Security researchers at Kaspersky Labs announced today that for at least the past four years, a group of hacker/spies have been engaged in a campaign of widespread corporate espionage which Kaspersky calls “Darkhotel.”
It's not known exactly who or how many people are behind this, though Kaspersky says that, “The attackers left a footprint in a string within their malicious code pointing to a Korean-speaking actor.”
The hackers attack and intercept the wi-fi networks at luxury hotels of the sort where big-company CEO-types stay while on business trips, and plant malware disguised as a legitimate software update (usually Google Toolbar, Windows Messenger or Adobe Flash).
When the unwary executives allow the “update,” it plants keylogging software that allows the hackers to remotely see everything the executive later types on that device – including, potentially, the passcodes those executives use to log on to their companies' restricted corporate networks, where the super-sensitive and valuable information is kept.
In the shadows
As Kaspersky said in its initial announcement, the Darkhotel espionage campaign:
… has lurked in the shadows for at least four years while stealing sensitive data from selected corporate executives travelling abroad. “Darkhotel” hits its targets while they are staying in luxury hotels. The crew never goes after the same target twice; they perform operations with surgical precision, getting all the valuable data they can from the first contact, deleting traces of their work and melting into the background to await the next high profile individual. The most recent travelling targets include top executives from the US and Asia doing business and investing in the APAC [Asia-Pacific] region: CEOs, senior vice presidents, sales and marketing directors and top R&D staff have all been targeted. Who will be next? This threat actor is still active, Kaspersky Lab warns.
Even worse, Darkhotel's targets and the hotels whose networks were attacked might not even know about it:
These tools collect data about the system and the anti-malware software installed on it, steal all keystrokes, and hunt for cached passwords in Firefox, Chrome and Internet Explorer; Gmail Notifier, Twitter, Facebook, Yahoo! and Google login credentials; and other private information. Victims lose sensitive information - likely the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.
More valuable payoff
From a company's perspective, corporate espionage is a far worse threat than any hacker-caused loss of money or financial data — and from a thief's perspective, corporate espionage can have a far more valuable payoff.
Imagine a thief seeking to enrich himself at the Coca-Cola company's expense. Under the right circumstances he could perhaps hack into Coke's corporate bank account and take whatever money is there, or steal the credit-card numbers issued to Coke executives, buy things and charge them to Coke's corporate accounts — but if that thief wants to get seriously rich (or seriously hurt the Coca-Cola company, which is not the same thing), his best bet is to try stealing the actual secret recipe for Coke. Same thing if someone wants to get dishonestly rich off of Kentucky Fried Chicken – the real treasure isn't KFC's current cash reserves or credit lines, but Colonel Sanders' top-secret chicken recipe.
But so far, the evidence suggests that the Darkhotel spies aren't going after fast-food recipes or other consumer-based trade secrets; they appear more interested in gaining power rather than mere money. Kaspersky manager Costin Raiu said that, “Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments.”
Kaspersky's tips on “How to outsmart Darkhotel's tricks” include a reminder that “When traveling, any network, even semi-private ones in hotels, should be viewed as potentially dangerous.”
Even if you're not a wealthy executive with access to weapons-grade secrets, you still should be wary and take extra precautions when using any public wi-fi hotspot, not just those at hotels (luxurious or not).