DarkHotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests
By Kim Zetter, 11.10.14, 11:06 AM

The hotel guest probably never knew what hit him. When he tried to get online using his five-star hotel's WiFi network, he got a pop-up alerting him to a new Adobe software update. When he clicked to accept the download, he got a malicious executable instead.

What he didn't know was that the sophisticated attackers who targeted him had been lurking on the hotel's network for days waiting for him to check in. They uploaded their malware to the hotel's server days before his arrival, then deleted it from the hotel network days after he left.

That's the conclusion reached by researchers at Kaspersky Lab and the third-party company that manages the WiFi network of the unidentified hotel where the guest stayed, located somewhere in Asia.

Kaspersky says the attackers have been active for at least seven years, conducting surgical strikes against targeted guests at other luxury hotels in Asia as well as infecting victims via spear-phishing attacks and P2P networks.

Kaspersky researchers named the group DarkHotel, but they're also known as Tapaoux by other security firms that have been separately tracking their spear-phishing and P2P attacks. The attackers have been active since at least 2007, using a combination of highly sophisticated methods and pedestrian techniques to ensnare victims, but the hotel hacks appear to be a new and daring development in a campaign aimed at high-value targets.

"Every day this is getting bigger and bigger," says Costin Raiu, manager of Kaspersky's Global Research and Analysis Team. "They're doing more and more hotels." The majority of the hotels that are hit are in Asia, but some are in the U.S. as well. Kaspersky will not name the hotels but says they've been uncooperative in assisting with the investigation.

This Is NSA-Level Infection Mechanism

The attackers' methods include the use of zero-day exploits to target executives in spear-phishing attacks as well as a kernel-mode keystroke logger to siphon data from victim machines. They also managed to crack weak digital signing keys to generate certificates for signing their malware, in order to make malicious files appear to be legitimate software.

"Obviously, we're not dealing with an average actor," says Raiu. "This is a top-class threat actor. Their ability to do the kernel-mode key logger is rare, the reverse engineering of the certificate, the leveraging of zero days; that puts them in a special category."

Targets in the spear-phishing attacks include high-profile executives, among them a media executive from Asia, as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. "All nuclear nations in Asia," Raiu notes. "Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments. Recently there has been a spike in the attacks against the U.S. defense industry."

The attackers seem to take a two-pronged approach, using the P2P campaign to infect as many victims as possible and then the spear-phishing and hotel attacks for surgically targeted attacks. In the P2P attacks thousands of victims are infected with botnet malware during the initial stage, but if the victim turns out to be interesting, the attackers go a step further to place a backdoor on the system to exfiltrate documents and data.

Until recently, the attackers had about 200 command-and-control servers set up to manage the operation. Kaspersky managed to sinkhole 26 of the command server domains and even gained access to some of the servers, where they found unprotected logs identifying thousands of infected systems. A lot of the machines in the attackers' logs, however, turned out to be sandboxes set up by researchers to ensnare and study botnets, showing how indiscriminate the attackers were in their P2P campaign. The attackers shut down much of their command infrastructure in October, however, presumably after becoming aware that the Kaspersky researchers were tracking them.

"As far as I can see there was an emergency shut down," Raiu says. "I think there is a lot of panic over this."

Signs Point to South Korea

That panic may be because the campaign shows signs of possibly emanating from an important U.S. ally: South Korea. Researchers point out that one variant of malware the attackers used was designed to shut down if it found itself on a machine whose codepage was set to Korean. The key logger the attackers used also has Korean characters inside and appears to have ties to a coder in South Korea.

The sophisticated nature of the key logger as well as the attack on the RSA keys indicates that DarkHotel is likely a nation-state campaign, or at least a nation-state supported campaign. If true, this would make the attack against the U.S. defense industry awkward, to say the least.

Raiu says the key logger, a kernel-mode logger, is the best written and most sophisticated logger he's seen in his years as a security researcher. Kernel-mode malware is rare and difficult to pull off. Operating at the core of the machine, rather than at the user level where most software applications run, allows the malware to better bypass antivirus scanners and other detection systems. But kernel-mode malware requires a skillful touch since it can easily crash a system if not well-designed.

