Kremlin-backed Russian hackers may be targeting government and business travellers in Europe and the Middle East, according to intelligence company FireEye.
The security research firm has said with “moderate confidence” that the Russian actor APT28 is behind a hacking campaign directed against a number of hotels last June. APT28 has previously been linked to Russian military intelligence, and is the same group accused of hacking the US Democratic Party’s servers last year.
A spokesperson for FireEye said: “Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations.
“Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad.”
FireEye discovered the hacking campaign after uncovering a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including at least seven hotels in Europe and one in the Middle East.
Appearing on the surface as a hotel reservation form, the document contained a macro that, once enabled, installed APT28’s signature GAMEFISH malware on a hotel computer. From that foothold the attackers moved on to the machines controlling the hotel’s internal Wi-Fi networks, and from there targeted guests of interest.
According to FireEye, “the actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.”
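Of the three techniques FireEye lists, NetBIOS Name Service (NBT-NS) poisoning is the easiest one for a traveller or a hotel IT team to check for, because a poisoner has to answer name queries it has no business answering. A legitimate Windows host only replies to NBT-NS queries for its own name; a poisoning tool on the segment replies to queries for any name, so broadcasting a query for a random, non-existent name and watching for a positive answer is a reliable canary. The script below is an added example written for this article, not code from FireEye or DIGIT, and it is not tied to any specific tool the report names. It assumes you run it from a machine on the suspect Wi-Fi segment (the broadcast address, the 15-character `CANARY…` name and the `probe` helper are all this example’s own choices); the packet builder and parser are plain RFC 1001/1002 NBT-NS formats, and `build_positive_response` constructs a sample poisoner reply so the parser can be exercised offline.

```python
"""Canary NBT-NS query: detect a NetBIOS Name Service poisoner on the LAN.

Added example (not from FireEye or DIGIT). A real host only answers
NBT-NS name queries for its own name, so a POSITIVE NAME QUERY RESPONSE
for a random name that no host owns means something on the segment is
poisoning NBT-NS. Packet formats follow RFC 1001/1002.
"""
import random
import socket
import string
import struct

NBNS_PORT = 137


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001/1002 first-level encoding: pad the name to 15 bytes, append
    the suffix byte, then write each nibble as a letter 'A'..'P'. Returns
    the wire form: length byte 0x20, 32 encoded bytes, terminating zero."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"


def build_nbns_query(name: str, txid: int) -> bytes:
    """NAME QUERY REQUEST: flags 0x0110 = query, recursion desired,
    broadcast; one question of type NB (0x0020), class IN (0x0001)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack(">HH", 0x0020, 0x0001)


def parse_nbns_response(data: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses carried by a POSITIVE NAME QUERY RESPONSE
    for expected_txid; return [] for anything else (wrong txid, a request,
    a negative response with a non-zero RCODE, or a truncated packet)."""
    if len(data) < 12:
        return []
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return []
    off = 12
    # Answer name: a 2-byte compression pointer or a full encoded name
    # (length byte + 32 bytes + terminating zero).
    if data[off] & 0xC0 == 0xC0:
        off += 2
    else:
        off += 1 + data[off] + 1
    if len(data) < off + 10:
        return []
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != 0x0020 or rclass != 0x0001 or len(data) < off + rdlen:
        return []
    ips = []
    for i in range(0, rdlen - rdlen % 6, 6):  # each entry: NB_FLAGS(2) + IP(4)
        ips.append(socket.inet_ntoa(data[off + i + 2:off + i + 6]))
    return ips


def build_positive_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed sample of what a poisoner sends back (flags 0x8500 =
    response, authoritative, recursion desired); used to test the parser."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = encode_netbios_name(name) + struct.pack(">HHIH", 0x0020, 0x0001, 300000, 6)
    return header + rr + b"\x00\x00" + socket.inet_aton(ip)


def canary_name() -> str:
    """Random 15-character name that no real host on the segment will own."""
    return "CANARY" + "".join(random.choices(string.ascii_uppercase + string.digits, k=9))


def probe(broadcast: str = "255.255.255.255", timeout: float = 2.0) -> list:
    """Broadcast one canary query and collect every positive answer as
    (responder_ip, claimed_ips). A non-empty result is an alert: something
    answered for a name that does not exist."""
    txid = random.randint(1, 0xFFFF)
    name = canary_name()
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_nbns_query(name, txid), (broadcast, NBNS_PORT))
        try:
            while True:
                data, (src, _port) = s.recvfrom(1024)
                ips = parse_nbns_response(data, txid)
                if ips:
                    hits.append((src, ips))
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    for src, ips in probe():
        print(f"ALERT: {src} answered an NBT-NS query for a non-existent name with {ips}")
```

Run it from a laptop on the hotel network a few times; any answer at all is worth investigating, and the answering address is usually the poisoner itself. The check only covers the broadcast domain the laptop sits in, and it says nothing about the other two techniques in FireEye’s list, so treat a clean result as “no NBT-NS poisoner right now”, not as a clean network.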
EternalBlue is generally believed to have been developed by the National Security Agency (NSA). It was used as part of the worldwide WannaCry ransomware attack in May earlier this year, and again during the NotPetya cyberattack in June.
FireEye’s report adds: “Travellers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.”
DIGIT spoke to Wi-Fi management firm BLACKBX about the measures you can take to ensure that your data is protected whilst abroad.
“Firstly, avoid working with sensitive data such as online banking and keep your antivirus software up-to-date,” BLACKBX founder Patrick Clover said. “You should also turn on two-factor authentication for accessing emails and other places where sensitive data might be.
“Whether you’re using a Windows PC, a Mac, tablet or phone, turn off file sharing and AirDrop options. Also, turn on your system’s in-built firewall and invest in a VPN (Virtual Private Network) service.
“While businesses, and their employees, are vulnerable to scams like spear phishing, they should do their best to provide a secure network. Features like data encryption; content filtering, which prevents users from accessing dangerous sites that leave the network vulnerable; and bandwidth limits, which help identify users who are using too much bandwidth, usually indicating they are downloading torrents, which can bring risks to the network, are the minimum businesses should provide.”