Kaspersky Lab Sheds Light on "Darkhotels", Where Business Executives Fall Prey to an Elite Spying Crew

News provided by

Kaspersky Lab

10 Nov, 2014, 13:32 GMT

LONDON, November 10, 2014 /PRNewswire/ --

Kaspersky Lab's Global Research and Analysis Team experts have researched the "Darkhotel" espionage campaign, which has lurked in the shadows for at least four years, stealing sensitive data from selected corporate executives travelling abroad. "Darkhotel" hits its targets while they are staying in luxury hotels. The crew never goes after the same target twice; they perform operations with surgical precision, getting all the valuable data they can from the first contact, deleting traces of their work and melting into the background to await the next high-profile individual. The most recent travelling targets include top executives  from the US and Asia doing business and investing in the APAC region: CEOs, senior vice presidents, sales and marketing directors and top research and development staff have all been targeted. Who will be next? This threat actor is still active, Kaspersky Lab warns.        

How the hotel attack works

The Darkhotel actor maintains an effective intrusion set on hotel networks, providing ample access over the years, even to systems that were believed to be private and secure. It waits until the victim connects to the hotel Wi-Fi network, submitting his room number and surname at the login. The attackers see him in the compromised network and trick him into downloading and installing a backdoor that pretends to be an update for legitimate software - Google Toolbar, Adobe Flash or Windows Messenger. The unsuspecting executive downloads this hotel "welcome package", only to infect his machine with a backdoor, Darkhotel's spying software.

Once on a system, the backdoor has been, and may be used, to further download more advanced stealing tools: a digitally-signed advanced keylogger, the Trojan "Karba" and an information-stealing module. These tools collect data about the system and the anti-malware software installed on it, steals all keystrokes, and hunt for cached passwords in Firefox, Chrome and Internet Explorer. It also looks for Gmail Notifier, Twitter, Facebook, Yahoo! and Google login credentials, as well as other private information. Victims lose sensitive information - likely the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.

Commenting on Darkhotel, Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said: "For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behaviour.  This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision."

However, Darkhotel's malicious activity can be inconsistent: it is indiscriminate in its spread of malware alongside its highly targeted attacks. Read more about these specific malware delivery vectors here.

"The mix of both targeted and indiscriminate attacks  is becoming more and more common in the APT scene, where targeted attacks are used to compromise high-profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools," added Kurt Baumgartner. 

How to outsmart Darkhotel's tricks

When travelling, any network, even semi-private ones in hotels, should be viewed as potentially dangerous. The Darkhotel case illustrates an evolving attack vector: individuals who possess valuable information can easily fall victim to Darkhotel itself, as it is still active, or to something similar to a Darkhotel attack. To prevent this, Kaspersky Lab has the following tips:

  • Choose a Virtual Private Network (VPN) provider - you will get an encrypted communication channel  when accessing public or semi-public Wi-Fi;
  • When travelling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.
  • Make sure your Internet security solution includes proactive defence against new threats rather than just basic antivirus protection.
  • To read more about privacy tips, please visit http://cybersmart.kaspersky.com/privacy.

Additional information    

  • The attackers left a footprint in a string within their malicious code pointing to a Korean-speaking actor.
  • Kaspersky Lab's products detect and neutralise the malicious programs and their variants used by the Darkhotel toolkit.
  • Kaspersky Lab is currently working with relevant organisations to best mitigate the problem.
  • To read the full report on the Darkhotel APT actor, please visit Securelist .

About Kaspersky Lab 

Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at  http://www.kaspersky.com.

The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report "Worldwide Endpoint Security 2014-2018 Forecast and 2013 Vendor Shares (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013. 

Editorial contact:

Berkeley PR
Lauren White
kasperskylab@berkeleypr.co.uk
Telephone: +44(0)118-909-0909

1650 Arlington Business Park
RG7 4SA, Reading

Kaspersky Lab UK
Ruth Knowles
Ruth.Knowles@kasperskylab.co.uk
Telephone: +44(0)7590-440-433
2 Kingdom Street
W2 6BD, London