An infamous cyber-espionage group was discovered by security analysts exploiting the same spy tools behind the WannaCry and NotPetya ransomware attacks.
Cyber security researchers from FireEye divulged in a blog post that an alleged Russian group is targeting travelers and hotels across Europe and the Middle East to steal data. The post read:
“FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East.”Hackers now use #EternalBlue exploit to infiltrate hotel guest networks!Click To Tweet
APT28, also know as Sofacy, Sednit, Pawn Storm, and Fancy Bear, was found attempting to steal credentials from high-value guests of European and Middle Eastern hotels through their WiFi networks.
Russians Use NSA Spy Tools to Steal Information
Fancy Bear is an infamous hacking organization which many security firms have linked to Russian intelligence. The said group is believed to have been operating since around 2007. They have been accused of hacking the Democratic National Committee and the Clinton campaign in an attempt to influence the 2016 United States Presidential election.
According to FireEye, the hacking campaign launched by Fancy Bear exploits EternalBlue, a vulnerability that takes advantage of a version of Windows’ Server Message Block (SMB) networking protocol to infiltrate networks.
It should be remembered that EternalBlue, together with other spy tools, were leaked in April by the infamous Shadow Brokers hacking group. These tools that were designed to target Windows PCs and servers were said to be used by U.S. intelligence services and the National Security Agency to conduct surveillance.
Experts also believed that several hacking groups are using the NSA spy tools to boost their malware. However, this is the first time that a cyber criminal organization was actually spotted in the act.
In a statement to ZDNet, Cristiana Brafman Kittner, Senior Analyst at FireEye said:
“This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version.”
The Attack Process Using Spy Tools
According to threat analysts, the hacking attack starts with email phishing. FireEye apparently discovered “malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July.”
Once the macro within the malicious document is successfully executed, APT28’s signature Gamefish malware will be installed in the computer. Once Gamefish is installed, it will use the spy tool EternalBlue to find machines that control both administrative WiFi and guest networks.
After gaining access to the said machines, the malware will then deploy an open source Responder tool to steal information sent over the wireless network.
The post from FireEye stated that no guest credentials were stolen at the compromised hotels. However, they cited an incident in Fall 2016 when APT28 gained initial access to a victim’s network via credentials allegedly stolen from a hotel WiFi network.
This is not the first time that hackers targeted hotel guests. It was reported that a South Korean hacking group known as Fallout Team or DarkHotel, carried out a separate but similar attack against Asian hotels to acquire information from top executives of large global companies during their business trips.
U.S travelers are advised to refrain from using hotel WiFi and other public networks, especially in foreign lands. Instead, security experts suggest using mobile device hotspot to gain Internet access.