

Korean-Speaking Cyberspies Targeting Corporate Execs Via Hotel Networks

Researchers unmask the inner workings of "Darkhotel," a unique seven-year-old cyber espionage campaign against C-level executives from various nations as they travel in the Asia-Pacific region.

Corporate executives from around the world are being individually tracked and targeted on the road in an intriguing cyber espionage attack campaign in which the attackers know which hotels their targets are staying at and stage attacks from the establishments' networks.

More than a couple of dozen hotels' physical and WiFi networks in the Asia-Pacific region have been infiltrated by the so-called Darkhotel or Tapaoux hacker group, which appears to be Korean-speaking, according to findings shared today by Kaspersky Lab. More than 90% of the victim organizations have been from Japan, Taiwan, China, Russia, and Hong Kong, though the researchers also have found some German, American, Indonesian, Indian, and Irish execs who have been affected. Japan has the heaviest volume of victims, and just under two dozen executives so far have been confirmed as victims, according to Kaspersky researchers.

The attackers employ a mix of highly targeted and botnet-type techniques, infecting hotel networks and then waging their attacks from those locations when specific execs -- some CEOs, senior vice presidents, sales and marketing directors, and R&D execs from major companies -- check into their hotels. The botnets are for surveillance, DDoS, or downloading more sophisticated information-stealing malware onto their victims' machines. The attacks via hotel networks have been under way for at least four years and are still ongoing, according to Kaspersky, but the group has been waging other forms of attack for at least seven years.

"Multiple hotels in multiple countries in the APAC as of right now" are being hit by Darkhotel, says Kurt Baumgartner, principal security researcher at Kaspersky Lab, who would not name the victims or hotels involved. "But our investigation is ongoing, and we have a strong belief that it is [occurring] elsewhere" outside the Asia-Pacific region, as well.

Baumgartner says a keylogger used in the attacks appears to have been written by a Korean-speaking developer, and the data discovered on the command-and-control servers used in the attacks contain Korean-language strings. "You've got a number of individuals involved here who are Korean-speaking and the attacks are happening in the APAC region." He stopped short of confirming the attackers were a Korean nation-state.

And when they infect a Korean-speaking target, the attackers delete the malware -- an indication that they are avoiding friendly fire.

Hotel networks and WiFi -- like any public WiFi -- are notoriously risky. Tom Kellermann, chief cyber security officer at Trend Micro, says hotel wireless networks have been under siege by criminals and spies for a long time. "Travelers should be tremendously dubious of hotel, train, and airport WiFi. These locations have become the ideal hunting grounds for opportunists and nation-states alike. This campaign represents nothing new."

CrowdStrike issued a related warning today about hotel networks and other WiFi to participants in the upcoming G20 Global Leaders Summit, which will be held Nov. 15 and 16 in Brisbane, Australia. With hotels in Brisbane at capacity, many attendees will be lodging outside the city and be shuttled to and from the meetings, leaving them at risk during their travel back and forth, says CrowdStrike's Adam Meyers. In its advisory, CrowdStrike says that the likelihood of attacks via "social engineering, shoulder surfing, or certain Wi-Fi and mobile attacks (exploiting hotel networks, for example)" increases due to the travel.

The Darkhotel gang pushes infected Adobe Flash, Google Toolbar, or Windows Messenger updates to a targeted exec when he or she logs into the hotel's physical or WiFi network. If the exec downloads the update, a backdoor gets planted on the machine. The Adobe Flash update, for example, is actually digitally signed so that it will appear legitimate.

"They used some heavy math which was pretty impressive at the time to sign their malware with their weak [512-bit key] certificates. Now they are outright stealing legitimate 2,048-bit certificates from legitimate organizations... to sign their malware," Baumgartner says.
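The two signing techniques described above call for different defenses: a short (512-bit) RSA key on the signer certificate is detectable from the key itself, whereas a stolen 2,048-bit certificate passes any key-size check and can only be caught by revocation checking or by pinning the vendors an endpoint accepts updates from. The following is an added example, not code from the article or from Kaspersky, showing the first check in pure Python. It assumes the caller has already extracted the signer certificate's SubjectPublicKeyInfo as DER bytes (the tooling for that is outside the example); the tiny ASN.1 encoder and decoder handle the RSA case only, and `build_rsa_spki` exists solely to construct sample inputs with moduli that are not real keys.

```python
"""Reject update signers whose RSA key is too short to be trustworthy.

Added example, not part of the Dark Reading article or Kaspersky's report.
Assumes the signer certificate's SubjectPublicKeyInfo (SPKI) has already been
extracted as DER bytes; only rsaEncryption keys are handled here.
"""

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
DER_NULL = b"\x05\x00"
MINIMUM_RSA_BITS = 2048  # policy threshold (assumption): anything shorter is rejected


def _der_length(n: int) -> bytes:
    """DER length: short form below 0x80, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # keep the INTEGER positive in two's complement
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA SubjectPublicKeyInfo (used here only to build constructed test inputs)."""
    rsa_public_key = _der_tlv(0x30, _der_integer(modulus) + _der_integer(exponent))
    algorithm = _der_tlv(0x30, RSA_OID + DER_NULL)
    # BIT STRING: first byte is the number of unused bits (0), then the RSAPublicKey
    return _der_tlv(0x30, algorithm + _der_tlv(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, end) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> AlgorithmIdentifier + BIT STRING -> RSAPublicKey and size the modulus."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, algorithm, pos = _read_tlv(body, 0)
    if tag != 0x30 or not algorithm.startswith(RSA_OID):
        raise ValueError("signer key is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING for subjectPublicKey")
    tag, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)  # skip the unused-bits byte
    tag, modulus_bytes, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus_bytes, "big").bit_length()


def check_signer_key(spki: bytes, minimum_bits: int = MINIMUM_RSA_BITS) -> dict:
    """Policy decision for an update's signer: accept only RSA keys of at least minimum_bits."""
    bits = rsa_modulus_bits(spki)
    return {"rsa_bits": bits, "accepted": bits >= minimum_bits}


if __name__ == "__main__":
    # Constructed sample keys: the moduli are just odd numbers of the right size, not real keys.
    weak = build_rsa_spki((1 << 511) | 1)
    strong = build_rsa_spki((1 << 2047) | 1)
    print(check_signer_key(weak))    # {'rsa_bits': 512, 'accepted': False}
    print(check_signer_key(strong))  # {'rsa_bits': 2048, 'accepted': True}
```

A rejected signer should block the install and raise an alert rather than fall back to a prompt, since the campaign relies on the user accepting a plausible-looking update. Note again what this check cannot do: a legitimately issued 2,048-bit certificate that was stolen from its owner is accepted here, so the key-size rule is one layer under revocation checks and an allow-list of update publishers, not a replacement for them.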

The attackers also download the Karba Trojan with an information-stealing module and other malware to conduct reconnaissance on the executive's machine, looking for AV software, cached browser and email passwords, and any other sensitive information. The attackers infect each victim only once, and they delete any trace of their activity after they've pilfered what they want from the victim. Kaspersky recently discovered attacks against US and Asian execs traveling on business in the APAC region for investment or other purposes. So far, Darkhotel appears to be targeting execs in government, defense, and non-governmental organizations.

"These guys are professional, well-organized, and methodical," Baumgartner says. "They know what they're after. They don't need to go after a victim again" once they've accessed what they need.

The cyber espionage gang also previously used spearphishing attacks and poisoning of peer-to-peer networks to hit their targets.

In another unusual strategy, one of the downloaders delays command and control communications by the infected machine for 180 days. "If a special file exists on the system, the module will not start calling back to the C&C server until the special file is 180 days old," Kaspersky says in its detailed report on Darkhotel.

"We've seen delays of five days, maybe a week. But we don't see 180 days," Baumgartner says. "That may be so that when an executive returns to his [office] and his laptop gets inspected, they don't want any outbound traffic. They've already gotten what they wanted and don't need to look for anything."
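The point of the 180-day gate is that an inspection of the returning laptop sees no outbound traffic, so a defender who only watches for beaconing at inspection time finds nothing. One way to hunt for this pattern instead is to correlate a binary's first appearance on a host with its first-ever outbound connection and flag long gaps. The example below is added here and is not from the article or Kaspersky's report; it assumes endpoint telemetry exported as JSON lines with the fields `ts`, `host`, `image`, `event` and `dst` (an assumed schema to adapt to your EDR), and the sample lines are constructed. The 90-day threshold is likewise an assumption; as the quote notes, delays of five days or a week are the norm, so shorter thresholds trade noise for coverage.

```python
"""Hunt for executables that sat idle for months before their first outbound connection.

Added example, not from the Dark Reading article or Kaspersky's report. Assumes
JSON-lines endpoint telemetry with the fields used below (an assumed schema).
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry for three executables on one travelling laptop.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real destinations.
SAMPLE_TELEMETRY = """\
{"ts": "2014-03-01T09:00:00Z", "host": "exec-laptop-01", "image": "browser.exe", "event": "process_start"}
{"ts": "2014-03-01T09:00:05Z", "host": "exec-laptop-01", "image": "browser.exe", "event": "net_connect", "dst": "198.51.100.7:443"}
{"ts": "2014-03-01T21:30:00Z", "host": "exec-laptop-01", "image": "helper_update.exe", "event": "process_start"}
{"ts": "2014-03-01T21:31:00Z", "host": "exec-laptop-01", "image": "svc_helper.exe", "event": "process_start"}
{"ts": "2014-03-06T08:00:00Z", "host": "exec-laptop-01", "image": "helper_update.exe", "event": "net_connect", "dst": "203.0.113.10:443"}
{"ts": "2014-08-30T21:31:00Z", "host": "exec-laptop-01", "image": "svc_helper.exe", "event": "net_connect", "dst": "203.0.113.44:443"}
"""


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_dormant_beacons(jsonl: str, min_dormancy: timedelta = timedelta(days=90)) -> list:
    """Return (host, image) pairs whose first outbound connection came min_dormancy
    or longer after the binary was first seen running on that host."""
    first_seen = {}     # (host, image) -> earliest process_start
    first_connect = {}  # (host, image) -> (earliest net_connect, destination)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        key = (event["host"], event["image"])
        ts = _parse_ts(event["ts"])
        if event["event"] == "process_start":
            if key not in first_seen or ts < first_seen[key]:
                first_seen[key] = ts
        elif event["event"] == "net_connect":
            if key not in first_connect or ts < first_connect[key][0]:
                first_connect[key] = (ts, event.get("dst"))

    findings = []
    for key, (connect_ts, dst) in first_connect.items():
        if key not in first_seen:
            continue  # no start event in the window; nothing to measure dormancy against
        dormancy = connect_ts - first_seen[key]
        if dormancy >= min_dormancy:
            findings.append({
                "host": key[0],
                "image": key[1],
                "dormant_days": dormancy.days,
                "first_seen": first_seen[key].isoformat(),
                "first_connect": connect_ts.isoformat(),
                "first_dst": dst,
            })
    return findings


if __name__ == "__main__":
    for finding in find_dormant_beacons(SAMPLE_TELEMETRY):
        print(finding)  # only svc_helper.exe, dormant for 182 days
```

On the constructed data only `svc_helper.exe` is reported: it started on the day of the hotel stay and first connected out 182 days later, while `helper_update.exe` connected after four days and slips under the 90-day rule. Running this retrospectively over months of retained telemetry is what makes it useful; the whole point of the technique is that the interesting event happens long after the laptop came home.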

Kaspersky recommends using a VPN on WiFi or other networks on the road, and being suspicious of any application updates that pop up.

But Ian Pratt, co-founder and executive vice president of products at Bromium, says a VPN can't necessarily prevent a WiFi-borne attack.

"Most WiFi networks require you to successfully sign in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised," Pratt says. "Bringing a VPN up at this point plays directly into the attackers' hands, bringing the infection onto the enterprise network."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

User Rank: Apprentice
11/26/2014 | 5:17:30 PM
More confirmation....
Interesting perspective on the DarkHotel threat. The OpenDNS research team also recently unveiled some of their findings on the Labs blog. We've had a couple of researchers investigate on the matter. Glad to see we are not the only ones!
User Rank: Ninja
11/12/2014 | 8:39:21 AM
Re: Very dangerous
Good point. I think we are at a point where if you are a corporate exec travelling abroad on business, you should assume that there will be efforts to compromise your devices.
User Rank: Apprentice
11/12/2014 | 6:23:57 AM
I don't know much about encryption to be honest, but I do know it is important and can save your data from loss and that is why I use encryption. Data protection is the software I use for encryption. Good software.
User Rank: Ninja
11/11/2014 | 1:48:28 AM
Portable Satellite Terminals
It's time corporate execs stepped out of the hotel network world and into satellite broadband, particularly private satellite access.  It's surprising that, at the salaries many execs command and the revenue these companies are generating, portable satellite terminals are not more common.  Encrypted satellite access with high-speed Internet access is readily available.

Of course, while travelling, it's not uncommon for people to not want certain traffic to be going over their company network, so no matter how hard you try to secure your exec's line, you may still fail depending on what their extra-curricular Internet activities are.  Their choice, but the wrong one.

Which leads me to the assertion that execs who want to travel and use any type of electronic equipment to do business need to be locked down and locked out.  That is, if they want to access the Internet on a company device, then it has to be over secure satellite broadband, on a device that will not access certain sites or allow certain types of traffic.  If they want the extra-curricular stuff, they'll just have to find another device to do it on.

This is nothing shocking - I see wireless connections all the time at hotels that are named so close to the real network that you could easily make the mistake.  All the shadow has to do is emulate the password scheme (generally your room number or last name) or allow anything to act as a password, and they have you.  Tip to the wise:  Stay off all public networks while travelling, lock down your execs' devices, and encrypt all traffic and local data, just for the extra oomph. 
User Rank: Ninja
11/10/2014 | 6:10:13 PM
Very dangerous
The discovery doesn't surprise me; the practice is old and has been managed by cyber spies and cyber criminals for a long time. Like Kurt Baumgartner, I'm surprised by the Darkhotel APT's indiscriminate backdoor spreading.

I have many doubts regarding the real origin of the specific APT.