Darkhotel Attackers Target CEOs
Hackers have developed a scheme to steal sensitive information from top executives by penetrating the Wi-Fi networks of luxury hotels, security researchers said Monday.
Dubbed the "Darkhotel APT," the threat actors use three different malware distribution methods, including malicious Wi-Fi networks, booby-trapped P2P torrents, and highly customized spear phishing, Kaspersky Lab noted in a research paper.
Kaspersky said about 90 percent of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea, but that the executives targeted include those traveling from the United States and other countries.
"The more interesting traveling targets include top executives from the US and Asia doing business and investment in the (Asia-Pacific) region."
The attackers’ methods include the use of zero-day exploits to target executives in spear-phishing attacks as well as a kernel-mode keystroke logger to siphon data from victim machines. They also managed to crack weak digital signing keys to generate certificates for signing their malware, in order to make malicious files appear to be legitimate software.
“Obviously, we’re not dealing with an average actor,” says Raiu. “This is a top-class threat actor. Their ability to do the kernel-mode key logger is rare, the reverse engineering of the certificate, the leveraging of zero days—that puts them in a special category.”
These types of attacks were first recorded in 2007, but activity spiked in August 2010 and has continued through to this year, the research found. Executives from electronics makers, pharmaceutical companies and military organizations were among the targets.
The key-logging tool's code is written in Korean, but Kaspersky said this did not necessarily mean the hackers were from Korea. It was also difficult at this stage in the investigation to tell if the attacks were state-backed, Raiu added.
The number of hotels that have been hit is also unknown. So far the researchers have found fewer than a dozen hotels with infection indicators. “Maybe there are some hotels that … used to be infected and we just cannot learn about that because there are no traces,” the network-management executive says.
The company worked with Kaspersky to scour all of the hotel servers it manages for any traces of malware and is “fairly confident that the malware doesn’t sit on any hotel server today.” But that is just one network-management company. Presumably, the Darkhotel operation is still active on other networks.