Since as early as last fall, the Russian hacking group known as APT28, or Fancy Bear, has targeted victims via their connections to hacked hotel Wi-Fi networks, according to a new report from security firm FireEye, which has closely tracked the group’s intrusions, including its breach of the Democratic National Committee ahead of last year’s election. Last month, FireEye says, those hackers, believed to be associated with the Russian military intelligence service GRU, began using EternalBlue, the leaked NSA hacking tool, as one technique to broaden their control of hotel networks after gaining an initial foothold via phishing or other means. Disturbingly, once the group takes control of a hotel’s Wi-Fi, it uses that access to harvest usernames and passwords from victims’ computers silently, with a trick that doesn’t even require users to actively type them while signed onto the hotel network.
Over the past few years, hotel Wi-Fi has emerged as a frequent vehicle for advanced Russian hacking groups to target people of interest who happen to be connected. FireEye learned of a series of similar Wi-Fi attacks at hotels across seven European capitals and one Middle Eastern capital. In each case, hackers had first breached the target hotel’s network—FireEye believes via the common tactic of phishing emails carrying infected attachments that included malicious Microsoft Word macros. They then used that access to launch the NSA hacking tool EternalBlue, leaked earlier this year in a collection of NSA internal data by hackers known as the ShadowBrokers, which allowed them to quickly spread their control through the hotels’ networks via a vulnerability in Microsoft’s so-called “server message block” protocol, until they reached the servers managing the corporate and guest Wi-Fi networks.
FireEye says it has “moderate confidence” in its conclusion that Fancy Bear conducted both the 2016 hotel attack and the more recent spate. It bases that assessment on the use of two pieces of Fancy Bear-associated malware, known as GameFish and XTunnel, planted on hotel and victim computers. The company also points to clues in the command and control infrastructure of that malware and information about the victims of the Russian hacking, which it’s not making public.
In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. Those 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on it, spread laterally through the victim’s network, and accessed the victim’s Outlook Web Access (OWA) account. The login originated from a computer on the same subnet, indicating that the attacker’s machine was physically close to the victim and on the same Wi-Fi network.
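The same-subnet login is the one concrete indicator the report gives for the 2016 case, and it is something a defender can hunt for: a network logon to an endpoint whose source address sits in the guest Wi-Fi subnet the endpoint itself recently joined. The script below is an added example, not code from FireEye or the report; the log format, the `HotelGuest` SSID and the 24-hour window are constructed assumptions, as are the sample events.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not from the report). Each line:
# <ISO timestamp> <host> <event> key=value ...
SAMPLE_LOG = """\
2016-10-01T20:05:00 LAPTOP1 wifi_assoc ssid=HotelGuest ip=10.40.12.77/24
2016-10-02T08:10:00 LAPTOP1 logon type=network src=10.40.12.131 user=jdoe
2016-10-02T09:30:00 LAPTOP1 logon type=network src=172.16.5.9 user=jdoe
2016-10-03T11:00:00 LAPTOP2 wifi_assoc ssid=CorpWiFi ip=192.168.50.20/24
2016-10-03T12:00:00 LAPTOP2 logon type=network src=192.168.50.21 user=asmith
"""

# Assumed correlation window; the reported case used the credentials ~12 hours later.
WINDOW = timedelta(hours=24)


def parse(line):
    """Split one log line into (timestamp, host, event, fields dict)."""
    ts, host, event, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), host, event, fields


def find_same_subnet_logons(log_text, guest_ssids=("HotelGuest",), window=WINDOW):
    """Return (host, user, src, ssid) for network logons whose source address
    lies in the guest Wi-Fi subnet the host joined within `window`."""
    current_net = {}  # host -> (joined_at, ssid, network the host is on)
    hits = []
    for line in log_text.splitlines():
        ts, host, event, f = parse(line)
        if event == "wifi_assoc":
            # Remember which subnet this host landed on and under which SSID.
            net = ipaddress.ip_interface(f["ip"]).network
            current_net[host] = (ts, f["ssid"], net)
        elif event == "logon" and f.get("type") == "network" and host in current_net:
            joined_at, ssid, net = current_net[host]
            src = ipaddress.ip_address(f["src"])
            # Flag only untrusted SSIDs, same-subnet sources, and a recent association.
            if ssid in guest_ssids and src in net and ts - joined_at <= window:
                hits.append((host, f["user"], str(src), ssid))
    return hits


if __name__ == "__main__":
    for hit in find_same_subnet_logons(SAMPLE_LOG):
        print("suspicious same-subnet logon:", hit)
```

Only LAPTOP1's first logon is flagged: the second comes from a different network, and LAPTOP2 is on a corporate SSID that is not in the untrusted list.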
The attack observed in July used a modified version of EternalBlue that was written in the Python programming language and later made publicly available, FireEye researchers said in an e-mail. The Python implementation was then compiled into an executable file using the publicly available py2exe tool.