Darkhotel Targets High Level Executives Through Hotel Wi-Fi

A group of sophisticated cyber criminals has compromised the Wi-Fi networks of luxury hotels for the past few years to launch malicious attacks against business people in the Asia-Pacific region.


Photo: pio3 / Shutterstock

Researchers from Kaspersky Lab dubbed the cyber-espionage group as ‘Darkhotel’ and tell us that it operates by injecting malicious codes into the Web portals used by entrepreneurs and executives to log in to Wi-Fi networks and access the Internet, usually by entering their last name and room number.

The Function of Darkhotel

The Darkhotel campaign includes both botnet-style operations and targeted attacks, according to Kaspersky Lab researchers.

Once a user connects to the Wi-Fi network, the hacker tricks the user into downloading malware that claims to be legitimate software on their device, infecting it with ‘Darkhotel’ spyware.

The software searches for the cached passwords and login credentials of the victim, and then steals keystrokes entered on the computer, with the goal of accessing intellectual property of corporate entities represented by the user.

Most of the users include senior vice presidents, chief executives, R&D staff, and sales and marketing directors operating businesses and investing in the Asia-Pacific region.

The attacks don’t target the same victim twice, and they perform attacks with precision, stealing all the valuable data they can in the first instance, removing traces of their work and returning to the shadows to await the next high level executive.

“Those portals are now reviewed, cleaned and undergoing a further review and hardening process,” said the researchers. Once Darkhotel is installed, it can download more new “advanced tools” to steal data, including all keystrokes.

Principle security researcher at Kaspersky Lab, Kurt Baumgartner, stated:

“For the past few years, Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cyber criminal behaviour.”

“This threat has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

The malware also searches for social network and email credentials, as well as other private data. Kaspersky Lab is working with concerned organizations to mitigate the problem, but Wi-Fi networks in private and even semi-private hotels should be viewed as potentially risky by traveling business people.

Every hotel guest, executives included, should take the following measures into consideration when using the Internet in hotels:

  • Always consider software upgrades as suspicious. Confirm from the front desk or the concerned authority that the update installer is signed by the vendor in question
  • Make sure you’re using the latest anti-virus software or security solution that includes proactive defense against malware and new threats rather than just basic protection
  • Always use a trusted Virtual Private Network (VPN) provider – this will give you an encrypted communication channel when accessing semi-public or public Wi-Fi

Top executives from Asia and the US are likely to be the targets of the Darkhotel malware. The Darkhotel hackers are believed to be active since 2007 and have conducted attacks on executives from firms involved in investment capital, electronics, chemicals, defense, law enforcement, cosmetics and the military.