Russia's 'Fancy Bear' hackers target hotel guests

A recent hack at a New York Marriott hotel serves as a wake-up call for hotel security teams.
FireEye warns travelers to be aware of the threat when visiting hotels in other countries, and to take steps to secure their systems.

Networking security website FireEye discovered a malicious document in several emails sent to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country, in early July. The document contained a macro that installs GAMEFISH malware, which is associated with a politically motivated Russian hacking group known as APT28 (or Fancy Bear). This is allegedly the same group that hacked the Democratic National Committee ahead of last year's U.S. election. The tool used after the initial malware installation, EternalBlue, reportedly was leaked from the U.S. National Security Agency itself.

FireEye said those hackers, believed to be associated with the Russian military intelligence service GRU, have begun to use EternalBlue as one technique to broaden their control of hotel networks after gaining an initial foothold via phishing or other techniques, reports Wired. Once those hackers take control of hotels' Wi-Fi, they’re using that access to harvest victim computers’ usernames and passwords silently, with a trick that doesn’t even require users to actively type them when signed onto the hotel network.

“It’s definitely a new technique" for the Fancy Bear hacker group, Ben Read, who leads FireEye’s espionage research team, told Wired. “It’s a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.”

Virtual Event

HOTEL OPTIMIZATION PART 2 | Now Available On-Demand

Survival in these times is highly dependent on a hotel's ability to quickly adapt and pivot their business to meet the current needs of travelers and the surrounding community. Join us for Optimization Part 2 – a FREE virtual event – as we bring together top players in the industry to discuss alternative uses when occupancy is down, ways to boost F&B revenue, how to help your staff adjust to new challenges and more, in a series of panels focused on how you can regain profitability during this crisis.


The security group warns travelers to be aware of the threat when visiting hotels in other countries (though unsecured WiFi isn't restricted to foreign hotels), and to take steps to secure their systems.

"Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible," wrote Read and Lindsay Smith in a blog post.

FireEye says it first saw evidence that Fancy Bear might be targeting hotels in the fall of last year, when the company analyzed an intrusion that had started on one corporate employee's computer. The company traced that infection to the victim's use of a hotel Wi-Fi network while traveling; 12 hours after the person had connected to that network, someone connected to the same Wi-Fi network had used the victim's own credentials to log into the victim's computer, install malware on the machine and access the victim's Outlook data. That implies, FireEye said, that a hacker had been sitting on the same hotel's network, possibly sniffing its data to intercept the victim's credentials.

FireEye says that the hacked networks were those of moderately high-end hotels, the kind that attract presumably valuable targets. "These were not super expensive places, but also not the Holiday Inn," FireEye's Read said. "They're the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business."

But FireEye says it doesn't know whether the hackers had specific visitors in mind, or were simply casting a wide net for potential victims. "Maybe this was designed just to establish a foothold and see who shows up, or maybe they were just testing something out," Read said.

Other than the victim whose case they analyzed last year, the company's analysts couldn't confirm any individual victims whose credentials were stolen from the target hotels.

Suggested Articles

From services to small products in the bathroom, these guest amenities will become guest expectations in the near future.

With demand for contactless experiences on the rise and new programs coming online, property-management systems are evolving.

During the “Best Practices in Cleaning” panel, insiders shared how hoteliers can keep guests and employees safe.