“I know that at least one of the victims was particularly staying in a hotel because she attended a conference event in that particular city.”
Having acquired access to server logs on machines once used by the Darkhotel actors, and having sent researchers to the various hotels, Kaspersky determined the attacks date back to at least 2009. Most victims were based in Japan, Taiwan, China, Russia, Korea and Hong Kong.
They weren’t just using hotels to spread their malware, which included an advanced keylogger. They also seeded malicious files on peer-to-peer networks such as BitTorrent – in one case a file containing “an anime sex/military comic scene, exposing the likely interests of potential targets” – and sent out emails with malicious attachments. Using the latter technique, the attackers targeted defence firms, governments and NGOs, with lures on topics including nuclear energy and weaponry capabilities.
‘A sophisticated and highly skilled attack’
Their attacks used zero-day vulnerabilities – flaws unknown to the vendor, and therefore unpatched at the time they were exploited – in widely deployed software such as Internet Explorer and Adobe Flash.
They also signed their malware with apparently legitimate code-signing certificates. Such certificates are meant to prove who produced an application, and systems that trust signed code will run it with fewer warnings or blocks, so a malicious file carrying a trusted signature gets past defences that would stop an unsigned one. The attackers appear to have duplicated legitimate certificates for this purpose, and in one case a certificate appeared to have been stolen from a Certificate Authority (CA).
Both the zero-days and the certificates indicated a high level of skill amongst the Darkhotel hackers, according to Kaspersky.
Onlookers have been surprised by the targeted nature of the Wi-Fi attacks. “This type of targeted attack is uncommon. The steps taken to infect the machines and factors that have to be in place for it to work make it a very specialist type of infection,” said Mark James, security specialist at anti-virus firm ESET.
Richard Cassidy, senior solutions architect at Alert Logic, added: “We are seeing a very sophisticated attack on the target networks by this cell, who have put a great deal of thought into what information they want, who they are targeting and how to write malware that provides the best chance of getting what they’re after.”
Anyone concerned about such attacks has been advised to use a Virtual Private Network (VPN) tool, which encrypts traffic between the device and the VPN provider so that whoever controls the hotel network cannot read or tamper with it in transit. A VPN only protects traffic once the tunnel is established, however, and it does nothing against a malicious email attachment or a download the user chooses to run.