Russian Intelligence Targeting Travelers via Hotel WiFi

Since early July, APT28—a hacking group attributed to Russian Intelligence Services—has conducted an espionage campaign targeting travelers by compromising hotel networks in at least seven European countries and one Middle Eastern country, according to a report from FireEye. Spear-phishing emails containing a malicious attachment disguised as a hotel reservation form were sent to the targeted hospitality companies. When the document is opened, the computer is infected with the GAMEFISH malware, which uses mvband[.]net and mvtband[.]net as its C2 domains.

After network access is gained, the actors search for machines that control the guest and internal WiFi networks. Once they have access to the WiFi networks, they deploy the Responder malware, which allows them to poison the NetBIOS Name Service (NBT-NS): by answering name queries, the controlled machine masquerades as a network resource and causes users' computers to send their credentials to it. The threat actors use the credentials to escalate their privileges, then use the EternalBlue SMB exploit to spread through the targeted network.

FireEye attributes this activity to APT28 with moderate confidence and indicates the group is specifically targeting hotels with less secure WiFi networks. The NJCCIC recommends travelers avoid connecting to public WiFi networks, particularly in hotels, unless they are using a reputable and securely configured Virtual Private Network (VPN). Users must remember that, when on a compromised WiFi network, any actions taken before connecting to the VPN are potentially at risk. Alternatively, travelers can purchase a personal WiFi hotspot.
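The NBT-NS poisoning step described above has a simple network-level tell that defenders can check for: a poisoner answers name queries for names that no host on the LAN actually owns. The following script is an added example written for this page (it is not code from FireEye, the NJCCIC, or the Responder project) and shows the canary technique: broadcast an NBT-NS query for a random name and treat any positive answer as evidence of a poisoner. The function names, the `CANARY` prefix, and the sample packet built by `build_positive_response` are constructed for illustration; the packet layout itself follows RFC 1001/1002 (first-level name encoding, flags 0x0110 for a broadcast query, record type NB = 0x0020).

```python
"""Canary NBT-NS query: detect NetBIOS Name Service poisoners on the local LAN.

Added example for defenders, not code from the page's sources. A legitimate
network never answers a name query for a random, nonexistent name; a host that
does is impersonating names it does not hold.
"""
import random
import socket
import string
import struct

NBNS_PORT = 137
NBNS_FLAGS_BROADCAST_QUERY = 0x0110   # query, recursion desired, broadcast bit
NBNS_TYPE_NB = 0x0020                  # NetBIOS general name service record


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 s.14.1): upper-case, pad to 15 chars,
    append the suffix byte, then map each nibble to a letter 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name: str, txid: int) -> bytes:
    """Header (12 bytes) + one question for <name> of type NB, class IN."""
    header = struct.pack("!HHHHHH", txid, NBNS_FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name) + b"\x00"
    question += struct.pack("!HH", NBNS_TYPE_NB, 0x0001)
    return header + question


def _read_name(data: bytes, off: int) -> tuple[bytes, int]:
    """Read length-prefixed labels up to the zero terminator (or a 2-byte
    compression pointer); return (first label, offset past the name)."""
    label = b""
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        n = data[off]
        off += 1
        if n == 0:
            return label, off
        if n & 0xC0 == 0xC0:
            return label, off + 1
        if not label:
            label = data[off:off + n]
        off += n


def parse_nbns_response(data: bytes, expected_txid: int) -> list[str]:
    """Return the IPv4 addresses claimed in a positive NB answer matching
    expected_txid, or [] for anything else (wrong txid, error rcode, no RRs)."""
    if len(data) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F or an == 0:
        return []
    addrs: list[str] = []
    try:
        off = 12
        for _ in range(qd):                      # skip echoed questions, if any
            _, off = _read_name(data, off)
            off += 4
        for _ in range(an):
            _, off = _read_name(data, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            if rtype != NBNS_TYPE_NB or len(rdata) < rdlen:
                continue
            for i in range(0, rdlen - 5, 6):     # each entry: NB_FLAGS(2) + IPv4(4)
                addrs.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    except (ValueError, struct.error):
        return []
    return addrs


def build_positive_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed sample of a positive name query response (the kind a
    poisoner sends), used only to exercise the parser offline."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)  # response, AA, RD
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)
    rr = b"\x20" + encode_netbios_name(name) + b"\x00"
    rr += struct.pack("!HHIH", NBNS_TYPE_NB, 0x0001, 300000, len(rdata)) + rdata
    return header + rr


def probe_for_poisoners(timeout: float = 2.0,
                        broadcast: str = "255.255.255.255") -> list[tuple[str, list[str]]]:
    """Broadcast a query for a random name and collect every host that claims
    it. Returns [(responder_ip, [claimed_ips]), ...]; empty means no poisoner seen."""
    name = "CANARY" + "".join(random.choices(string.ascii_uppercase, k=6))
    txid = random.randrange(0x10000)
    hits: list[tuple[str, list[str]]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_nbns_query(name, txid), (broadcast, NBNS_PORT))
        while True:
            try:
                data, (src, _port) = s.recvfrom(1024)
            except socket.timeout:
                return hits
            claimed = parse_nbns_response(data, txid)
            if claimed:
                hits.append((src, claimed))


if __name__ == "__main__":
    for src, ips in probe_for_poisoners():
        print(f"ALERT: {src} answered a query for a nonexistent name, claiming {ips}")
```

Run it from a laptop on the network under review; on a clean segment it prints nothing, and on a segment where a poisoner is active each answering host is reported with the addresses it tried to hand out. Because the query is a broadcast, the check only covers the local subnet, and a poisoner configured to ignore unknown names will not be caught, so this complements rather than replaces disabling NetBIOS over TCP/IP and LLMNR on managed endpoints.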