"You have to be very skilled in kernel-level development and this is already quite a rare skillset," says Vitaly Kamluk, principal security researcher at Kaspersky Lab. "Then you have to make it very stable. It must be very stable and very well tested."

"There's no logical reason to use a kernel-level keylogger," says Raiu, since it's so easy to write key loggers that hook the Windows API using about four lines of code. "But these guys prefer to do a kernel-level keylogger, which is about 300 kilobytes in size, the driver for the key logger, which is pretty crazy and very unusual. So the guy who did it is super confident in his coding skills. He knows that his code is top-notch."

The logger, which was created in 2007, appears to have been written by someone who goes by the name Chpie, a name that appears in source code for the logger. Chpie is the name used by a South Korean coder who is known to have created another kernel-level key logger that Raiu says appears to be an earlier version of this one. The key logger in the DarkHotel attack uses some of the same source code but is more sophisticated, as if it's an upgraded version of the earlier keylogger.

Aside from the sophisticated key logger, the attackers' use of digital certificates to sign their malware also points to a nation-state or nation-state supported actor. The attackers found that a certificate authority belonging to the Malaysian government as well as Deutsche Telekom were using weak 512-bit signing keys. The small key size allowed the attackers, with a little super-computing power, to factor the 512-bit RSA keys (essentially re-engineer them) to generate their own digital certificates to sign their malware.

"You very rarely, if ever, see such techniques used by APT (advanced persistent threat) groups," Raiu says. "Nobody else as far as we know has managed to do something similar, despite the fact that these certificates existed for some time. This is [an] NSA-level infection mechanism."

These sophisticated elements of the attack are important, but the most intriguing part of the DarkHotel campaign is the hotel operation.

Unravelling the Mystery of DarkHotel

The Kaspersky researchers first became aware of the hotel attacks last January when they got reports through their automated system about a cluster of customer infections. They traced the infections to the networks of a couple of hotels in Asia. Kamluk traveled to the hotels to see if he could determine how guests were being infected, but nothing happened to his machine. The hotels proved to be of no help when Kamluk told them what was happening to guests. But during his stay, he noticed that both hotels used the same third-party firm to manage their guest WiFi.

Some hotels own and operate their network infrastructure; others use a managed services firm. The company managing the WiFi network of the two hotels Kamluk visited wishes to remain anonymous, but it was an unusually willing partner in getting to the bottom of the attacks. It acted quickly to provide Kaspersky with server images and logs to track down the attackers.

Although the attackers left very few traces, "there were certain command lines which should not have been there in the hotel system," a senior executive with the managed-services company says.

In one case, the researchers found a reference to a malicious Windows executable in the directory of a Unix server. The file itself was long gone, but a reference pointing to its former existence remained. "[T]here was a file-deletion record and a timestamp of when it happened," says Kamluk. Judging from traces left behind, the attackers had operated outside normal business hours to place their malware on the hotel system and infect guests.

"They started early in the morning before the hotel staff would arrive to the office and then after they leave the office they were also distributing the malware then," says the senior executive. "This is not just something that happened yesterday. These are people who have been taking their time. They've been trying to access networks over the last years."

It's unclear how many other hotels they've attacked, but it appears the hackers cherry-pick their targets, only hitting hotels where they know their victims will be staying.

When victims attempt to connect to the WiFi network, they get a pop-up alert telling them their Adobe Flash player needs an update and offering them a file, digitally signed to make it look authentic, to download. If the victims accept the download, they get a Trojan delivered instead. Crucially, the alerts pop up before guests actually get onto the WiFi network, so even if they abandon their plan to get online, they are infected the moment they hit accept.

The malware doesn't then immediately go to work. Instead it sits quietly for six months before waking up and calling home to a command-and-control server. Raiu says this is likely meant to circumvent the watchful eyes of IT departments who would be on the lookout for suspicious behavior immediately after an executive returned from a trip to Asia.

