Russian security firm Kaspersky Lab has discovered that criminals have been exploiting the wifi networks of certain luxury hotels in Asia to steal confidential information.
The group, known as the ‘Darkhotel’ hackers modified their code in order to target only the machines of those they wished to infiltrate. This indicates they had advanced knowledge of their victims’ whereabouts and which hotels they would be staying in.
The goal of the hackers seems to have been to gain access to services like Google, Facebook, Yahoo and Twitter accounts for a number of American and Asian business executives. It is also clear that the plan was to snoop on their targets for as long as possible, long after the initial infection.
Kaspersky Lab’s Costin Raiu said “the perpetrators could have had multiple motivations and may have been nation state-sponsored hackers or cyber criminals”.
“So far all victims we have been able to trace are very important people and they make sense in the context,” he said. “Maybe what we have here is the same framework being used by two different groups – one with a focus on other nation states, the other focusing on business interests… it wouldn’t be abnormal.
“I know that at least one of the victims was particularly staying in a hotel because she attended a conference event in that particular city.”
Upon further investigation at the hotel, Kaspersky Labs have found that the attacks date back to at least 2009. The scheme was not restricted to hotels either. Their malware has also cropped up on peer-to-peer file sharing networks like BitTorrent, and as email attachments where the targets appear to have been governments, defence firms and NGOs – lured with relevant topics on nuclear energy and defence capabilities.
These attacks were sophisticated, exploiting zero-day vulnerabilities. This means the methods used had not been seen before, and therefore had not been fixed by software vendors. In addition to this, the code was ‘signed’ with security certificates, designed to prevent exactly this kind of attack.
“This type of targeted attack is uncommon. The steps taken to infect the machines and factors that have to be in place for it to work make it a very specialist type of infection,” said Mark James, security specialist at anti-virus firm ESET.
Richard Cassidy, senior solutions architect at Alert Logic, added: “We are seeing a very sophisticated attack on the target networks by this cell, who have put a great deal of thought into what information they want, who they are targeting and how to write malware that provides the best chance of getting what they’re after.”