Russia-linked hackers target hotel guests in Europe

August 14, 2017 - 6:59 PM

FRANKFURT — A cyber-spying group with suspected links to Russian military intelligence was probably behind a campaign targeting hotel guests in eight mostly European countries last month, researchers at security firm FireEye said on Friday.

The espionage group, dubbed APT 28, sought to steal password credentials from Western government and business travelers using hotel wi-fi networks, in order then to infect their organizational networks back home, FireEye said in a report.

The wave of attacks during the first week of July targeted travelers who were staying in several hotel chains in at least seven countries in Europe and one in the Middle East, it said.

These preliminary findings are the latest to allege that Russia is engaged in far-flung hacking activity aimed at governments, businesses and election campaigns, including Hillary Clinton’s unsuccessful White House bid last year.

Several governments and security research firms have linked APT 28 to the GRU, Russia’s military intelligence directorate. Other researchers have tracked the same pattern of attacks, but stopped short of linking APT 28 to the Russian state.

Moscow vehemently denies the accusations.

Benjamin Read, manager of cyber espionage analysis for U.S.-based FireEye, said the technical exploits and remote chain of command used to mount the attacks all clearly pointed to APT 28, whose vast scope of activities his firm has detailed since 2014.

“We are moderately confident in our assessment,” Read told Reuters, saying this was because the technical inquiry was still in its early days. “We just don’t have the smoking gun yet.”

The latest attempts were identified and thwarted in the initial infiltration stage. But similar methods were used in the autumn of 2016 at hotels in Europe, and managed to breach the computer of a U.S. government employee, he said.

In the July attacks, FireEye found spear-phishing emails were used to trick hotel employees into downloading an infected hotel reservation document, which then installed GAMEFISH malware run remotely from internet sites known to be controlled by APT 28.

This foothold gave the cyber spies control over guest wi-fi networks and could help them grab passwords of targeted victims and sniff unencrypted data being transmitted to shared network drives in the up-market, business-class hotels of major cities.

“We did not observe any guest credentials being stolen. However, there were multiple hotel chains targeted and we don’t know the full extent of the operation,” Read said.

The July attacks took advantage of a recently leaked piece of malicious software known as EternalBlue, believed to have been stolen from the U.S. National Security Agency, giving hackers a highly sophisticated way to move silently inside organizations’ networks once they infect even a single machine.

It was also EternalBlue that fueled the worldwide spread of WannaCry ransomware in May and the NotPetya attack against Ukraine in June, which fanned out globally to hit dozens of major firms.

The 2016 hotel attacks tricked one user with a fake Adobe Flash update and were likely launched by a nearby hacker on the same guest wi-fi network, FireEye said. APT 28 logged into the guest’s web-based Outlook email account 12 hours later, it said.

The government employee returned to the United States and the infection spread to their agency when their computer was reconnected to the network, Read said. He declined to comment on how far the attack reached or whether it caused any damage.