How it happened is that the sophisticated attackers had been lurking on the hotel’s network for days waiting for him to check in. They uploaded their malware to the hotel’s server days before then deleted it from the hotel network days after.
Kaspersky says the attackers have been active for at least seven years, conducting surgical strikes against targeted guests at other luxury hotels in Asia as well as infecting victims via spear-phishing attacks and P2P networks.
Their targets include high-profile executives—among them a media executive from Asia—as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India.
The attackers take a two-pronged approach—using the P2P campaign to infect as many victims as possible and then the spear-phishing and hotel attacks for surgically targeted attacks.
Until recently, the attackers had about 200 command-and-control servers set up to manage the operation. Kaspersky managed to sinkhole 26 of the command server domains and even gained access to some of the servers, where they found unprotected logs identifying thousands of infected systems. A lot of the machines in the attackers’ logs, however, turned out to be sandboxes set up by researchers to ensnare and study botnets, showing how indiscriminate the attackers were in their P2P campaign. The attackers shut down much of their command infrastructure in October, however, presumably after becoming aware that the Kaspersky researchers were tracking them.
When victims attempt to connect to the WiFi network, they get a pop-up alert telling them their Adobe Flash player needs an update and offering them a file, digitally signed to make it look authentic, to download.
If the victims accept the download, they get a Trojan delivered instead. Crucially, the alerts pop up before guests actually get onto the WiFi network, so even if they abandon their plan to get online, they are infected the moment they hit “accept.”
The malware doesn’t then immediately go to work. Instead it sits quietly for six months before waking up and calling home to a command-and-control server.
Kaspersky still doesn’t know how the attackers get onto the hotel servers.
Safeguarding against such an attack can be difficult for hotel guests. The best defense is to double-check any update alert that pops up on your computer during a hotel stay. Go to the software vendor’s site directly to see whether an update has actually been posted, and download it from there rather than from the prompt. Though, of course, this won’t help if the attackers are able to redirect your machine to a malicious download site.
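The advice above, and the captive-portal fake-update mechanism described earlier, can be turned into a concrete check. The following is an added example, not code from the original article or from Kaspersky: it scores an update offer by whether the file is served over HTTPS from a host under the vendor's own domain (rather than by the portal that displayed the prompt) and whether its SHA-256 matches a value the vendor publishes. The vendor host list, portal hostname, URLs and file bytes are all constructed for the example; a digital signature alone is deliberately not treated as proof of authenticity, since the article notes the malicious file was signed.

```python
import hashlib
from urllib.parse import urlparse

# Constructed allowlist of vendor download domains (assumption for this example;
# a real deployment would maintain this list from the vendor's documentation).
VENDOR_DOMAINS = {
    "adobe": {"adobe.com"},
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a downloaded file, for comparison with a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def host_under(host: str, domains: set) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_update_offer(vendor: str, download_url: str, portal_host: str = "",
                       published_sha256: str = "", file_bytes: bytes = b"") -> list:
    """Return a list of findings; an empty list means the offer passed every check.

    vendor          - key into VENDOR_DOMAINS for the software the prompt claims to update
    download_url    - URL the prompt wants the user to fetch
    portal_host     - hostname of the captive portal / login page that showed the prompt
    published_sha256- hash the vendor publishes for the release (empty if none found)
    file_bytes      - the downloaded file, if it was already fetched for inspection
    """
    findings = []
    parsed = urlparse(download_url)
    host = (parsed.hostname or "").lower()
    allowed = VENDOR_DOMAINS.get(vendor, set())

    if parsed.scheme != "https":
        findings.append("download is not served over HTTPS")
    if not host or not host_under(host, allowed):
        findings.append(f"download host {host!r} is not under a known {vendor} domain")
    # The article's key tell: the "update" comes from the network join page itself.
    if portal_host and host and host_under(host, {portal_host.lower()}):
        findings.append("update is served by the captive portal that displayed the prompt")
    if file_bytes:
        if not published_sha256:
            findings.append("no vendor-published SHA-256 available to compare against")
        elif sha256_hex(file_bytes) != published_sha256.lower():
            findings.append("SHA-256 of downloaded file does not match the vendor-published value")
    return findings


if __name__ == "__main__":
    # Constructed hotel scenario: prompt and file both come from the portal host.
    print(check_update_offer("adobe", "http://portal.example-hotel.test/flash_update.exe",
                             portal_host="portal.example-hotel.test",
                             file_bytes=b"constructed trojan bytes"))
    # Constructed legitimate scenario: vendor host, HTTPS, hash matches.
    installer = b"constructed installer bytes"
    print(check_update_offer("adobe", "https://get.adobe.com/flashplayer/installer.exe",
                             portal_host="portal.example-hotel.test",
                             published_sha256=sha256_hex(installer), file_bytes=installer))
```

The point of separating the checks is that each one catches a different part of the scenario the article describes: the portal-host test catches the prompt-before-connect trick, the domain test catches a redirect to a look-alike site, and the hash test catches a tampered file even when it arrives from a plausible host.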