Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

03:45 PM
Connect Directly

Korean-Speaking Cyberspies Targeting Corporate Execs Via Hotel Networks

Researchers unmask the inner workings of "Darkhotel," a unique seven-year-old cyber espionage campaign against C-level executives from various nations as they travel in the Asia-Pacific region.

Corporate executives from around the world are being individually tracked and targeted on the road in an intriguing cyber espionage attack campaign where the attackers know the hotels their targets are staying and stage attacks from the establishments' networks.

More than a couple of dozen hotels' physical and WiFi networks in the Asia-Pacific region have been infiltrated by the so-called Darkhotel or Tapaoux hacker group, which appears to be Korean-speaking, according to findings shared today by Kaspersky Lab. More than 90% of the victim organizations have been from Japan, Taiwan, China, Russia, and Hong Kong, though the researchers also have found some German, American, Indonesian, Indian, and Irish execs who have been affected. Japan has the heaviest volume of victims, and just under two dozen executives so far have been confirmed as victims, according to Kaspersky researchers.

The attackers employ a mix of highly targeted and botnet-type techniques, infecting hotel networks and then waging their attacks from those locations when specific execs -- some CEOs, senior vice presidents, sales and marketing directors, and R&D execs from major companies -- check into their hotels. The botnets are for surveillance, DDoS, or downloading more sophisticated information-stealing malware on to their victims' machines. The attacks via hotel networks have been under way for at least four years and are still ongoing, according to Kaspersky, but the group has been waging other forms of attack for at least seven years.

"Multiple hotels in multiple countries in the APAC as of right now" are being hit by Darkhotel, says Kurt Baumgartner, principal security researcher at Kaspersky Lab, who would not name the victims or hotels involved. "But our investigation is ongoing, and we have a strong belief that it is [occurring] elsewhere" outside the Asia-Pacific region, as well.

Baumgartner says a keylogger used in the attacks appears to be written by a Korean-speaking developer, and the data discovered on the command and control servers used in the attacks have Korean language in the data strings. "You've got a number of individuals involved here who are Korean-speaking and the attacks are happening in the APAC region." He stopped short of confirming the attackers were a Korean nation-state.

And when they infect a Korean-speaking target, the attackers delete the malware -- an indication that they are avoiding friendly fire.

Hotel networks and WiFi -- like any public WiFi -- is notoriously risky. Tom Kellermann, chief cyber security officer at Trend Micro, says hotel wireless networks have been under siege by criminals and spies for a long time. "Travelers should be tremendously dubious of hotel, train, and airport WiFi. These locations have become the ideal hunting grounds for opportunists and nation-states alike. This campaign represents nothing new."

CrowdStrike issued a related warning today about hotel networks and other WiFi to participants in the upcoming G20 Global Leaders Summit, which will be held Nov. 15 and 16 in Brisbane, Australia. With hotels in Brisbane at capacity, many attendees will be lodging outside the city and be shuttled to and from the meetings, leaving them at risk during their travel back and forth, says CrowdStrike's Adam Meyers. In its advisory, CrowdStrike says that the likelihood of attacks via "social engineering, shoulder surfing, or certain Wi-Fi and mobile attacks (exploiting hotel networks, for example)" increases due to the travel.

The Darkhotel gang pushes infected Adobe Flash, Google Toolbar, or Windows Messenger updates to a targeted exec when he or she logs into the hotel's physical or WiFi network. If the exec downloads the update, a backdoor gets planted on the machine. The Adobe Flash update, for example, is actually digitally signed so that it will appear legitimate.

"They used some heavy math which was pretty impressive at the time to sign their malware with their weak [512-bit key] certificates. Now they are outright stealing legitimate 2,048-bit certificates from legitimate organizations... to sign their malware," Baumgartner says.

