Posted on August 12, 2017 at 5:27 PM
According to a new report from security firm FireEye, a Russian hacker group known as APT28 or Fancy Bear has been targeting victims through compromised hotel Wi-Fi networks since last fall. FireEye has closely tracked the group’s attacks, including the breach of the Democratic National Committee prior to last year’s election.
FireEye says that the hackers started using EternalBlue, a leaked NSA hacking tool, to extend their control across hotel networks once they had gained an initial foothold via phishing. Once in control of the Wi-Fi, the hackers can quietly collect usernames and passwords from victims’ computers using a trick that does not even require users to actively type their credentials while signed onto the hotel network.
Ben Read, who leads FireEye’s espionage research team, says that this is a new technique for the hacker group. He said that this is a more passive way to collect data, since all you need to do is sit and intercept data from the Wi-Fi traffic.
FireEye first saw evidence of Fancy Bear possibly targeting hotels in the fall of last year, when it analyzed a breach that started on one corporate employee’s computer. Analysts traced the infection to the victim’s use of a hotel Wi-Fi network while traveling: 12 hours after the person had connected, their credentials were used to connect to the same Wi-Fi, get into their computer, install malware and access their Outlook data. This means that the attacker was on the same network, watching the traffic in order to intercept the victim’s credentials.
FireEye noticed a series of similar attacks last month in hotels across Europe and one in the Middle East. The attackers used phishing emails to get into the network, then used the access they had gained to launch the NSA hacking tool, which allowed them to spread control through the hotel’s network via a vulnerability in Microsoft’s Server Message Block (SMB) protocol.
The hackers would then use Responder, a network-hacking tool that let them monitor traffic and make computers give up their users’ credentials without leaving a trace.
FireEye says that the hotels whose networks were targeted were moderately high-end, but it still does not know whether the hackers had specific people in mind when carrying out the attacks. The company’s analysts could not confirm any individual victims whose credentials were stolen from the targeted hotels.
FireEye says it is fairly confident that Fancy Bear is behind the hacks of last fall and last month. It based this conclusion on two pieces of malware usually associated with Fancy Bear: GameFish and XTunnel.
The security firm says that if Fancy Bear is indeed behind these attacks, they are the first confirmation that the Russian hackers are using the NSA hacking tools leaked in the ShadowBrokers scandal.
This would also showcase a new evolution of the Fancy Bear group’s techniques.
Looked at more broadly, though, this type of attack has happened before, carried out by more sophisticated hackers. DarkHotel, for example, believed to be directed by North Korea, happened in 2014. The Duqu 2.0 malware, as far as is known the work of Israeli hackers, was found in 2015 in the networks of European hotels hosting the Iranian nuclear negotiations.
All of this should serve as a reminder for travelers who may carry sensitive information not to trust hotel networks. Even when using a VPN, your private credentials could still be reachable for Responder to exploit. The safest approach for anyone with a big secret to keep is to use your own wireless hotspot and avoid the hotel’s network like the plague.