APT28

After the US government spent what was probably millions of dollars developing its hacking tools, Russian state hackers are now using one of them to spy on guests at hotels across Europe and the Middle East.

According to a report released today by US cyber-security firm FireEye, a well-known Russian cyber-espionage group has used an NSA exploit known as ETERNALBLUE as part of a complex set of intrusions it carried out starting in July this year.

According to FireEye, this is the first time it has observed a cyber-espionage unit use ETERNALBLUE in a live campaign since a group calling itself The Shadow Brokers leaked the tool online in April this year.

APT28 targeted hotels with clever spear-phishing campaign

The Russian cyber-espionage unit that deployed ETERNALBLUE is usually referred to as APT28 but is also tracked in other vendors' reports as Fancy Bear, Sofacy, Sednit, Tsar Team, Pawn Storm, or Strontium.

This group is infamous in cyber-security circles, being suspected of hacking the DNC (Democratic National Committee), NATO, and the German Bundestag. Many believe the group has ties to the Russian military intelligence service GRU.

For this particular campaign, FireEye researchers say APT28 ran a spear-phishing campaign that delivered a bogus hotel reservation form as a Word document.

Attackers distributed the document to hotels and other entities in the hospitality industry. Targets who allowed the document to execute a built-in macro had their computers infected with the GAMEFISH malware, a long-standing APT28 tool.

ETERNALBLUE and Responder used to spread on local network

The hackers then used this malware to download and run ETERNALBLUE and the open-source Responder tool. Both were used to reach other systems on the hotel's local network. ETERNALBLUE exploits an SMBv1 flaw (patched by Microsoft in MS17-010) to spread to unpatched Windows hosts, while Responder poisons NetBIOS Name Service (NBT-NS) lookups: when a victim machine broadcasts a query for a network resource, Responder answers with the attacker's address, and the victim then sends its username and hashed password to the attacker's machine.

"APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network," FireEye said today in a report.
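The NBT-NS poisoning step described above leaves a recognisable footprint: one host starts answering name queries for many different names, including names that do not exist. The following Python script, an added example and not FireEye's or APT28's tooling, shows how a defender can spot a Responder-style poisoner in name-resolution logs and list the hosts that may have handed it their hashes. The log format, the sample records, the threshold, and the canary name (a deliberately bogus name a defender queries to see who claims it) are all constructed assumptions for this demo.

```python
"""Detect Responder-style LLMNR/NBT-NS poisoning from name-resolution logs.

Added example (not the tooling described in the article). It assumes a
simplified, space-separated log format, constructed here for the demo:

    <unix_ts> <proto> <querier_ip> <name> <answerer_ip>

where <proto> is LLMNR or NBT-NS and <answerer_ip> is "-" when nobody replied.
"""
from collections import defaultdict

# Constructed sample log. The legitimate file server 10.0.5.10 answers only
# for its own name; 10.0.5.77 answers for every name it hears, including the
# canary name that no legitimate host should own.
SAMPLE_LOG = """\
1502200001 NBT-NS 10.0.5.23 FILESRV01 10.0.5.10
1502200002 LLMNR  10.0.5.23 FILESRV01 10.0.5.10
1502200010 NBT-NS 10.0.5.23 PRINTSRV 10.0.5.77
1502200011 LLMNR  10.0.5.31 WPAD 10.0.5.77
1502200012 NBT-NS 10.0.5.31 FILESRV1 10.0.5.77
1502200013 NBT-NS 10.0.5.44 SHAREPOINT 10.0.5.77
1502200014 LLMNR  10.0.5.44 PRINTSRV 10.0.5.77
1502200015 NBT-NS 10.0.5.44 ZZZ-HONEYTOKEN 10.0.5.77
1502200020 LLMNR  10.0.5.50 DOESNOTEXIST -
"""

# Hypothetical canary: a defender periodically queries this name on purpose.
# Nothing legitimate owns it, so any answer is a poisoner.
CANARY_NAMES = {"ZZZ-HONEYTOKEN"}
# A real host rarely claims more than one or two names on the segment.
DISTINCT_NAME_THRESHOLD = 3


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, querier, name, answerer = line.split()
        records.append({
            "ts": int(ts),
            "proto": proto,
            "querier": querier,
            "name": name.upper(),   # NetBIOS names are case-insensitive
            "answerer": answerer,
        })
    return records


def find_poisoners(records, threshold=DISTINCT_NAME_THRESHOLD, canaries=CANARY_NAMES):
    """Return {answerer_ip: [reasons]} for hosts that look like poisoners.

    Two independent signals are used: answering for an unusually large set of
    distinct names, and answering for a canary name that does not exist.
    """
    names_by_answerer = defaultdict(set)
    canary_hits = defaultdict(set)
    for r in records:
        if r["answerer"] == "-":
            continue
        names_by_answerer[r["answerer"]].add(r["name"])
        if r["name"] in canaries:
            canary_hits[r["answerer"]].add(r["name"])

    findings = {}
    for ip, names in names_by_answerer.items():
        reasons = []
        if len(names) >= threshold:
            reasons.append(f"answered {len(names)} distinct names: {sorted(names)}")
        if ip in canary_hits:
            reasons.append(f"answered canary name(s): {sorted(canary_hits[ip])}")
        if reasons:
            findings[ip] = reasons
    return findings


def victims_of(records, poisoner_ip):
    """Hosts that accepted an answer from the poisoner and may have sent it
    NTLM credentials; these are the accounts to reset and the hosts to triage."""
    return {r["querier"] for r in records if r["answerer"] == poisoner_ip}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, reasons in find_poisoners(recs).items():
        print(f"[!] possible poisoner {ip}")
        for reason in reasons:
            print(f"    - {reason}")
        print(f"    victims: {sorted(victims_of(recs, ip))}")
```

The canary trick is the more reliable of the two signals, since a legitimate host will never claim a name that was invented for the check. On the prevention side, the same behaviour is neutralised by disabling LLMNR via Group Policy and NetBIOS over TCP/IP on the adapter, enforcing SMB signing, and, for the ETERNALBLUE half of the chain, applying MS17-010 and disabling SMBv1.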

Hotel WiFi networks a hot commodity among state hackers

FireEye's researchers say the hackers were particularly interested in taking over the hotels' guest WiFi networks. The reasoning is that control of the hotel WiFi lets the attackers perform Man-in-the-Middle attacks to push malware to, or intercept the traffic of, guests of interest.

This was the first time FireEye saw APT28 use ETERNALBLUE, but it isn't the first time APT28 has targeted hotels. A similar incident happened in 2016, which FireEye describes as follows.

In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network. We cannot confirm how the initial credentials were stolen in the 2016 incident; however, later in the intrusion, Responder was deployed. Since this tool allows an attacker to sniff passwords from network traffic, it could have been used on the hotel Wi-Fi network to obtain a user’s credentials.

APT28 is not the only cyber-espionage group to have targeted hotel WiFi networks. The DarkHotel group, which takes its name from these attacks, was the first to carry them out, from at least 2011 until 2016. In addition, the Duqu group employed the same tactics in 2015 to spy on hotel guests taking part in the Iranian nuclear negotiations.