Hotel Wi-Fi may be one of the worst parts of traveling, but a notorious Russian hacker group is making it even worse thanks to phony emails. Researchers at the security firm FireEye have warned that APT28, also known as Fancy Bear, a notorious Russian hacker group with ties to the US election hacking scandal, is using a known tool to sniff user passwords from Wi-Fi traffic in hotels across European countries and at least one Middle Eastern country.
The hack is being carried out through one of the oldest tricks in the book: a simple phishing email, sent to hotel guests, that appears legitimate. Each email contains an attachment that, when opened, acts as a Trojan horse, planting malware on guests’ phones that enables the hackers to steal their passwords. APT28 was identified as the culprit behind the scheme when the attachments were found to install the group’s signature Gamefish malware.
The group sought to steal password credentials from Western government and business travelers using hotel Wi-Fi networks in over eight countries. The lingering malware on the guests’ phones could then be used to infect networks and computer systems in their homelands. Once inside a hotel’s network, the hackers sought out the machines that controlled the hotel’s Wi-Fi service. After gaining access to those machines, the hackers deployed further tactics to steal account information that gave them broader access to potential victims. According to FireEye, however, “No guest credentials were observed being stolen at the compromised hotels.”
The incident has been tied to last year’s NSA leaks by the group known as the Shadow Brokers. In the hotel campaign, as Fancy Bear’s malware spread, it installed a version of the EternalBlue exploit, a tool used by the NSA to gather information.
“Travelers must be aware of the threats posed when traveling—especially to foreign countries—and take extra precautions to secure their systems and data,” FireEye warned. “Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.”
Similar technology was used in the recent WannaCry ransomware epidemic, as well as the Petya outbreak.