Cyber criminals target corporate executives while they are travelling to steal sensitive data, researchers at security firm Kaspersky Lab have revealed.
The researchers uncovered a cyber espionage campaign, which they believe has been active for the past four years, focusing on C-level executives connecting to corporate data using hotel Wi-Fi networks.
Dubbed “Darkhotel”, the espionage campaign infects hotel networks with spying software that in turn infect the computers of targeted executives as soon as they connect to the hotel Wi-Fi network.
The executives are tricked into installing information-stealing malware by disguising it as an update for legitimate software such as Adobe Flash or Windows Messenger.
The Darkhotel malware is designed to search the targeted executives’ computers for sensitive corporate data as well as cached passwords and login credentials.
The malware can record keystrokes to steal passwords as they are entered by executives accessing corporate IT systems.
How to defend against Darkhotel
- Use a Virtual Private Network (VPN) to get an encrypted communication channel when accessing public or semi-public Wi-Fi;
- When travelling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.
- Make sure your Internet security solution includes proactive defence against new threats rather than just basic antivirus protection.
The cyber criminals behind Darkhotel do not go after the same target twice and perform operations with “surgical precision” to get valuable data from the first contact, the researchers have found.
After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding, the researchers have found.
The most recent targets of Darkhotel include top executives from the US and Asia conducting business and investing in the Asia-Pacific region.
Research and development staff have also been targeted by the still-active cyber espionage campaign, warned Kaspersky Lab.
“For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behaviour,” said Kurt Baumgartner, principal security researcher at Kaspersky Lab.
“This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision,” he said.
More on cyber espionage
- Researchers uncover sophisticated cyber espionage campaign
- US charges Chinese military officers with cyber espionage
- UK among targets of 'Mask' advanced cyber espionage campaign
- NSA involved in industrial espionage, says Snowden
- Researchers uncover Indian cyber espionage network
- Researchers uncover advanced cyber espionage campaign
- Targeted cyber espionage on the increase, McAfee warns
- IT manufacturers fight cyber espionage risks in the supply chain
- Norway’s Telenor hit by cyber espionage campaign
- Security Think Tank: Five steps to protect IP from cyber espionage
However, Baumgartner said Darkhotel malicious activity can be inconsistent, spreading the malware indiscriminately alongside highly targeted attacks.
“The mix of targeted and indiscriminate attacks is becoming more and more common in the advanced persistent threat APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as carrying out distributed denial of service (DDoS) attacks against hostile parties or simply upgrading interesting victims to more sophisticated espionage tools,” he said.
According to Kaspersky Lab, any network, even semi-private ones in hotels, should be viewed as potentially dangerous.
The security firm said it is working with hotel chains to mitigate the threat and has updated its products to detect and neutralise the malicious software used by the Darkhotel operation.