Darkhotel APT: An Elite Spying Group Targeting Executives

Kaspersky Lab researchers shared the news of a new APT group, named “Darkhotel,” that infiltrated many hotel networks over the years. The report indicates the Darkhotel crew was active for at least four years. These hackers, Kaspersky notes, are extremely skilled, performing attacks with “surgical precision.” Never going after the same target twice. The hackers know what they want, they obtain all the valuable data during the first contact, delete all traces, disappear, and wait for the next prey.

HOW DOES IT WORK?

The Darkhotel maintains an undetected presence on a hotel’s network, even on systems thought to be safe and secure. When an executive logs in to the hotel’s wifi network, he is asked to provide the room number and the last name. Once that’s done, the attackers can see his presence on the network and the attack can begin. They first trick him into downloading a software update, such as Adobe Flash Player plugin update or a Google updates, that installed a backdoor on the victim’s computer.

The backdoor can now install a variety of other malware and tools needed for extraction of the target’s data. These tools can than detect the type of antivirus and antimalware software installed on the system to effectively circumvent them, record every keystroke, search for cached passwords in web browsers, and steal log in credentials for email and social media, along with other private information. Although many of Darkhotel’s attacks are targeted, they attack indiscriminately as well.

“The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools,” notes Kurt Baumgartner, the Principal Security Researcher at Kaspersky America.

You can also watch a short video depicting the attack scenario: