DarkHotel is a cyberattack group that engages in highly targeted malicious attacks. They seek to compromise and steal data from valuable targets like C-level business executives and other high-level figures. Classed by Kaspersky as an advanced persistent threat (APT), DarkHotel APT remains a major risk for governments, enterprises, and other institutions.
The name DarkHotel is derived from their unique method of tracking traveler’s plans and attacking them via hotel Wi-Fi. They have also been labeled as ‘Tapaoux’ due to the name of the Trojan they used in many attacks. Since their initial rising, they have scaled beyond business targets to attack politicians and more. With their long, mostly consistent history, they present a threat to national economies and politics across the globe.
DarkHotel has been known to compromise luxury hotel networks, then stage attacks from those networks on selected high-profile victims. At the same time, their botnet-style operations are used for massive surveillance or to perform other tasks. Other methods include DDoS (distributed Denial-of-Service) attacks or installing more sophisticated espionage tools on the computers of particularly interesting victims.
The DarkHotel group appears to use a combination of spear phishing, dangerous malware, and botnet automation designed to capture confidential data.
As analyzed by Kaspersky’s Global Research and Analysis Team, DarkHotel utilizes layered attacks. Generally, each type of campaign they’ve used involved two malware infection stages:
The first infection is usually a Trojan delivering access for the DarkHotel attackers. The malware payload then lies quietly in waiting for months before becoming active. Once active, the malware contacts a command-and-control (C&C) server for further instruction.
The second infection is delivered exclusively to high-value targets. These individuals are identified and loaded with a kernel-level keylogger or other spyware. DarkHotel can then collect any private data entered or stored in the device that they want.
To set up these attacks, the following methods are used in preparation and development:
Cybercriminals behind DarkHotel have been operating for over a decade, targeting thousands of victims across the globe. 90% of the DarkHotel infections we have seen are in Japan, Taiwan, China, Russia, and Korea, but we have also seen infections in Germany, the USA, Indonesia, India, and Ireland.
Typical endpoint targets include officials and executives in the following areas:
DarkHotel APT seems to have a particular interest in political officials, as well as global C-level executives leading economic growth and investing. Nuclear-equipped nations have notably appeared as their targets as well. Targeted attacks in enterprise sectors are focused on CEOs, Senior Vice Presidents, Sales and Marketing Directors, and top R&D staff.
Attacks typically start by tricking individual employees into doing something that jeopardizes corporate security. Staff with public-facing roles (e.g. senior executives, sales, and marketing personnel) can be particularly vulnerable, especially since they are often on the road and are likely to use untrusted networks (e.g. at hotels) to connect to a corporate network. They may also be using personal devices that are less secure or without antivirus protection.
DarkHotel attack campaigns are unusual due to employing layers of malicious targeting.
They began with hotel Wi-Fi attacks via the Tapaoux Trojan malware and botnet-like command infrastructure to further infiltrate targets. Around 2014, an investigation from Kaspersky prompted DarkHotel to initiate an emergency shutdown on most of their command-and-control servers. Despite a short period of quiet activity, the group has moved towards politically targeted spear phishing and mass P2P file-sharing infections as of 2016 via their Inexsmar malware.
Hotel Wi-Fi exploits are used against targets as a more direct means of spear phishing. By tracing unsuspecting executives who are traveling overseas, they can preemptively infect the Wi-Fi network of their hotel. This is done by planting the infection on the hotel’s server.
The infection spreads a rare Trojan that masquerades as one of several major software releases, including Google Toolbar, Adobe Flash, and Windows Messenger. This first stage infection is used by the attackers to qualify their victims. Once the intended targets have been identified, Dark Hotel attackers download further malware to their computers to steal confidential data.
Spear phishing emails are another half of the directly targeted campaign to infiltrate high-profile individuals. The attacks follow the typical spear phishing process with thoroughly disguised DarkHotel implants. Email-lure content often includes topics like nuclear energy and weaponry capabilities.
Over the past several years, spear phishing emails have contained an Adobe zero-day exploit attached. They’ve also used links that redirect targets’ browsers to Internet Explorer zero-day exploits.
While DarkHotel’s email and hotel attacks engage in pinpoint targeting, they also spread malware indiscriminately via Japanese P2P (peer-to-peer) file-sharing sites. The malware is distributed as a part of a large RAR archive. It purports to offer sexual content but installs a backdoor Trojan that gathers confidential data from the victim.
While all of these campaigns may not be currently active, these tactics have proven effective for DarkHotel. They may at any point try to use past methods for data breaching. Furthermore, they might be using or developing other methods aimed to hack high-level organizations.
As demonstrated throughout cyberattack history, the skill and effort put into an attack is usually no less than the scale of the payoff. DarkHotel uses refined tactics that seem to aim towards high-payoff data rather than less valuable targets.
Unlike many other malware-based attacks, the malicious programming in this ongoing campaign appears to be designed by a highly skilled coder. Based on a string within the malicious code, it appears that the threat points to a Korean threat actor as the source of origination.
DarkHotel’s attack developers use surgically precise attack methods to execute and clean up after their attacks. Their demonstrated high level of coding skill and planning makes their attacks extremely difficult to trace, much less spot them amid an attack. Their coordination in hotel attacks specifically suggests that they may have insider assistance at hotels.
Furthermore, the scale of targeting suggests nation-state actors or nation-state support for these attacks. With their history of targeting political, nuclear, and economic forces, DarkHotel poses a threat to national security across many countries. The spear phishing and botnet methods are still an ongoing threat for users.
Although total prevention can be challenging, here are some tips on how to stay safe from DarkHotel when traveling: