FireEye has recently uncovered the spread of a campaign, attributed with moderate confidence to APT28, that is actively targeting the hospitality sector. The company uncovered a malicious document that was used to target multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country.
APT28 is using techniques such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the ETERNALBLUE exploit for a vulnerability in Microsoft’s Windows operating systems. Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations.
While the ultimate purpose of this targeting is unknown, there are indications that APT28 is seeking to compromise government and business travelers by leveraging remote access to guest Wi-Fi networks at hotels. Personnel who are traveling, especially in a foreign country, must often rely on less secure systems to conduct business than they would at their home office, or may be unfamiliar with the additional threats posed while abroad.
Stealing these credentials can be done remotely, or via an attacker machine in physical proximity and on the same Wi-Fi network. The stolen credentials could then be used to compromise the victim, either by remotely logging into the victim’s computer and deploying malware or by logging into the victim’s Outlook Web Access (OWA) account. This tactic exploits single-factor user authentication and requires no victim interaction.
“The last thing holiday makers want to think about on their vacation is falling victim to a cyber-attack, but unfortunately our analysis shows that they are being targeted. The hospitality industry may not be one that immediately comes to mind when talking about cyber security attacks, but this just goes to show that all businesses need to have effective defenses in place. This is especially true in regions like the GCC where tourism is an important part of the economy,” said Mohammed Abukhater, Regional Director, Middle East and Africa, FireEye.