Travellers beware! Do not open the back door to the Darkhotel.
via Flickr © andrewrennie (CC BY-SA 2.0)
Not only are guests routinely ripped off by the extortionate and disproportionate prices some hotels charge for slow and limited Internet access, but they could also fall victim to a sophisticated espionage toolkit that uses the hotel's own WiFi network to trick travellers into installing a backdoor and spyware.
A new report from Kaspersky Lab reveals that senior executives who travel a lot on business (and which of them doesn't?) are the target group of a long-running campaign by attackers who are out to steal intellectual property and sensitive or secret business information. They do it by conning individuals into installing well-disguised malicious software known as "Darkhotel."
Kaspersky's Global Research and Analysis Team spent four years tracking what is known as an Advanced Persistent Threat (APT). Kurt Baumgartner, principal security researcher at Kaspersky Lab, warns that the Darkhotel toolkit goes "well beyond typical cyber-criminal behaviour" and adds that the hackers are clever, punctilious, very careful and incredibly stealthy in how they mount and disguise their attacks.
Mr. Baumgartner says this "elite hacking crew" never strikes the same victim twice: the attackers gather all the data they can in a very short time immediately after first contact and then leave the hotel network without a trace that they were ever there.
He adds, "For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cyber-criminal behaviour. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision."
A Darkhotel attack begins when a guest first connects to the hotel's WiFi network. Once the unwitting individual is online, the compromised hotel network presents a prompt to install what looks, to all intents and purposes, like a legitimate update for software such as Adobe Flash, Google Toolbar or Windows Messenger. The "update" is in fact a backdoor, and it carries a fraudulently obtained code-signing certificate so that the operating system raises no alarm.
Once the backdoor is installed, it pulls down further components from a comprehensive toolkit (a keylogger, a trojan and a module designed to steal data, among others). These modules then hunt through the machine's memory, services and applications looking for cached passwords and login details. It is grimly efficient, harvesting credentials held by Chrome, Firefox, Internet Explorer, Gmail Notifier, Google, Facebook, Twitter and Yahoo.
Little is known about the team behind the design and proliferation of the Darkhotel toolkit, other than that the individuals involved appear to be Korean speakers operating from an unknown location.
A strange and murky threat
Kaspersky Lab says the toolkit works "with surgical precision" and that the group has repeatedly compromised hotel networks that guests would reasonably regard as private and secure. The research report describes Darkhotel as an "unusually murky, long-standing and well-resourced threat actor exhibiting a strange combination of characteristics."
Unsurprisingly, the Darkhotel toolkit is being used to target senior executives from the US, Europe and Asia. It is most prevalent in Asia, where for some seven years it has been lurking on the networks of a large number of five-star hotels. When attacks are discovered (and few are), the victims are most often found in countries including China, Japan and Russia.
Kaspersky Lab, which sells products that can both detect and neutralise the programs used by the Darkhotel toolkit, advises all executives in general, and those travelling in Asia in particular, to be especially wary of insecure networks and always to regard hotel networks as suspect and probably dangerous.
The company also recommends that, when travelling, executives take a different, stripped-down version of the device and software they would normally use at home base, to minimise the chances of infection and the theft of sensitive data.
Kaspersky Lab further advises that travelling executives should not install software updates prompted while they are on the road (an unexpected update prompt on a hotel network is exactly the lure Darkhotel uses), and that they should use a trusted VPN and encrypted communication channels when connecting to public or even supposedly private WiFi networks.
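The "fake update" lure described above works because the victim has no way, on a hostile network, to tell a vendor's genuine installer from a substituted one. The defence is to pin the vendor's signing key on the device before travel and refuse any installer whose manifest does not verify against it. The following Go program is an added illustration of that check; it is not code from Kaspersky's report or from any vendor's updater. It assumes a vendor that publishes an Ed25519-signed manifest (version string plus SHA-256 of the installer) alongside each release, and the installer bytes and keys are constructed inline so that it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when the manifest was not signed by the pinned
// vendor key: either a forged manifest (attacker's key) or a tampered one.
var ErrBadSignature = errors.New("update rejected: manifest signature does not verify against pinned vendor key")

// ErrBadDigest is returned when the manifest is genuine but the installer
// bytes are not the ones the vendor signed, i.e. the file was swapped in transit.
var ErrBadDigest = errors.New("update rejected: installer digest does not match signed manifest")

// Manifest is the metadata a vendor would publish next to an installer
// (assumed format for this example): a version, the installer's SHA-256 and a
// detached Ed25519 signature over both.
type Manifest struct {
	Version string
	Digest  [32]byte
	Sig     []byte
}

// signedMessage binds the version string to the digest so that an attacker
// cannot re-use a genuine signature under a different version label.
func signedMessage(version string, digest [32]byte) []byte {
	return append([]byte("update-v1|"+version+"|"), digest[:]...)
}

// SignManifest is the vendor-side step, included only so the example is
// self-contained; the private key never exists on the traveller's laptop.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	d := sha256.Sum256(installer)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, signedMessage(version, d))}
}

// VerifyUpdate is the client-side check. The pinned public key must come
// from the original install or an out-of-band channel, never from the
// network the laptop is currently connected to.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, signedMessage(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(installer) != m.Digest {
		return ErrBadDigest
	}
	return nil
}

func main() {
	// Constructed sample data: a vendor key pair pinned on the device and a
	// separate key pair belonging to the attacker on the hotel network.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil)
	_, attackerPriv, _ := ed25519.GenerateKey(nil)

	genuine := []byte("constructed: genuine flash-player-update.exe bytes")
	trojan := []byte("constructed: backdoor dressed up as flash-player-update.exe")

	m := SignManifest(vendorPriv, "15.0.0.152", genuine)
	fmt.Println("genuine installer, genuine manifest:", VerifyUpdate(vendorPub, m, genuine))

	// Darkhotel-style substitution: the network hands out the real manifest
	// but a swapped binary.
	fmt.Println("swapped installer, genuine manifest:", VerifyUpdate(vendorPub, m, trojan))

	// The attacker instead forges a manifest for the trojan with their own key.
	forged := SignManifest(attackerPriv, "15.0.0.152", trojan)
	fmt.Println("swapped installer, forged manifest: ", VerifyUpdate(vendorPub, forged, trojan))
}
```

The order of the two checks matters less than the fact that both run before anything is executed; a real updater would also refuse to downgrade below the installed version and would fetch the manifest over TLS, but neither of those would have stopped a substitution on a network the attacker controls, which is why the pinned key is the load-bearing part.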
The report also reveals that Darkhotel, although it always has specific individuals in its sights, does not confine itself to targeted attacks: alongside them it runs indiscriminate, botnet-style operations.
Kurt Baumgartner again: "The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high-profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoS-ing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools."
Interesting, but not much of a comfort, is it? In fact, the whole thing is downright scary.