At some of the hotels, only a few victims appear to have been targeted. But on other systems, it appears the attackers targeted a delegation of visitors; in that instance, evidence shows they tried to hit every device attempting to get online during a specific period of time.

"Seems like some event occurred or maybe some delegation visited the hotel and stayed there for a few days and they tried to hit as many members of the delegation as possible," Raiu says. He thinks the victims were ones the attackers couldn't reach through ordinary spear-phishing attacks, perhaps because their work networks were carefully protected.

Kaspersky still doesn't know how the attackers get onto the hotel servers. They don't live on the servers the way criminal hackers do, that is, maintain backdoor access to the servers to gain re-entry over an extended period of time. The DarkHotel attackers come in, do their deed, then erase all evidence and leave. But in the logs, the researchers found no backdoors on the systems, so either the attackers never used them or successfully erased any evidence of them. Or they had an insider who helped them pull off the attacks.

The researchers don't know exactly who the attackers were targeting in the identified hotel attacks. Guests logging onto WiFi often have to enter their last name and room number in the WiFi login page, but neither Kaspersky nor the company that maintained the WiFi network had access to the guest information. Reports that come into Kaspersky's automated reporting system from customers are anonymous, so Kaspersky is seldom able to identify a victim beyond an IP address.

The number of hotels that have been hit is also unknown. So far the researchers have found fewer than a dozen hotels with infection indicators. "Maybe there are some hotels that used to be infected and we just cannot learn about that because there are no traces," the network-management executive says.

The company worked with Kaspersky to scour all of the hotel servers it manages for any traces of malware and is fairly confident that the malware doesn't sit on any hotel server today. But that is just one network-management company. Presumably, the DarkHotel operation is still active on other networks.

Safeguarding against such an attack can be difficult for hotel guests. The best defense is to double check update alerts that pop up on your computer during a stay in a hotel. Go to the software vendor's site directly to see if an update has been posted and download it directly from there. Though, of course, this won't help if the attackers are able to redirect your machine to a malicious download site.

Comments

Howard Treesong (a day ago):
"Hi, I'm a process on a server you don't know. Can I install some files on your computer?"
No. The answer is no. Never.
I find all stories about problems with computers and malware a bit odd, seeing as how at some level the user has to cooperate. This user does not cooperate. This user trusts no one, for any reason, ever.
I don't know what strangled-by-his-own-umbilical-cord idiot came up with the idea of 'trusted certificates'. What is going to be the first vector for any attack? That which the user ostensibly [has to] trust[s]. Do these characters have no idea what words mean? It's all a meme now, it no longer matters?
Who can you truly trust in life? Very few people. Who can you trust online? Absolutely nobody. Is this something people are really too dumb to learn or will the lesson sink in at some point?

RationalCenter, replying to Howard Treesong (a day ago):
The point of the article is that the site was able to successfully masquerade as a trustworthy site. This is not an example of clueless users, it's an example of a very sophisticated attack that would work on the vast majority of computer users, even many experienced ones.
Our entire technology ecosystem is predicated on constant updates - Windows, Adobe, even Kaspersky need updates on an almost daily basis, many just for security reasons. You can't tell people that they have to keep their computers updated to be safe, and then call them stupid for installing an update that by all appearances is from a trusted source. That's a system issue, not a user issue.

Howard Treesong, replying to RationalCenter (9 hours ago):
"masquerade as a trustworthy site".
Hello? *knock knock* is there anyone alive in there?
There are -no- trustworthy sites. Such a thing does not exist on this planet. Read the words. 'trusted sites'. There are sites the traffic of which you begrudgingly have to accept. That does not mean I trust them. That is never what it means. I do not trust them, I have not trusted them before and I will never trust them hereafter. The concept of 'trust' is something entirely different than the need to accept traffic from the site. Entire national security departments are filled with people chuckling at the notion of users 'trusting' sites.
Seriously, do people no longer care about what words mean?