The attackers also download the Karba Trojan with an information-stealing module and other malware to conduct reconnaissance on the executive's machine, looking for AV software, cached browser and email passwords, and any other sensitive information. The attackers infect each victim only once, and they delete any trace of their activity after they've pilfered what they want from the victim. Kaspersky recently discovered attacks against US and Asian execs traveling on business in the APAC region for investment or other purposes. So far, Darkhotel appears to be targeting execs in government, defense, and non-governmental organizations.

"These guys are professional, well-organized, and methodical," Baumgartner says. "They know what they're after. They don't need to go after a victim again" once they've accessed what they need.

Darkhotel Victims
(Image: Kaspersky Lab)
(Image: Kaspersky Lab)

The cyber espionage gang also previously used spearphishing attacks and poisoning of peer-to-peer networks to hit their targets.

In another unusual strategy, one of the downloaders delays command and control communications by the infected machine for 180 days. "If a special file exists on the system, the module will not start calling back to the C&C server until the special file is 180 days old," Kaspersky says in its detailed report on Darkhotel.

"We've seen delays of five days, maybe a week. But we don't see 180 days," Baumgartner says. "That may be so that when an executive returns to his [office] and his laptop gets inspected, they don't want any outbound traffic. They've already gotten what they wanted and don't need to look for anything."

Kaspersky recommends using a VPN on WiFi or other networks on the road, and to be suspicious of any application updates that pop up.

But Ian Pratt, co-founder and executive vice president of products at Bromium, says a VPN can't necessarily prevent a WiFi-borne attack.

"Most WiFi networks require you to successfully sign in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised," Pratt says. "Bringing a VPN up at this point plays directly into the attackers' hands, bringing the infection onto the enterprise network."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/26/2014 | 5:17:30 PM
More confirmation....
Interesting perspective on the DarkHotel threat. The OpenDNS research team also recently unveiled some of their findings on the Labs blog. We've had a couple of researchers investigate on the matter. Glad to see we are not the only ones!
User Rank: Ninja
11/12/2014 | 8:39:21 AM
Re: Very dangerous
Good point. I think we are at a point where if you are a corporate exec travelling abroad on business  you should assume that there will be efforts to compromise your devices
User Rank: Apprentice
11/12/2014 | 6:23:57 AM
I don't know much about encryption to be honest  but i do know it is important and can save your data from loss and that is why i use encryption. Data protection is the software i use for encryption. Good software.
User Rank: Ninja
11/11/2014 | 1:48:28 AM
Portable Satellite Terminals
It's time corporate execs stepped out of the hotel network world and into satellite broadband, particularly private satellite access.  It's surprising that, at the salaries many execs command and the revenue these companies are generating, portable satellite terminals are not more common.  Encrypted satellite access with high-speed Internet access is readily available.

Of course, while travelling, it's not uncommon for people to not want certain traffic to be going over their company network, so no matter how hard you try to secure your exec's line, you may still fail depending on what their extra-curricular Internet activities are.  Their choice, but the wrong one.

Which leads me to the assertion that execs who want to travel and use any type of electronic equipment to do business need to be locked down and locked out.  That is, if they want to access the Internet on a company device, then it has to be over secure satellite broadband, on a device that will not access certain sites or allow certain types of traffic.  If they want the extra-curricular stuff, they'll just have to find another device to do it on.

This is nothing shocking - I see wireless connections all the time at hotels that are named so close to the real network that you could easily make the mistake.  All the shadow has to do is emulate the password scheme (generally your room number or last name) or allow anything to act as a password, and they have you.  Tip to the wise:  Stay off all public networks while travelling, lock down your execs' devices, and encrypt all traffic and local data, just for the extra oomph. 
User Rank: Ninja
11/10/2014 | 6:10:13 PM
Very dangerous
The discovery doesn't surprise me, the practice is old and it is managed by cyber spies and cyber criminals for a long time. Like Kurt Baumgartner, I'm surprised by the Darkhotel APT's indiscriminate backdoor spreading.

I have many doubts regarding the real origin of the specific APT
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.