Technology 4 min read

Alleged Russian APT28 Used Spy Tools to Hack Hotels and Steal Info

HypnoArt |

HypnoArt |

An infamous cyber-espionage group was discovered by security analysts exploiting the same spy tools behind the WannaCry and NotPetya ransomware attacks.

Cyber security researchers from FireEye divulged in a blog post that an alleged Russian group is targeting travelers and hotels across Europe and the Middle East to steal data. The post read:

“FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East.”

Hackers now use #EternalBlue exploit to infiltrate hotel guest networks!Click To Tweet

APT28, also know as Sofacy, Sednit, Pawn Storm, and Fancy Bear, was found attempting to steal credentials from high-value guests of European and Middle Eastern hotels through their WiFi networks.

Russians Use NSA Spy Tools to Steal Information

Fancy Bear is an infamous hacking organization which many security firms have linked to Russian intelligence. The said group is believed to have been operating since around 2007. They have been accused of hacking the Democratic National Committee and the Clinton campaign in an attempt to influence the 2016 United States Presidential election.

Daily Stormer |
Daily Stormer |

According to FireEye, the hacking campaign launched by Fancy Bear exploits EternalBlue, a vulnerability that takes advantage of a version of Windows’ Server Message Block (SMB) networking protocol to infiltrate networks.

It should be remembered that EternalBlue, together with other spy tools, were leaked in April by the infamous Shadow Brokers hacking group. These tools that were designed to target Windows PCs and servers were said to be used by U.S. intelligence services and the National Security Agency to conduct surveillance.

With the code out in the open, several cyber criminal groups took advantage of it; such was the case with the WannaCry ransomware and NotPetya outbreak.

Experts also believed that several hacking groups are using the NSA spy tools to boost their malware. However, this is the first time that a cyber criminal organization was actually spotted in the act.

In a statement to ZDNet, Cristiana Brafman Kittner, Senior Analyst at FireEye said:

“This is the first time we have seen APT28 incorporate this exploit into their intrusions, and as far as we believe, the variant used was based on the public version.”

The Attack Process Using Spy Tools

According to threat analysts, the hacking attack starts with email phishing. FireEye apparently discovered “malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July.”

Once the macro within the malicious document is successfully executed, APT28’s signature Gamefish malware will be installed in the computer. Once Gamefish is installed, it will use the spy tool EternalBlue to find machines that control both administrative WiFi and guest networks.

The malicious document – Hotel_Reservation_Form.doc, contains a macro that base64 decodes before deploying APT28's Gamefish malware. | FireEye |
The malicious document – Hotel_Reservation_Form.doc, contains a macro that base64 decodes before deploying APT28’s Gamefish malware. | FireEye |

After gaining access to the said machines, the malware will then deploy an open source Responder tool to steal information sent over the wireless network.

The post from FireEye stated that no guest credentials were stolen at the compromised hotels. However, they cited an incident in Fall 2016 when APT28 gained initial access to a victim’s network via credentials allegedly stolen from a hotel WiFi network.

This is not the first time that hackers targeted hotel guests. It was reported that a South Korean hacking group known as Fallout Team or DarkHotel, carried out a separate but similar attack against Asian hotels to acquire information from top executives of large global companies during their business trips.

U.S travelers are advised to refrain from using hotel WiFi and other public networks, especially in foreign lands. Instead, security experts suggest using mobile device hotspot to gain Internet access.

Do you ever use hotel WiFi or other public internet networks during your travels abroad? Let us know in the comment section below!

First AI Web Content Optimization Platform Just for Writers

Found this article interesting?

Let Chelle Fuertes know how much you appreciate this article by clicking the heart icon and by sharing this article on social media.

Profile Image

Chelle Fuertes

Chelle is the Product Management Lead at INK. She's an experienced SEO professional as well as UX researcher and designer. She enjoys traveling and spending time anywhere near the sea with her family and friends.

Comments (2)
Most Recent most recent
  1. Profile Image
    christiana shapes June 04 at 5:19 am GMT

    Can lost Bitcoin be Found or Retrieved?
    Generally speaking, whether
    lost bitcoin can be found or not depends on how it was lost. Considering
    the quantity of missing cryptocurrency out there, people have begun
    offering services to help recover lost bitcoin. These include data
    recovery specialists, but you need a professional recovery expert like
    Mr BRUCE to help you get back your lost bitcoin.
    Contact them to
    recover lost bitcoin, bitcoin cash, as well as all other forms of
    cryptocurrency. And you can be sure that no matter how long it has been
    lost, you will still get your bitcoin worth.
    Contact our support team for further assistance:
    WHATSAPP: +1 856 219 0486
    101 N BRAND BLVD.

  2. Profile Image
    Linda Anthony November 14 at 4:02 pm GMT

    GET RICH WITH BLANK ATM CARD, Whatsapp: +18033921735

    I want to testify about Dark Web blank atm cards which can withdraw money from any atm machines around the world. I was very poor before and have no job. I saw so many testimony about how Dark Web Online Hackers send them the atm blank card and use it to collect money in any atm machine and become rich I email them also and they sent me the blank atm card. I have use it to get 500,000 dollars. withdraw the maximum of 5,000 USD daily. Dark Web is giving out the card just to help the poor. Hack and take money directly from any atm machine vault with the use of atm programmed card which runs in automatic mode.

    You can also contact them for the service below

    * Western Union/MoneyGram Transfer

    * Bank Transfer

    * PayPal / Skrill Transfer

    * Crypto Mining

    * CashApp Transfer

    * Recover Stolen/Missing Crypto/Funds/Assets


    Telegram or WhatsApp: +18033921735

share Scroll to top

Link Copied Successfully

Sign in

Sign in to access your personalized homepage, follow authors and topics you love, and clap for stories that matter to you.

Sign in with Google Sign in with Facebook

By using our site you agree to our privacy policy.