A state-backed espionage group has spent years targeting senior executives from large global companies using a specialised Advanced Persistent Threat (APT) that can follow and steal data from them as they move around the globe from hotel to hotel, Kaspersky has revealed.
Dubbed 'Darkhotel' by the security firm in honour of this ability, the campaign has a number of unusual characteristics but it is the ability to 'follow' people that is the most curious and appears to explain a number of attacks on hotel guests in recent years that were previously thought to be unconnected.
This is pretty precise targeting but on a huge scale. Targets connecting through hotel Wi-Fi were prompted to install malware disguised as legitimate software updates, an attack that relied on remotely compromising the hotel's web and admin systems and possibly, Kaspersky Lab speculates, its back-office systems as well.
So the attackers knew the day their named target was going to connect through the target hotel network, plus their room number. They then deleted signs of the attack afterwards while still being able to reactivate it at a later date should that be necessary.
The payload was a keylogger that set out to steal logins to a range of web services and any other passwords it could grab from browser caches and email clients. This was and is clearly a tool designed to boost intelligence-gathering elsewhere.
The attacks used forged and stolen certificates (hacked thanks to 'weak' 512-bit RSA keys) to make the malware appear genuine, as well as a range of Flash zero-day exploits, including ones designed to beat the better security built into Windows 8.1.
Beyond the targeting and the long time period of the attacks and malware development, the ability to attack certificates and wield zero-day flaws at will is a sure sign that the attackers have had state resources at their disposal.
Interestingly, despite some smarts, the sophistication level isn't always top drawer, which points towards China rather than the US or Russia. The victim list is another hint at that too.
"Overall, victims in our sinkhole logs and KSN data were found across the globe, with the majority in Japan, Taiwan, China, Russia, Korea and Hong Kong," (in that order) noted Kaspersky Lab's researchers.
US executives were on the list but far below the prevalence for targeting Japanese CEOs and managers. And the attackers seem to go after almost everyone with the right job title, with sectors hit including electronics, finance, manufacturing, pharma, cosmetics, chemicals, automotive, defence, law, military and even NGOs - the last one has been an obsession for Chinese actors.
The Darkhotel suite of malware tools - a clutch of Trojans including Tapaoux, pioneer, Karba, and Nemim - could be traced back to 2006 or 2007 but the hotel attacks seem to date from 2012, Kaspersky said.