Kaspersky has released a new report detailing why executives traveling in Asia might not want to log in to their hotel’s wireless network.
The so-called “Darkhotel” espionage campaign has been running for four years, stealing sensitive data from traveling corporate executives staying at luxury hotels in Asia. Kaspersky has studied the threat and released its findings today, as well as some tips on how to safeguard your internet security against such threats.
Darkhotel – How it works
Those behind Darkhotel wait for a victim to log in to the hotel’s wireless network, which asks for a room number and surname. They then prompt the user to install what appears to be a genuine update for common software but is in fact a backdoor.
This backdoor software can then be used to collect data, record keystrokes, and extract cached passwords. Hackers often get away with sensitive information, including intellectual property, without the victim ever knowing.
“For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior,” said Kurt Baumgartner, principal security researcher at Kaspersky.
After stealing what they want, the hackers retreat from the network without leaving a trace.
“This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision,” Baumgartner said.
The attacks are concentrated in Japan, Taiwan, China, Russia and South Korea. Kaspersky has told travelers to be sure to log in to a Virtual Private Network (VPN) if they access public or semi-public Wi-Fi. The firm also suggests that any software updates should be treated as suspicious, and users should ensure that their antivirus package includes proactive defense rather than just basic antivirus protection.
Baumgartner has noticed an evolution in the modus operandi of hackers. “The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene,” he said, “where targeted attacks are used to compromise high-profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”