Unlo4, replying to Howard Treesong (3 hours ago):
You keep using that word. I don't think it means what you think it means (in an IT context).

Sergio Ortiz, replying to Howard Treesong (a day ago):
So you're saying you don't download updates for your operating system then? Or for your antivirus? Because if you do, then you're trusting someone somewhere online.

Howard Treesong, replying to Sergio Ortiz (9 hours ago):
No. I -have to- accept traffic from certain sites, always grudgingly, I trust them -absolutely never-.
Has anyone ever taken the time to explain to you what trust means? Because I have the uneasy feeling you're substituting it for something I call gullibility. The two are not equivalent.

Andy H, replying to Howard Treesong (21 hours ago):
"Is this something people are really too dumb to learn or will the lesson sink in at some point?"
I think we both know the unfortunate answer to that question. Some users just shut off their brains when it's anything computer related and others refuse to take even basic precautions because it's just too inconvenient. Somehow they don't understand that "it shouldn't work that way", "it should know what I want/mean" and "they shouldn't be able to do that" are fine sentiments but utterly meaningless in the real world.

moleculethecat, replying to Howard Treesong (a day ago):
Well said. I NEVER download and install software from a server I don't know and/or trust.

Unlo4, replying to moleculethecat (3 hours ago):
Hacking DNS and an RSA cert means that your browser can be pointed to "https://www.wired.com" and the SSL icon is green/encrypted, and there is absolutely NO end-user indication that you aren't exactly where you think you are. It's impossible for the end user to know they aren't on the legit site.

Justicer23 (21 hours ago):
Hmmmm... Rats at night,.....Ghosts at daylight!!! Insider Job? Negative... -> Many Hotels!...Outsider? With the ability to deep intrusion every night and purging their bread crumbs till morning!!!... -> NotSuchAgency skills!!!

YaPiDo (19 hours ago):
"The best defense" is to insist on a Microsoft product that stops stuff like this. Instead they keep messing with the GUI and the Start Button.

JaitcH, replying to YaPiDo (14 hours ago):
The best defence is NOT to use Windows or Mac. There are many other decent OSes to use in high-risk areas.

thauber, replying to JaitcH (4 hours ago):
True, but the article only mentioned Windows. I am curious whether they created a kernel level trojan for the Mac.

bogorad (a day ago):
Kaspersky! Stopped reading right there. These pitiful fear-mongers will say anything to cheat you out of your money.

slave138, replying to bogorad (a day ago):
Maybe next time you should try reading a little more then. If you had, you might have realized that your whine makes no sense at all in the context of this article.
If they were trying to scare people out of their money, why would they admit they don't know who exactly is doing it, where (other than a few examples they could find) it has been done, or how to stop it from happening again?
Their software obviously wasn't stopping it because they received the reports of suspicious activity from users who were already infected.

bogorad, replying to slave138 (a day ago):
Oh, this one's easy - they just want to keep paranoia in people's minds as strong as possible. I knew a guy from Elya-Shim (google it!) who told me that most viruses were written by them. Big surprise it goes on.

slave138, replying to bogorad (21 hours ago):
I know a guy from McAfee who told me most viruses were written by Norton. I know a guy from Norton who told me most viruses were written by Memco. I know a guy from Memco who told me that Elyashim wrote most of the viruses but blames Kaspersky for doing it. I know a guy from Kaspersky who doesn't say much of anything because he's always drunk.
Similar rumors have been going around the antivirus industry for just about as long as the industry has been around. None of which has ever been proven. They always have the earmarks common to urban legends and chain email B.S.
Don't you think if Elyashim (or any other AV company) had proof that one of their competitors was writing viruses to drum up business, they would expose them properly rather than starting a friend-of-a-friend whisper campaign?

Unlo4, replying to bogorad (3 hours ago):
So... this is all a big lie?

Rick Fictus (a day ago):
Users should not have permission to update software, period. If you want to do any updates, you should have to log out, log in as an administrator, and do it there. Yes, I'm aware of how sudo works, but complete separation of the accounts, with lockdown of the administrator account as far as install vectors, is the only way to go.

