“CEOs, senior vice presidents, sales and marketing directors and top R&D staff.” These are the people who have been targeted by Darkhotel, a sophisticated, long-running espionage campaign, as they check into hotels around the world, according to a new report (pdf) by Kaspersky Lab, the security firm. The vast majority of infections occurred in Japan, followed by Taiwan, China, Russia, South Korea, and other Asian nations. Germany and the US also figure on the list.
The attacks have been going on since 2007. Targeted executives come from a variety of fields, including electronics, pharmaceuticals, manufacturing, defense, law enforcement, military, and non-government organisations.
The attackers use the hotel Wi-Fi network to prompt guests to install what look like updates for common software such as Adobe Flash, Google Toolbar, and Microsoft Messenger. The “updates” are in fact malware.
What makes the threat particularly interesting is that the attackers aren’t infecting victims at random. Though a basic version of the malware is distributed in a scattershot manner, it is only after a guest has logged in to the hotel network with a name and room number that more advanced information-stealing tools are installed, suggesting the attackers know exactly who they are waiting for.
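The lure described above only works if the guest runs an executable offered by a hotel captive portal. The check a defender would want before that happens is an Authenticode verification that also confirms the publisher, since a signature that merely chains to a trusted root proves only that someone held a signing key, not that Adobe, Google or Microsoft produced the file. The script below is an added example, not code from the Kaspersky report or from this article; the function name, the Downloads folder scan and the expected-subject strings are assumptions, and the subject values should be replaced with the ones observed on a known-good installer of each product.

```powershell
# Added example (not from the Darkhotel report): verify a downloaded "update"
# before executing it. Returns an object rather than printing so callers can act on it.
function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Substrings expected in the signer certificate Subject (assumed values; see lead-in).
        [Parameter(Mandatory)] [string[]] $ExpectedSubjects
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the file hash matches the signature and the
    # certificate chains to a trusted root; anything else (NotSigned,
    # HashMismatch, UnknownError for an untrusted root) is rejected outright.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature alone is not enough: the signer must be the publisher
    # expected for this product, not just any certificate a CA was willing to issue.
    $subject = $sig.SignerCertificate.Subject
    $hit = $ExpectedSubjects | Where-Object { $subject -like "*$_*" }
    if (-not $hit) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "unexpected signer: $subject" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "signed by $subject" }
}

# Usage (assumed location): inspect every installer that landed in the Downloads
# folder, for example after a captive-portal "update" prompt on hotel Wi-Fi.
$expected = @('O=Adobe', 'O=Google', 'O=Microsoft Corporation')   # assumed; verify against known-good installers
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.msi -Recurse |
    ForEach-Object { Test-UpdateSignature -Path $_.FullName -ExpectedSubjects $expected } |
    Format-Table -AutoSize
```

The publisher match is deliberately a substring test on the certificate Subject rather than a thumbprint pin, because vendors rotate signing certificates; pinning the organisation name catches a file signed by an unrelated company while surviving routine renewals. In practice the safer rule for a traveller is simpler still: never install software from a captive portal, and fetch updates only from the vendor’s own updater once on a trusted network.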
From the report:
At the hotels, these installs are selectively distributed to targeted individuals. This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the Internet.
The report does not say which hotels have been infected. The hotels themselves have been “uncooperative,” a Kaspersky source told Wired’s Kim Zetter.
According to Kaspersky, whoever is behind the attacks “employs methods and techniques which go well beyond typical cybercriminal behavior.” These include proficient use of previously unknown vulnerabilities (zero-days) in common software, the deliberate targeting of specific executives while they travel, and careful cleanup to hide the malicious activity: “As soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status.”
Kaspersky doesn’t speculate on the responsible party, but there are signs the attackers may be Korean. The report notes that some components of the malware exit without running on Windows systems whose default settings are Korean, which would avoid infecting machines in the attackers’ own region, and also notes the presence of Korean characters in some of the code.