all the valuable data they can from the first contact, deleting traces of their work and melting into the background to await the next high profile individual."
The Darkhotel campaigners maintain a steady, intrusive presence on hotel networks, waiting until a victim checks in to the hotel's Wi-Fi. The cybercriminal then sees the executive in the compromised network and tricks them into downloading and installing a backdoor which masquerades as an update for legitimate software, such as Google Toolbar, Adobe Flash or Windows Messenger. This "welcome package" then infects the victim's machine with spying software.
Once installed, the backdoor can be used to download additional tools, including keyloggers and information-stealing modules. Aside from stealing passwords and recording keystrokes, the hackers are able to lift sensitive corporate information. After this data is taken, the attackers delete their tools, hiding their presence, and go back to lurking and awaiting their next victim.
Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said:
"For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision."
Kaspersky is working with hotel chains to mitigate the threat, and suggests that traveling executives use a VPN and up-to-date security software, and treat updates as suspicious.