Security firm FireEye discovered a malicious document in several emails sent to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country, in early July. The document contained a macro that installs GAMEFISH malware, which is associated with a politically motivated Russian hacking group known as APT28 (or Fancy Bear). This is allegedly the same group that hacked the Democratic National Committee ahead of last year's U.S. election. After the initial malware installation the attackers used EternalBlue, an exploit for the Windows SMB file-sharing service that was reportedly developed by the U.S. National Security Agency and leaked publicly earlier this year, to spread to other machines on the hotel networks.
FireEye said those hackers, believed to be associated with the Russian military intelligence service GRU, have begun to use EternalBlue as one technique to broaden their control of hotel networks after gaining an initial foothold via phishing or other means, Wired reports. Once on a hotel's network, they use that access to harvest usernames and password hashes from guests' computers silently, without the guests ever typing them. The technique FireEye describes is NetBIOS Name Service (NBT-NS) poisoning with the open-source Responder tool: the attacker's machine answers the broadcast name lookups that Windows machines send when they try to reach a resource, the victim machine then authenticates to the attacker's host, and Responder records the username and NTLM password hash it presents. Note that what is captured is hashed credential material, which the attacker must crack or relay before it can be used.
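One way to check a hotel (or any shared) network for this kind of poisoner from your own laptop, as an added example that is not FireEye's or Wired's code: broadcast an NBT-NS name query for a random name that cannot exist on the segment. A legitimate network returns nothing; a poisoner such as Responder answers every lookup, so any positive answer is a red flag. The packet layout follows RFC 1002; the `forge_poisoned_reply` helper is a constructed stand-in for a poisoner's answer so the parser can be exercised offline, and the probe name and timeouts are assumptions.

```python
"""Probe a LAN segment for NBT-NS poisoning, the credential-harvesting
mechanism FireEye attributed to the hotel campaign. Added example, not code
from FireEye, Wired or Responder. Packet format per RFC 1002."""
import random
import socket
import string
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020           # NetBIOS general name service record
QCLASS_IN = 0x0001
FLAGS_BCAST_QUERY = 0x0110  # opcode QUERY, RD=1, B=1 (RFC 1002)


def encode_netbios_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: pad to 15 chars, append the suffix
    byte, emit each nibble as a letter A..P. Result is 34 bytes including
    the length byte and the terminating 0x00."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; strips padding and the suffix byte."""
    label = encoded[1:33]
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()


def build_query(name, txid):
    """Broadcast NB name query: 6 x u16 header, question name, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, FLAGS_BCAST_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_response(data, txid):
    """Return the IPv4 addresses a positive name response claims for our
    name; [] for anything that is not a matching, error-free answer."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or an == 0:
        return []                      # wrong txid, not a response, RCODE set, or no answer
    off = 12
    for _ in range(qd):                # some responders echo the question section
        off += 34 + 4
    ips = []
    for _ in range(an):
        if data[off] & 0xC0 == 0xC0:   # compressed pointer to an earlier name
            off += 2
        else:
            off += 34
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype != QTYPE_NB:
            continue
        for i in range(0, rdlen - 5, 6):   # entries: NB_FLAGS(2) + NB_ADDRESS(4)
            ips.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return ips


def forge_poisoned_reply(query, ip, flags=0x8500):
    """Constructed sample of a poisoner's answer (offline test data only):
    same txid, response + authoritative flags, one NB answer for our name."""
    txid = struct.unpack("!H", query[:2])[0]
    name = query[12:46]
    rr = name + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, 165, 6)
    rr += struct.pack("!H", 0x0000) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0) + rr


def random_probe_name(length=15):
    return "".join(random.choice(string.ascii_uppercase) for _ in range(length))


def probe_for_poisoner(timeout=2.0, bcast="255.255.255.255"):
    """Send one probe for a bogus name; return it and every host that answered."""
    name, txid = random_probe_name(), random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(name, txid), (bcast, NBNS_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            ips = parse_response(data, txid)
            if ips:
                hits.append((src, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits


if __name__ == "__main__":
    probe, hits = probe_for_poisoner()
    for src, ips in hits:
        print(f"POISONER? {src} answered bogus name {probe} with {ips}")
    if not hits:
        print(f"no answer for {probe}: no NBT-NS poisoner seen on this segment")
```

Run it a few times over a couple of minutes: Responder is often left running for hours, but a single silent probe proves nothing if the attacker's box was briefly offline. A host that answers the same random name twice is not a coincidence.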
“It’s definitely a new technique” for the Fancy Bear hacker group, Ben Read, who leads FireEye’s espionage research team, told Wired. “It’s a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.”
The security firm warns travelers to be aware of the threat when visiting hotels in other countries (though unsecured Wi-Fi isn't restricted to foreign hotels), and to take steps to secure their systems. Note that a Wi-Fi password does not help here: NBT-NS poisoning only needs the attacker to be on the same network segment, which a shared hotel password gives every guest. In practice the useful steps are a VPN over any shared network, a host firewall profile that blocks inbound SMB on public networks, and disabling NetBIOS over TCP/IP and LLMNR so the machine neither issues nor answers the broadcast lookups the technique relies on.
"Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible," wrote Read and Lindsay Smith in a blog post.
FireEye says it first saw evidence that Fancy Bear might be targeting hotels in the fall of last year, when the company analyzed an intrusion that had started on one corporate employee's computer. The company traced that infection to the victim's use of a hotel Wi-Fi network while traveling: 12 hours after the person had connected to that network, someone else on the same Wi-Fi network used the victim's own credentials to log into the victim's computer over the network, install malware on the machine and access the victim's Outlook data. That implies, FireEye said, that a hacker had been sitting on the same hotel's network, possibly sniffing its traffic to intercept the victim's credentials.
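The chain FireEye describes leaves a host-side trace: a network logon to the laptop, with the laptop owner's own account, from another address on the hotel segment. The following added example (not FireEye's code) shows the detection logic over constructed sample events that use the field names of Windows Security event 4624 (logon type 3 is a network logon). The account name, network addresses, timestamps and the trusted-network list are all assumptions for the illustration.

```python
"""Flag inbound network logons to a laptop with its own user's account from
untrusted peers, and report how long after the laptop joined the network they
came. Added example, not FireEye's code; events below are constructed."""
from datetime import datetime
import ipaddress

# Constructed sample of Security event 4624 records as they would appear on
# the victim's laptop (the machine being logged into). Field names match the
# real event; values are made up: a console logon, a Kerberos logon from a
# corporate address, then two NTLM network logons from a peer guest address.
SAMPLE_EVENTS = [
    {"TimeCreated": "2016-10-12T18:40:00", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "jdoe", "AuthenticationPackageName": "Negotiate",
     "IpAddress": "127.0.0.1"},
    {"TimeCreated": "2016-10-12T18:41:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "jdoe", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.1.1.5"},
    {"TimeCreated": "2016-10-13T06:40:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "jdoe", "AuthenticationPackageName": "NTLM",
     "IpAddress": "192.168.7.144"},
    {"TimeCreated": "2016-10-13T06:41:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "jdoe", "AuthenticationPackageName": "NTLM",
     "IpAddress": "192.168.7.144"},
]


def inbound_peer_logons(events, owner, connected_at, trusted_networks):
    """Return one alert per network logon (4624, type 3) that uses the
    owner's account from a non-loopback address outside trusted_networks,
    annotated with hours elapsed since the laptop joined the network."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    joined = datetime.fromisoformat(connected_at)
    alerts = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        if ev["TargetUserName"].lower() != owner.lower():
            continue
        src = ipaddress.ip_address(ev["IpAddress"])
        if src.is_loopback or any(src in net for net in trusted):
            continue
        elapsed = datetime.fromisoformat(ev["TimeCreated"]) - joined
        alerts.append({
            "time": ev["TimeCreated"],
            "src": str(src),
            "auth": ev["AuthenticationPackageName"],
            "hours_after_join": round(elapsed.total_seconds() / 3600, 1),
        })
    return alerts


def summarize(alerts):
    """Collapse alerts to (source, count, auth packages, first hours_after_join)
    so a repeat offender stands out from a single stray event."""
    by_src = {}
    for a in alerts:
        entry = by_src.setdefault(a["src"], {"count": 0, "auth": set(),
                                             "first_hours": a["hours_after_join"]})
        entry["count"] += 1
        entry["auth"].add(a["auth"])
    return {src: (e["count"], sorted(e["auth"]), e["first_hours"])
            for src, e in by_src.items()}


if __name__ == "__main__":
    found = inbound_peer_logons(SAMPLE_EVENTS, "jdoe", "2016-10-12T18:40:00",
                                ["10.1.0.0/16"])
    for src, (count, auth, hours) in summarize(found).items():
        print(f"{src}: {count} network logon(s) as owner via {auth}, "
              f"first one {hours}h after joining the network")
```

On a corporate laptop the trusted list would be the company's own ranges and VPN pool; on a hotel network there is no legitimate reason for any peer to log in to the laptop as its owner, let alone with NTLM, so even a single alert warrants treating the credentials as stolen.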
FireEye says that the hacked networks were those of moderately high-end hotels, the kind that attract presumably valuable targets. "These were not super expensive places, but also not the Holiday Inn," FireEye's Read said. "They're the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business."
But FireEye says it doesn't know whether the hackers had specific visitors in mind, or were simply casting a wide net for potential victims. "Maybe this was designed just to establish a foothold and see who shows up, or maybe they were just testing something out," Read said.
Other than the victim whose case they analyzed last year, the company's analysts couldn't confirm any individual victims whose credentials were stolen from the target hotels.