FistOfReason, replying to Rick Fictus (a day ago):
Interesting how that's how OSX is configured by default. Plus, even if the user has permissions, the file must be set to executable before it can run. Yay POSIX!

slave138, replying to FistOfReason (21 hours ago):
Interesting that OSX (with default configurations) still manages to be compromised each year at the Pwn2Own competition.

FistOfReason, replying to slave138 (6 hours ago):
It takes a team of attackers to compromise OSX, yet Windows can be compromised by any third rate script kiddie.

slave138, replying to FistOfReason (3 hours ago):
Even third-rate script kiddies know that there's nothing worth stealing from an OSX machine. Crappy indie films and emo hipster poetry just isn't worth a scripted attack. Also, this article is about a "team of hackers".
Funny that as soon as there's something worth grabbing (celeb photos), the iCloud was compromised pretty quickly by 3rd rate script kiddies. It should also be noted that Apple put out a warning today about the exact same kind of vulnerability described here affecting iOS devices - You know, their only product with widespread usage?

FistOfReason, replying to slave138 (3 hours ago):
HAHA!! You kids crack me up, no wonder nobody takes you seriously. Actually iCloud was penetrated with a device meant for law enforcement, but I'm sure you know that since you have such extensive experience. Plus, Mac users tend to have higher incomes; thus proving to be very tempting targets. But keep believing what your MCSE tells you.

slave138, replying to FistOfReason (an hour ago):
To quote your earlier post: Wrong.
iCloud was hacked by people on 4chan using phishing and brute force methods to obtain account passwords. It had nothing to do with the law enforcement devices.
Where do you dream up your extensive levels of complete B.S.?
As for incomes and OS usage: It's one of those misleading statistics that get passed around like it means something significant. Yes, OSX users tend to have higher incomes than the average Windows user, but there are a lot more wealthy people using Windows than OSX.
OSX is used by less than 10% of the consumer market. Assuming Windows is limited to only 60% of the market, that still means there are likely a lot more wealthy users on Windows than OSX. This is also not surprising since OSX systems tend to cost significantly more than Windows systems. It only goes to figure that their userbase will have more wealthy users.
As for iOS: it did manage to capture a significant userbase with a higher average income. Which is precisely why it is being successfully targeted.

FistOfReason, replying to slave138 (an hour ago):
Wrong, completely. You must enjoy being abused! No, iCloud was hacked by this: http://www.wired.com/2014/09/e...
Without the device the hack wouldn't work. "none of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone." Plus you seem to forget DropBox accounts were hacked too.
Wealthy people don't use $200 Acers. I work for a Mercedes & BMW dealer, just about all of our customers come in here with Macbooks.
Sorry kiddo you're wrong, quit while you're behind. As for market share, didn't GM have 90% of the car market for the world? Then Toyota came in at 10%. Then 15%. The biggest sector for Mac's growth? The enterprise! w00t!
Having said that, OSX should be targeted more because people want to rob the house on the hill, not the crackhouse next to the tracks. (Windows=house on the tracks, OSX=house on the hill, for clarification).
As for iOS being "successfully" targeted, you call this successful? http://www.businessinsider.com...
How long was Wirelurker a threat? A week? In China?
Don't be butthurt by Apple's superiority, just accept it and move on with life.

FistOfReason (a day ago):
Figures, this awesome malware runs on... WINDOWS! What a surprise! Sometimes I click on something I know is hostile and Safari downloads an EXE file. What an absolute joke!

Sergio Ortiz, replying to FistOfReason (a day ago):
What figures is that this malware runs on the most popular operating system BY FAR, regardless of who makes it.

FistOfReason, replying to Sergio Ortiz (21 hours ago):
Wrong.

slave138, replying to FistOfReason (21 hours ago):
What part is wrong?:
- The malware doesn't run?
- The malware runs but not on the most popular operating system?
- The malware runs on the most popular OS, but it is not most popular "BY FAR"?
- etc...
Vague fail is vague.

