IHG attackers phished employee to deploy destructive wiper

A couple from Vietnam who claim to be behind a destructive wiper cyber attack on hotel operator IHG told the BBC how they orchestrated their operation

The attackers who broke into the systems of multinational hospitality operator IHG Hotels & Resorts at the beginning of September 2022 have claimed they attempted to stage a ransomware attack but instead used a data wiper malware to wreak havoc.

The attack rendered parts of IHG’s customer-facing website inoperable for a time, causing disruption to online bookings and a number of other applications, although the organisation’s site is now functioning normally.

A spokesperson said: “We prioritised the recovery of our booking channels and revenue-generating systems and were able to get those back up and running in a short period of time.

“Our security measures following the unauthorised activity in our technology systems are continuing,” they said. “We are working closely with our technology suppliers and external specialists have also been engaged to investigate the incident. At this time, we have not identified any evidence of unauthorised access to guest data. We remain focused on supporting our hotels and owners.”

The attackers, who purport to be a Vietnamese couple, go by the moniker TeaPea. They contacted the BBC late last week to share their story, and told the broadcaster they had planned to encrypt IHG’s data with ransomware, but the IT team managed to isolate its servers before they were able to do so.

They said they thought it would be funnier to perform a damaging wiper attack, erasing the victim’s data instead.

TeaPea shared screengrabs of various compromised IHG systems, including its Outlook and Microsoft Teams instances, as proof of their activity. UK-based IHG, which operates chains including Crowne Plaza, Holiday Inn, InterContinental and Kimpton, confirmed the shared images were legitimate.


The BBC additionally reported that TeaPea accessed IHG through a phishing attack against an employee who they tricked into giving up multifactor authentication (MFA) tokens.

They were also supposedly able to easily find login details for IHG’s internal password vault, and claimed the password for this was Qwerty1234. This information gave them deeper access to IHG’s systems.
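A password like the one reported above is worth dwelling on, because it satisfies the kind of complexity rule many organisations still enforce (upper case, lower case, a digit, at least eight characters) while being trivially guessable. The following is an added illustration, not code from the article or from IHG: a legacy complexity check beside a NIST SP 800-63B-style check that rejects denylisted words and keyboard walks. The denylist and keyboard rows are constructed for the example; a real deployment would check against a large compromised-password corpus.

```python
"""Added example (not from the article or IHG): a legacy complexity policy
versus a NIST SP 800-63B-style check for denylisted words and keyboard walks.
The denylist and keyboard rows below are constructed for illustration."""
import re

# Constructed, illustrative denylist fragment. A real deployment would use a
# large compromised-password corpus, not this handful of words.
DENYLIST = {"password", "qwerty", "123456", "letmein", "welcome", "admin"}

# Key rows on a US QWERTY layout, used to spot "walks" such as qwerty or asdf.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def passes_complexity_policy(pw: str) -> bool:
    """Typical legacy rule: at least 8 chars with upper, lower and a digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest run (3+ keys, either direction) along one key row."""
    s = pw.lower()
    best = 0
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for start in range(len(seq)):
                for end in range(start + 3, len(seq) + 1):
                    if seq[start:end] in s:
                        best = max(best, end - start)
    return best


def strip_padding(pw: str) -> str:
    """Remove the leading/trailing digits and symbols users bolt onto a word."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    core = strip_padding(pw)
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if core in DENYLIST or pw.lower() in DENYLIST:
        reasons.append("core word is on the denylist")
    walk = longest_keyboard_walk(pw)
    if walk >= 4:
        reasons.append(f"contains a {walk}-key keyboard walk")
    if re.fullmatch(r"(.)\1+", pw):
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    for candidate in ("Qwerty1234", "correct horse battery staple"):
        print(candidate, "| complexity policy:",
              "pass" if passes_complexity_policy(candidate) else "fail",
              "| denylist/walk check:", check_password(candidate) or "accepted")
```

The point the two checks make together is that "Qwerty1234" passes the composition rule yet is a six-key keyboard walk padded with digits around a denylisted word, which is exactly what a password-spraying list leads with. Screening against known-bad passwords and patterns is what catches it; counting character classes is not.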

Data wipers are a category of malware that erases, or wipes, data on the systems it targets, including documents, other files and installed programs, and frequently the boot records needed to start the machine at all.

While IHG’s attackers in this case appear to have operated on their own initiative, the ultimate goal of a wiper, rendering an organisation’s systems inoperable so that it cannot carry out its functions, makes wipers a highly attractive option for state-backed advanced persistent threat (APT) groups.

Some of the most famous incidents of recent years include the 2014 cyber attack on Sony Pictures by North Korea’s Lazarus group, which used a wiper known as Destover that reused techniques seen in the Shamoon wiper deployed against Saudi Aramco in 2012.

Meanwhile, the June 2017 NotPetya incident, which primarily targeted Ukraine but ultimately had global impacts, presented itself as a series of ransomware attacks but in fact functioned as a data wiper, since the encryption it applied could not be reversed even if the ransom was paid.

More recently, a series of novel data wipers were deployed by Russian threat actors against targets in Ukraine to soften them up ahead of the invasion. One of these wipers, WhisperGate, acted similarly to NotPetya in that it was disguised as ransomware.
