Sophisticated Targeted Attack Via Hotel Networks

Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. "Darkhotel" is the name the group and its techniques have been given.

This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.

Good article. This seems pretty obviously a nation-state attack. It's anyone's guess which country is behind it, though.

Targets in the spear-phishing attacks include high-profile executives -- among them a media executive from Asia, as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. "All nuclear nations in Asia," Raiu notes. "Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments." Recently there has been a spike in the attacks against the U.S. defense industry.

We usually infer the attackers from the target list. This one isn't that helpful. Pakistan? China? South Korea? I'm just guessing.

Posted on November 10, 2014 at 2:34 PM • 39 Comments


Arclight • November 10, 2014 2:55 PM

I've often thought that hotels are a ripe target for this sort of highly-targeted monitoring and attack. First, the hospitality industry is very competitive, and their networks are virtually guaranteed to be maintained on a shoestring budget that has to compete with maintaining the HVAC and keeping the pools sparkling.

On a good day, half of them are broken and using self-signed portal certificates and the like. IFS and active incident response aren't even on the wish-list.

Next, we have a self-selected population of folks who are already more likely to be important because they are travelling. We can further infer what they are up to and who they are based on the time and place (example: mid-week traveller to Crystal City, VA is probably on .gov business). And we can infer more by the floor/accommodations they are placed in.

We also have physical access to nearly all of the facility for the price of a room-night. We can even book a suite we think is important and have 24 hours to install equipment with power and data access.

And even if the intended targets have a high security-awareness and quality training, travel means they are away from their home org's resources and under time pressure to accomplish some important task.

With these factors in mind, ignoring an SSL warning or connecting to an unknown network are perfectly rational things to do knowingly.

Oh, and let's not forget that once we record someone's MAC address, we now have a unique and almost never-changing identifier for our targets.

All in all, this seems like pretty low-hanging fruit for an intel organization.


Anura • November 10, 2014 3:46 PM

Rule number one of wireless access points - if you don't control it, connect to a VPN. Honestly, I'm considering replacing the VPN server I use at home with a cheap VM on Amazon or something just because I don't even trust my ISP.

The weak RSA key thing is scary; why are devices even accepting 512-bit certificates? We've had more than enough time to phase out CA Certificates with keys shorter than 2048-bits, and shouldn't be accepting 1024-bit certs, let alone 512-bit.

Grauhut • November 10, 2014 4:48 PM

@Anura: "...a cheap VM on Amazon or something just because I don't even trust my ISP"

If you don't trust your ISP, why would you trust in a service provider of the CIA? :)

On topic: If China, South Korea should be on the target list...

Sancho_P • November 10, 2014 5:01 PM

There is one omnipotent, diligent and reckless FNSA (Foreign Nation State Attacker) which is seldom in the focus:
Our friends in the ME.

AC • November 10, 2014 5:50 PM

@Anura: "Rule number one of wireless access points - if you don't control it, connect to a VPN."

Make sure that you are routing ALL your Internet traffic through the VPN tunnel.
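The advice above is easy to state and easy to get wrong: a VPN client that only adds a route for the VPN's own subnet (a "split tunnel") leaves the hotel gateway as the default route, and OpenVPN's usual full-tunnel mode does not replace the default route at all but shadows it with two /1 routes. The following Go program is an added example, not code from the commenter or any VPN product: it reads an `ip -4 route show` listing and decides whether every packet without a more specific route leaves through the VPN interface. The route tables it contains are constructed samples, and the interface names `tun0` and `wg0` are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// route keeps the two fields of an `ip route` line this check needs.
type route struct {
	dst string // "default", "0.0.0.0/1", "192.168.1.0/24", ...
	dev string // interface named after "dev", "" if absent
}

// parseRoutes reads `ip -4 route show` output line by line.
func parseRoutes(table string) []route {
	var out []route
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		r := route{dst: f[0]}
		for i := 0; i+1 < len(f); i++ {
			if f[i] == "dev" {
				r.dev = f[i+1]
			}
		}
		out = append(out, r)
	}
	return out
}

// AllTrafficViaVPN reports whether all IPv4 traffic with no more specific
// route leaves through vpnIf. Two layouts count as "all traffic": every
// default route points at vpnIf, or both 0.0.0.0/1 and 128.0.0.0/1 point at
// vpnIf (OpenVPN's "redirect-gateway def1": the /1 routes are more specific
// than default, so they win even though the hotel default route stays).
func AllTrafficViaVPN(table, vpnIf string) bool {
	var nDefault, defaultOK int
	var loHalf, hiHalf bool
	for _, r := range parseRoutes(table) {
		switch r.dst {
		case "default":
			nDefault++
			if r.dev == vpnIf {
				defaultOK++
			}
		case "0.0.0.0/1":
			loHalf = loHalf || r.dev == vpnIf
		case "128.0.0.0/1":
			hiHalf = hiHalf || r.dev == vpnIf
		}
	}
	if loHalf && hiHalf {
		return true
	}
	return nDefault > 0 && defaultOK == nDefault
}

// Constructed sample tables (not captured from any real host).
const (
	// No VPN at all: everything goes out the hotel Wi-Fi.
	LeakingTable = `default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23`
	// VPN up, but only its own subnet is routed through it.
	SplitTunnelTable = `default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23`
	// OpenVPN redirect-gateway def1: the /1 pair shadows the hotel default.
	Def1Table = `0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23`
	// WireGuard-style: the default route itself was replaced.
	ReplacedDefaultTable = `default dev wg0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23`
)

func main() {
	samples := map[string]string{
		"leaking": LeakingTable, "split": SplitTunnelTable,
		"def1": Def1Table, "replaced": ReplacedDefaultTable,
	}
	for name, t := range samples {
		fmt.Printf("%-9s via tun0=%-5v via wg0=%v\n",
			name, AllTrafficViaVPN(t, "tun0"), AllTrafficViaVPN(t, "wg0"))
	}
}
```

On a live Linux host you would feed it the output of `ip -4 route show`; IPv6 needs the same check on `ip -6 route show`, and neither says anything about where DNS queries go, which is a separate leak to verify.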

Morozumi • November 10, 2014 6:30 PM

How do hotels protect against this attack?
It is the users' responsibility not to download something, but is there anything that prevents the hackers from attacking the hotel's network?

anon • November 10, 2014 6:50 PM

I haven't read the article yet but I'm assuming they're just setting up wifi honeypots at these hotels and then launching a flash banner page with their malware. If that flash banner page looks like the hotel's captive portal - no one is the wiser. Pineapples from the People's Liberation Army.

Obviously high profile targets like these will be using VPNs while traveling but before they can establish a tunnel ... their computer will already be owned.

Bruce Schneier • November 10, 2014 7:01 PM

"It makes little sense for Pakistan to spy on North Korea."

I was thinking that they're both nuclear-ish powers.

Bruce Schneier • November 10, 2014 7:02 PM

"There is one omnipotent, diligent and reckless FNSA (Foreign Nation State Attacker) which is seldom in the focus: Our friends in the ME."

Who's that. Saudi Arabia?

It doesn't seem like a necessary and sufficient target list for them.

43hkrgjwern • November 10, 2014 7:08 PM

This would benefit not only nearly every nation's intelligence on the planet, but also be profitable to pretty much any group.

I'd bet money the advanced flash vulns were bought from a well known vendor like Vupen. For some reason not even Russia, China, or the US seem to invest in the RE to find their own zero-days; even though they all have more than enough in-house talent..

Vulns are without a doubt complex struct based ROP and already in the hands of vendors. They will likely be reversed from patches and end up in exploit kits..

43hkrgjwern • November 10, 2014 7:13 PM

"Saudi Arabia"

They wouldn't have to. They have the most powerful nations on Earth directing their economic output at them; why work for what your pocket change can buy or your assets can force?

anon • November 10, 2014 7:21 PM

@ Alex

It makes a lot of sense. The ISI has been investigating whether AQ Khan sold any of their nuclear secrets. Even though AQ Khan has been pardoned and is no longer under house arrest ... they still have their suspicions.

AQ Khan (the Pakistani nuclear scientist) is known as the "godfather of North Korea's bomb"

anon • November 10, 2014 7:34 PM

@ 43hkrgjwern

American defense contractors purchase and hoard 0 days and even develop some of their own. We know that both Northrop Grumman and Raytheon sell 0 days to the NSA.

When the NSA doesn't have a suitable 0 day in their extensive library, which is fed by private contractors - albeit ones more professional than VuPen ... they turn to their own in-house custom exploit group known as TAO which employs over 1,000 hackers.

As for China ... there are so many hackers in China that will only sell 0 days to the PLA so they have no need to pay steep prices to a company like Vupen or Hacking Team. The prices for exploits are extremely depressed in China so Western black hats won't even try to sell to the Chinese. source: grugq

And finally ... Russia .... Just because it hasn't been publicly confirmed in the media, doesn't mean that they aren't developing their own exploits, in house. The Russian hacker has become a meme .... from the mafia committing bank fraud to wall hackers in FPS games. You can be sure that they have one of the most aggressive programs in the world and it's unlikely that they rely on private companies in the EU.

Anura • November 10, 2014 7:36 PM

"If you don't trust your ISP, why would you trust in a service provider of the CIA? :)"

The only solution that offers any protection against HSAs is Tor. My main concern is ISPs targeted at consumers rather than businesses; I'm a lot more comfortable with the latter than the former.

algae virus unknown %%%%% • November 10, 2014 8:01 PM

If the targets tend to be 'personnel' and the weakness is the
person(s) holding the Internet keys.....

1 Since the key weakness is the system adminstrator, what would
2 be the effects of suicidal dementia caused by viruses?

3 Why is it bad living and cat owning in Cleveland, Ohio, USA?
5 algae-pathogen-impairs-cognition-discovered-1721555
6 A Virus That Makes Humans Stupid? ‘Innocuous’ Algae Pathogen
7 That Impairs Cognition Discovered
8 Out of the 92 healthy adults screened in the
9 study, nearly 44 percent of them had the virus

12 lake_eries_algal_blooms_intens.html
13 maelstrom of harmful algal blooms, or HABs,
14 erupting around Lake Erie.
15 Note: allegedly that government was NOT watchful and
16 people drank some of the poisons before being notified.

18 New findings: Depression, suicide, and Toxoplasma
19 gondii infection.
20 cats are the reservoirs

22 poem:
23 so you read Schneier and you wake from stupor to leery
24 and the stupid, depressed word eerie is no pun
25 you hold the Internet Keys and drink from Lake Erie
26 being stupid, depressed, and weary is no fun

poem semantic word cluster analysis draft:
wake as in USA United States of Amnesia? Gore Vidal
meaning of Lake Erie - spelling similar to eerie or frightening
holding the keys is the PKI crypto objects to the 'source code'
rhymes - in american english: leery, weary, Lake Erie, eerie
pun, fun, wake / lake

CEO + arbitrary power + Stupid + suicidal + 'arrogance?' ==
using a statistical review of history

thevoid • November 10, 2014 10:11 PM

@Bruce S.

my mind went to saudi arabia first as well, but there is another ME 'friend'
there with high technical capabilities...

Jonathan Wilson • November 10, 2014 10:18 PM

Why does it seem like despite the endless stream of security updates from Adobe, Flash is still the #1 biggest problem when it comes to security holes and attacks?

All browser vendors need to do what some are already doing and implement click-to-play for Flash so that no flash video file can run without the user choosing to run it.

That said, how many of the people being infected with these kinds of threats are running old versions of Flash instead of the latest most secure version?

Roger Moore • November 10, 2014 10:40 PM

@anon: Obviously high profile targets like these will be using VPNs while traveling but before they can establish a tunnel ... their computer will already be owned.

If you want security, you probably shouldn't be trusting the hotel's WiFi at all. A VIP staying in a fancy hotel should be able to afford their own wireless connection with the VPN configured by the home office. Given how much fancy hotels charge for internet, it could probably be justified on cost alone. Add in the convenience and security benefits, and it should be an absolute no-brainer.

Clive Robinson • November 10, 2014 10:46 PM

@ theVoid,

... but there is another ME 'friend' there with high technical capabilities...

That also has "Mediterranean End" vistas. They are also believed by some to have tapped into under sea comms cables, and amongst other things, put code with known weaknesses they can exploit remotely in cell phone RF units that end up in security products sold all over the world. Oh and steal others designs and technology in a way that made the old ROC "China knock offs" look tame.

anon • November 10, 2014 11:55 PM

I always hack into the WiFi connection of a nearby business when I'm at a hotel so I guess that would make me safe from this attack.

Of course ... I do that mainly cuz I'm a cheapskate and because the businesses across the street often have WEP connections.

I wonder what the maids think when they see my dish that points downwards?

thevoid • November 11, 2014 1:03 AM

a few years ago bamford made similar statements about tech they supply to a
certain agency we all know and love...

Wael • November 11, 2014 1:04 AM

"There is one omnipotent, diligent and reckless FNSA (Foreign Nation State Attacker) which is seldom in the focus: Our friends in the ME"
No brainer! Hawaii?

Clive Robinson • November 11, 2014 3:39 AM

@ thevoid,

Yes and he is probably not wrong, because those "we all know and love" would know all the secrets --maybe-- it's the rest of us that get to pay the price.

I for one know about their "knock offs" first hand and worse still the "passing off" as originals designs they had stolen from me that I had designed for a company. After a short investigation we found out that it is entirely pointless trying to get legal redress as the government and the courts there actively act against the original IP holders...

When you get treated that way you start to think they are as bad if not worse than the Chinese and Russians.

Not that it's the first time I've had my work "ripped off"; the honour of the first time falls to the French, and on subsequent occasions to at least two of the FiveEyes nations. Which is why I know that anyone who believes "My Country right or wrong" is not an original thinker or anything much better than "cannon fodder" their country will happily use them for, which brings us around again to the notion of "authoritarian followers"...

Clive Robinson • November 11, 2014 3:44 AM

@ Wael,

Ahh Hawaii, one of the few places on earth that confound Mark Twain's advice about "real estate", because there they certainly are making more of it...

Clive Robinson • November 11, 2014 4:43 AM

@ Alex,

Actually it makes a lot of sense for Pakistan to spy on North Korea, or any other nation that is "space delivery" capable.

Nukes in their own right are really quite useless, you need a working delivery mechanism as you do with all WMD unless you are going to use them for "scorched earth" defence.

Tactical rockets such as SCUDs are of limited use, it's why you need not just ICBM capability but space platform capability to be respected by the "top table" especially the US.

And it's this "top table" respect that many nations have craved that has motivated them to become first nuclear capable but secondly delivery platform capable. Historically it's the only "power politics" the US has shown any respect for, which is why some nations who feel threatened by the US have been driven to become nuclear capable.

Of the two, delivery system capability is still currently the hardest to successfully acquire which is why it is most valued. And it is the "real intent" indicator that a nation knows it's the US it has real fear of, which might account for why North Korea has put so much effort into delivery systems as a primary objective.

Although the US continually go on about nuclear programs, a nation wanting nuclear technology is quite rational from an energy security and national survival perspective. Most European Nations would be nuclear capable if it was not for the fears of their citizens, because at the end of the day their governments don't want to be dependent on the likes of Russia to keep the lights on. Putin has shown himself to be more than happy to keep nations in a vassal state simply by turning the gas tap off in winter. It also accounts for the desperate interest of EU nations in "shale gas" which has to be as much if not more problematic than nuclear energy production. Governments do employ historians and knowledge of things like "water rights wars" tell us why we don't want to become energy dependent on other nations.

Oh and ask the question about what happens when the oil runs out?

Most people fail to realise that petrol is just a "waste byproduct" of getting other hydrocarbons for the chemical and food industries, which we are much more reliant on for our survival than personal vehicles...

Back in WWII the Germans were faced with this "feed stock" issue and they developed various techniques for synthetically making them by various "gasification" processes. The base raw materials CO2, O2 and H2O are readily available and plants are quite adept at producing some hydrocarbons. However the more useful hydrocarbons need to be either extracted from fossil fuels or made synthetically by the use of intense heat and a lot of pressure. Other than burning other fuels the only way we can get the required temperatures is from either the sun which is unreliable, or from reliable nuclear energy...

As a race, we humans have to face quite tough questions when it comes not just to our comfort but our survival and it looks like we will need to resolve some of them fairly rapidly, just to buy us enough time to engineer other solutions.

So spying on those adept at both nuclear technology and delivery mechanisms is likely to be very profitable for survival and security.

Karasevok • November 11, 2014 5:34 AM

Billion dollar companies and then so poor that they have to use hotel wlan? How about using a phone data plan and VPN? I don't use wlan even at my home, and I wouldn't ever dream of connecting to wifi that I don't have 100% control of.

thevoid • November 11, 2014 5:57 AM

well, they say imitation is the highest form of flattery!

i am sure there is also some french clive out there who was similarly ripped
off by the usual suspects.

i think this quote sums it up pretty well:

But the state lieth in all languages of good and evil; and whatever it saith it lieth; and whatever it hath it hath stolen. -nietzsche

43hkrgjwern • November 11, 2014 8:05 AM

@Jonathan Wilson: Java gets more; that's why it gets disabled.

Crime kit teams just reverse patches. All the vulns are pretty complex stuff that do things like ROP off of vector struct corruption.

The "sandbox" systems everyone seems to be implementing seem to stop nothing, nor do things like SELinux and FORTIFY_SOURCE which are 100% of security in a lot of platforms.. People just find ways to get ROP to work around them.. W8 actually had a lot of protections implemented but they were defeated with advanced ROP within a month of ISO leak..

paul • November 11, 2014 9:25 AM

Do we really know that this is a nation-state-level attack? It seems to me that with the amount of money sloshing around these days a large criminal organization or particularly unscrupulous company (insert obvious punchline here) would also easily have the resources to pull this kind of thing off. Albeit it might be harder for them to keep their work secure.

65535 • November 11, 2014 10:13 AM

That also has "Mediterranean End" vistas. – Clive

Interesting. Thus, indicating our untouchable 0-day provider at Vupp@n? Or possibly the country at the end of boot with a football?

Would not both of those countries sell 0-days to our watchful friends at Fort Meade?

Why would they use the .pn [TLD] with a population of 56 people [if that is the actual location of CnC servers]? Such a small number of people would be easy to watch and possibly influence – on both sides of the fence. Wouldn't that be risky [I see the British flag and coat of arms on that flag – it could throw suspicion on GCHQ]? Not sure what to make of that.

Other items of note:

The kernel-level keylogger is reported to be from an S-Korean hacker who uploaded his code to codeforge[dot]com. I note at least two other "hospitality" or Hotel code uploads on that same site. The S-Korean hacker must have some hotel knowledge.

"...the attacker’s use of digital certificates to sign their malware also points to a nation-state or nation-state supported actor. The attackers found that a certificate authority belonging to the Malaysian government as well as Deutsche Telekom were using weak 512-bit signing keys. The small key size allowed the attackers, with a little super-computing power, to factor the 512-bit RSA keys (essentially re-engineer them) to generate their own digital certificates to sign their malware… very rarely, if ever, see such techniques used by APT (advanced persistent threat) groups,” Raiu says. “Nobody else as far as we know has managed to do something similar, despite the fact that these certificates existed for some time…. This is [an] NSA-level infection mechanism.” -Wired

We are back to the ugly issue of un-trustable SSL/TLS code signing certificates from “trusted” Certificate authorities!

To be fair the 512 bit certificates were from as early as 2005 [Equifax secure eBusiness CA1] through 2009. That could account for the relatively weak strength. More troubling are the Thawte Root certs from 2011 – 2014 [page 21 of the Kaspersky pdf].

It's clear the certificate chain and resulting forged/tampered certificates must be reviewed and remediated. If not there will be considerable damage to huge sectors of the economy.

Interestingly, the victim's chart seems to be 90% in Japan [according to Kaspersky p21 [darkholtel_kl_07.11[dot]pdf]. I do believe the USA maintains significant intelligence assets in Japan.

"…A description of the detailed connectback URL values and their xor/base64encoding scheme is included in the interesting Malware Trojan.Win32.Karba.e …A description of the detailed connectback URL values and their xor/base64… only 120 ip addresses perform the "B" checkin, and 90% of these are from the range 150.70.97.x. This entire range is owned by Trend Micro in Tokyo, JP… The "A" tag labels unwanted checkins from untargeted locations, like Hungary and italy. The "B" tag labels unwanted checkins from Trend Micro ip ranges… -Kaspersky

If I understand the Kaspersky report, this would indicate that the spyware doesn't want to spy on Trendmicro's block of IP's in Japan [The other Japanese IP blocks would be targets].

‘…researchers found a reference to a malicious Windows executable in the directory of a Unix server. The file itself was long gone, but a reference pointing to its former existence remained. “[T]there was a file-deletion record and a timestamp of when it happened,” says Kamluk… traces left behind, the attackers had operated outside normal business hours to place their malware on the hotel system and infect guests. attackers shut down much of their command infrastructure in October, however, presumably after becoming aware that the Kaspersky researchers were tracking them… “As far as I can see there was an emergency shut down,” Raiu says.’ –Wired

I agree with the “researchers” interviewed by Wired. This attack was professional, targeted, and sophisticated. I can only assume this was the work of a Nation/state actor.
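Anura asked earlier why devices accept 512-bit certificates at all, and 65535's quote from Wired describes what the consequence was: signing keys that short can be factored, and once the private key is recovered the attacker can sign malware that chains to a trusted root. The usual fix is a policy at the verifying end that refuses any certificate in a chain whose RSA modulus is below a floor, independently of what the CA chose to issue. The Go program below is an added example, not code from Kaspersky, Wired, or any of the commenters: `CheckKeyStrength` applies such a floor to one certificate, and `VerifyChainKeys` has the signature `tls.Config.VerifyPeerCertificate` expects so the same rule can run on every TLS handshake. `SelfSignedDER` exists only to build throwaway certificates offline; 1024 bits stands in for the 512-bit keys discussed, because current Go releases refuse to generate anything smaller. The 2048-bit floor and the `test-*` common names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the policy floor (assumed here): 512- and 1024-bit keys,
// the sizes the comments above discuss, are both rejected.
const MinRSABits = 2048

// CheckKeyStrength returns an error when cert carries an RSA key shorter
// than minBits. Non-RSA keys are outside this policy and are reported as
// undecided rather than silently accepted.
func CheckKeyStrength(cert *x509.Certificate, minBits int) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("not an RSA key: policy undecided")
	}
	if n := pub.N.BitLen(); n < minBits {
		return fmt.Errorf("RSA key is %d bits, below the %d-bit minimum", n, minBits)
	}
	return nil
}

// VerifyChainKeys has the shape of tls.Config.VerifyPeerCertificate. It runs
// CheckKeyStrength over every certificate the peer presented, so a weak
// intermediate or root signer fails the handshake, not just a weak leaf.
// (In a real tls.Config it runs after the normal chain verification.)
func VerifyChainKeys(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	for i, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("cert %d: %w", i, err)
		}
		if err := CheckKeyStrength(cert, MinRSABits); err != nil {
			return fmt.Errorf("cert %d (%s): %w", i, cert.Subject.CommonName, err)
		}
	}
	return nil
}

// SelfSignedDER builds a throwaway self-signed CA certificate with an RSA
// key of the given size. It is test scaffolding so the policy can be
// exercised offline; it is not how a real chain would be obtained.
func SelfSignedDER(cn string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, bits := range []int{1024, 2048} {
		der, err := SelfSignedDER(fmt.Sprintf("test-%d", bits), bits)
		if err != nil {
			fmt.Println("keygen failed:", err)
			return
		}
		fmt.Printf("%d-bit chain: %v\n", bits, VerifyChainKeys([][]byte{der}, nil))
	}
}
```

Wiring `VerifyChainKeys` into a client is a one-line assignment on the `tls.Config`; the point of keeping the check in the verifier is that it holds even when a "trusted" CA has issued something it should not have.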

01 • November 11, 2014 3:09 PM

I hate to be "that guy" (you know... the guy), but how is it "obviously" a nation-state attack?

The most nation-statish thing about it is that it uses really good flash 0-days, and even that is not exclusively a nation-state thing.

Given the potential cost of information one can gain by targeting high-profile individuals, I wouldn't put it past some of the more underhanded competitive intelligence companies to at least try something like that.

Erroneously posted this previously in a wrong comment thread :)

Sancho_P • November 11, 2014 5:24 PM

@ Bruce

“Who's that. Saudi Arabia?”

I’d not call them friends - we need them.
Omnipotent & diligent & reckless == Mossad

Our friends ( - we - ) are in Israel.
And "friends tend to spy on friends, just to make sure" [allegedly from Angie]

Nick P • November 11, 2014 6:15 PM

@ Sancho_P

On top of it, the leaked British MOD security manual put them as the No 3 threat to that country in espionage. Right after Russia and China. Bad part of U.S. is that our country pays for their actions against us haha.

thevoid • November 12, 2014 6:20 AM

these may be the comments of bamford's i remember:

JAMES BAMFORD: Yeah. There's two major -- or not major, they're small companies, but they service the two major telecom companies. This company, Narus, which was founded in Israel and has large Israel connections, does the -- basically the tapping of the communications on AT&T. And Verizon chose another company, ironically also founded in Israel and largely controlled by and developed by people in Israel called Verint.

So, you know, you've got companies -- these companies have foreign connections with potential ties to foreign intelligence agencies, and you have problems of credibility, problems of honesty and all that. And these companies -- through these two companies pass probably 80 percent or more of all US communications at one point or another.

and nothing has changed apparently. more recently from wired:

What is especially troubling is that both companies have had extensive ties to Israel, as well as links to that country's intelligence service, a country with a long and aggressive history of spying on the U.S.

In fact, according to Binney, the advanced analytical and data mining software the NSA had developed for both its worldwide and international eavesdropping operations was secretly passed to Israel by a mid-level employee, apparently with close connections to the country. The employee, a technical director in the Operations Directorate, "who was a very strong supporter of Israel," said Binney, "gave, unbeknownst to us, he gave the software that we had, doing these fast rates, to the Israelis."

Because of his position, it was something Binney should have been alerted to, but wasn't.

But Binney now suspects that Israeli intelligence in turn passed the technology on to Israeli companies who operate in countries around the world, including the U.S. In return, the companies could act as extensions of Israeli intelligence and pass critical military, economic and diplomatic information back to them. "And then five years later, four or five years later, you see a Narus device," he said. "I think there's a connection there, we don't know for sure."

"It apparently hasn't hurt Israel that so many Washington and Wall Street insiders assume that Israel knows their secrets."

Chris Abbott • November 12, 2014 7:36 PM

I'm back! It's been a while since I've posted.

Would something like a PFS DH key exchange/bulk cipher, like is done with HTTPS, that would in effect create secure public wifi (something I and billions of others have mentioned doing) thwart this type of thing? You could have a setup where all the network traffic is completely encrypted individually and not readable to others on the network, in other words, a system that would make LAN sharing impossible, but other users on the network secure, a system used exclusively for public wifi. We should have some kind of setup like that.
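What the comment above describes was later standardized as Opportunistic Wireless Encryption (RFC 8110, marketed as WPA3 "Enhanced Open"): every client runs an unauthenticated Diffie-Hellman exchange with the access point and gets its own pairwise key, so other guests on the same network cannot read its frames. The Go program below is an added example of the idea, not code from the commenter or from any Wi-Fi standard: an AP and two clients each generate an ephemeral X25519 key, derive per-client AES-256-GCM keys, and the program checks that client B's key cannot open a frame client A sent. The key-derivation label `toy-owe-v1` and the sample frame are constructed; the derivation is a plain SHA-256 over the shared secret and both public values, not OWE's actual KDF.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one side of a single association (the AP or one client). Its
// X25519 key is ephemeral: generated per association and dropped afterwards,
// which is what makes the session key forward secret.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Public is the only value sent over the air in the clear.
func (p *Party) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// SessionKey derives a 256-bit AES key from the X25519 shared secret plus
// both public values, so each (client, AP) pair gets a distinct key. The
// public values are hashed in a fixed order so both sides compute the same key.
func (p *Party) SessionKey(peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	a, b := p.Public().Bytes(), peer.Bytes()
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	h := sha256.New()
	h.Write([]byte("toy-owe-v1")) // constructed domain-separation label
	h.Write(shared)
	h.Write(a)
	h.Write(b)
	return h.Sum(nil), nil
}

// SealFrame encrypts one frame under a session key with AES-256-GCM.
func SealFrame(key, frame []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, frame, nil), nil
}

// OpenFrame fails with an authentication error under any key but the right one.
func OpenFrame(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// Scenario associates two clients with one AP and reports whether client A
// and the AP agree on a key that differs from client B's, and whether client B
// can read a frame client A sent. Expected: keysAgree=true, crossRead=false.
func Scenario() (keysAgree bool, crossRead bool, err error) {
	ap, err := NewParty("ap")
	if err != nil {
		return
	}
	a, err := NewParty("client-a")
	if err != nil {
		return
	}
	b, err := NewParty("client-b")
	if err != nil {
		return
	}
	kA, _ := a.SessionKey(ap.Public())
	kAatAP, _ := ap.SessionKey(a.Public())
	kB, _ := b.SessionKey(ap.Public())
	keysAgree = bytes.Equal(kA, kAatAP) && !bytes.Equal(kA, kB)

	nonce, ct, err := SealFrame(kA, []byte("GET /mail HTTP/1.1")) // constructed frame
	if err != nil {
		return
	}
	_, openErr := OpenFrame(kB, nonce, ct) // B sees the same ciphertext on the air
	crossRead = openErr == nil
	return
}

func main() {
	agree, cross, err := Scenario()
	fmt.Println("per-client keys agree:", agree, "| other client can read:", cross, "| err:", err)
}
```

The answer to the comment's question is therefore "partly": this stops a fellow guest from sniffing, but because neither side is authenticated, a rogue access point simply runs the exchange itself and sits in the middle, which is the position the Darkhotel operators were in. The VPN advice earlier in the thread addresses that case; per-client link encryption does not.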

01 • November 15, 2014 1:31 AM

Okay, aside from spambot attack, I'd like to slightly muse over this thing further (since I've already set upon the path of "that guy" anyway).

The fact that the attackers had their own digital certificates is noteworthy, but not strictly indicative of a state-sponsored attacks, since high-end non-state-sponsored blackhats have been known to gain access to "legitimate" certificates in the past (let's face it, some CAs just simply suck, also, when you have a bunch of stolen identities and a "reprocessed" passport* one could even get a cert "the formal way").
The only things that are very, very "statish" is target profile and presence of rather interesting zero-days (your average blackhat exploit peddler does not have strong incentives not to re-re-resell the exploit), but even those don't strictly indicate state actors (industrial espionage^W^W competitive intelligence goons could follow the targets with similar profiles for reasons that have to do with, well, what it says on their can).

I think that the reflex of jumping from "complex, well-crafted exploitation solution that uses some of the tools previously associated with TLAs" to "a nation-state sponsored attack" is a risky heuristic, especially since the boundary between state-sponsored groups and "simple hackers" might not be always a clear one.

"That guy" out.

* A reprocessed Ukrainian or Belarusian passport would cost, like, $400 or less, and it's very hard to detect that the photo was replaced even when you physically have the document and have the necessary tools (they're pretty good at what they do).
