Travelers have come to depend on WiFi networks in hotels, and businesspeople have come to expect high speed wireless access in both private rooms and public spaces, including lobbies, meeting rooms, and even the hotel gym. Predictably, cyberspies and cybercriminals have inhabited some of these virtual spaces as well. Hotel lobbies are often seen to sprout open networks with identifiers intended to trick users into logging on. (“FreeOpenWiFi,” “Hilt0n,” and “MarriottL0BBY” have all been seen in the past month.) Security firm FireEye, however, has recently documented a new and more dangerous threat in the hotel space: a hacking campaign attributed to the Russian government sponsored, GRU-affiliated group known as “Fancy Bear” or “APT28.” (One of the two Russian groups known to have penetrated the Democratic National Committee in 2015-6.) This campaign, evident in hotels in Europe and the Middle East, is potentially more dangerous than prior exploits, and may spread rapidly to other regions. Travelers need to be aware of the dangers, and need to take immediate steps to protect sensitive information.
The activities of these Russian-sponsored hackers are widespread and sophisticated. The name “APT” is an abbreviation of “Advanced Persistent Threat,” and is the term used in the cybersecurity community to denote an actor that is especially thorough and patient in the infiltration of computer systems and exfiltration of information. Fancy Bear has been implicated in cyber attacks against the World Antidoping Agency, the Dutch government, and against political parties in this year’s French and German elections. Information stolen in these hacks has been distributed through WikiLeaks, other web sites, and by transmitting it to media outlets such as Sputnik, RT, and others.
Briefly, the new campaign is initiated by an email “spearphishing” campaign using an attached document that appears to be a room reservation form in a Microsoft Word document file. Once opened by hotel staff, that document installs malware onto the target Windows computer that then uses exploits stolen from the U.S. National Security Agency (EternalBlue) to move laterally to infect other computers in the target network. The malware, known as GAMEFISH, is capable of stealing logon credentials and other information from the network, and communicating this information over the internet to command and control servers controlled by unknown actors. Because GAMEFISH can attack the very computers that control the hotel wireless network, it may be able to steal information from guest computers simply using that network, even if those computers are never directly attacked or compromised. This information may then be used to attack the guest computers directly, perhaps even at a remote location and time.
This threat is by no means the only hotel-based hacking to be seen. For some time, networks in Russian and Asian hotels have been infected with computer worm and virus files of various types. During the Iranian nuclear talks in 2014-15, Duqu 2.0 malware was seen in the networks of the hotels that hosted the delegations and the talks themselves. It was believed that Duqu was an information stealing worm, capable of turning on computer microphones and cameras covertly, as well as stealing computer files. According to the Guardian, this worm is related to Stuxnet, and was thought to be used by the government of Israel as a way of gaining intelligence about the nuclear negotiations.
Because guests cannot be sure that hotel systems have not been compromised, it is advisable that such systems be avoided if possible, in favor of data carried over cellular networks which, while not immune to attack, are at least monitored more closely than commercial wireless systems in hotels. Even then, care should be exercised, and secure communications should be avoided because it is not possible to guarantee the security of cellular communications. Governments use devices called “stingrays” to intercept cellular signals. Not only can they listen to voice communications, but they are able to see text messages and in some instances, spy on data communications as well. While the sale and use of stingray devices is severely restricted in the United States, the same cannot be said for the rest of the world, and thus, care is necessary.
If a hotel network must be used, access should only be through a virtual private network (VPN), preferably one that is operated under private and trusted control, or a reputable commercial service. Virtual Private Networks are a type of data transmission service that ensures that all data flowing from a secured device goes only to a known computer system, and is encrypted from “end-to-end” as it flows to and from that trusted system. Once the encrypted information reaches the trusted VPN “server,” it may then be forwarded onward over the internet, if the VPN is configured to do so. In this manner, the VPN impedes eavesdropping on data communications because the secure link is the first thing set up during an online session.
We all seem to depend more every day on the electronic devices in our pockets and bags, and we carry ever-greater amounts of personal and business information in them. Governments and criminals know this, as well, and have set traps for the unwise and the unwary. Hotels are just the latest venues made dangerous for us and our data. The savvy traveler will now ask, first and always, whether access to a particular system is really worth the risk involved, if it must be done over connections that are likely to have been compromised. It may be better, after all, to forego checking one’s accounts, and just to relax and have an aperitivo.