FistOfReason, replying to slave138 (6 hours ago):
Everything. Literally everything you say is wrong. Here's some friendly advice, do the opposite of what you're thinking. It worked for George Costanza.

slave138, replying to FistOfReason (3 hours ago):
I suppose that's the kind of response I should expect from someone who is obviously delusional. I'll let you get back to failing in the super special way you do it.

FistOfReason, replying to slave138 (2 hours ago):
Wow! quite a comeback! Discussing anything with you people is like arguing with a drunk.
"No! I'm find to drive! You're wrong about OSX! Its crap! Droid's has a butt butt that won't quit..." *THUD*

slave138, replying to FistOfReason (an hour ago):
"Discussing anything with you people is like arguing when you're drunk"
There, I fixed it for you.

FistOfReason, replying to slave138 (14 minutes ago):
I'm the rubber you're the glue?

Sergio Ortiz, replying to FistOfReason (21 hours ago):
wow, you should try out for your high school debate team

FistOfReason, replying to Sergio Ortiz (6 hours ago):
I got kicked off my high school debate team.

slave138, replying to FistOfReason (3 hours ago):
Traded you for a ringer from Special Ed, huh?

FistOfReason, replying to slave138 (3 hours ago):
No, streaking.

Andy H, replying to FistOfReason (21 hours ago):
Yeah... You might want to curb that habit of clicking on known infected links for giggles... http://www.businessspectator.c...

FistOfReason, replying to Andy H (6 hours ago):
That's iOS not OSX and the WireLurker threat has been taken care of. Once again Apple fixed a problem instead of just letting users deal with it a la Microsoft.

thauber, replying to FistOfReason (4 hours ago):
And it could only be done thru a USB (hardwire) connection. So obviously unless you connect your iOS device to strange machines you were okay.

FistOfReason, replying to thauber (4 hours ago):
I had a similar philosophy in college. Well, it was more of a guideline. And it didn't involve USB. Or Macs.

Andy H, replying to FistOfReason (4 hours ago):
What part of "allows hackers to infiltrate iOS devices through an infected Mac" makes you think it isn't a Mac that's infected?

FistOfReason, replying to Andy H (4 hours ago):
The fact that it's already been fixed and is no longer an issue. Maybe you should find a vulnerability from five or six years ago to help prove your point.

thauber, replying to FistOfReason (4 hours ago):
I would be careful about that. One of these days that executable you download will work on your Mac. It is only a matter of time before those script kiddies spend the time to write some malware for the Mac.

FistOfReason, replying to thauber (4 hours ago):
Correct, a few times I downloaded a package file, but it doesn't execute automatically like it normally does in IE. That's the problem with Windows, one false click and you're infected.

Ryan Egan (39 minutes ago):
It is a best practice to not install something you don't recognize, but these professionals are good at spoofing you into thinking the update is legit. Just be careful while you're in luxury hotels... Or just go to Motel 6 and you're safe ;) http://techsmash.net/be-carefu...

JC (6 hours ago):
So they only attack Windows OS? And if the user clicks "no" on the update, is it game over for the hackers' intentions? That seems too simple.

Sarah M (13 hours ago):
"Raiu says the key logger, a kernel-mode logger, is the best written and most sophisticated logger he's seen in his years as a security researcher. Kernel-mode malware is rare and difficult to pull off."
I don't know anything about this keylogger or modern keyloggers/malware, however there have been kernel-level keyloggers dating back as far as 2005. Back then kernel-level malware was often called a rootkit. Even Sony had one.
http://en.wikipedia.org/wiki/K...
https://www.schneier.com/blog/...
The article says this one first appeared in 2007, 2 years after the 1st one appeared, but appears to be upgraded, e.g. it has seen active development. Even if I assume, for the sake of argument, that getting caught 2 years later equals 2 years worse it still appears to be only 2 years behind the 1st in the world. It obviously isn't unique and sophisticated in the Stuxnet kind of way. I have no idea what sophistication level is needed to pull that off - but it is easily plausible that this does in fact represent a world class component.