Darkhotel APT Campaign Targets Traveling Executives

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Kaspersky Lab researchers are warning of a advanced persistent threat (APT) called Darkhotel, which specifically targets traveling business executives in a variety of industries.

"For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior," Kaspersky Lab principal security researcher Kurt Baumgartner said in a statement.

"This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision," Baumgartner added.

The APT campaign infects Wi-Fi networks at luxury hotels, then waits for specific business executives to check in. When a targeted victim accessing the hotel's Wi-Fi network by entering his last name and room number, the attackers then prompt the victim to download an update for Adobe Flash, Google Toolbar or Windows Messenger.

"The unsuspecting executive downloads this hotel 'welcome package,' only to infect his machine with a backdoor, Darkhotel's spying software," the researchers explain.

The backdoor can then be used to download digitally-signed advanced keyloggers, information-stealing modules and other malware. Those tools collect data from the infected machine, including login credentials and other sensitive personal and corporate data.

"When Kaspersky Lab researchers visited Darkhotel incident destinations with honeypot machines they did not attract Darkhotel attacks, which suggests the APT acts selectively," the researchers note. "Further work demonstrated just how careful these attackers were to hide their activity -- as soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status."

According to Kaspersky, the campaign has targeted CEOs, senior vice presidents, sales and marketing directors and top R&D staff across a wide range of verticals including electronics manufacturing; investment capital and private equity; pharmaceuticals; cosmetics and chemicals manufacturing offshoring and sales; automotive manufacturer offshoring services; automotive assembly, distribution, sales and services; defense industrial base; law enforcement and military services; and non-governmental organizations.

About 90 percent of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea. "The more interesting traveling targets include top executives from the U.S. and Asia doing business and investment in the APAC region," the researchers note.

Kaspersky recommends that executives take the following steps to protect themselves:

  • Choose a Virtual Private Network (VPN) provider -- you will get an encrypted communication channel when accessing public or semi-public Wi-Fi.
  • When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.
  • Make sure your Internet security solution includes proactive defense against new threats rather than just basic antivirus protection.

The Oxford Internet Institute's Ian Brown suggested to BBC News that executives should also consider protecting themselves by using personal mobile hotspots instead of hotel Wi-Fi connections.