'Darkhotel' hack targets executives using hotel Internet

Using hotel Wi-Fi networks, the hackers are able to infect corporate executives' computers with malicious software, according to security research firm Kaspersky Lab.

Don Reisinger

The majority of Darkhotel attacks are happening in Japan, Taiwan, China, Russia and South Korea, according to Kaspersky Lab.

Corporate executives traveling in Asia may need to be extra cautious the next time they connect to a hotel's Wi-Fi network -- that is, if they haven't already been hacked.

Over the last four years, malicious hackers have been stealing data from company executives while they stay in luxury hotels in an attack known as "Darkhotel," security research firm Kaspersky Lab revealed on Monday. The hackers gain access to executives' computers when they connect to a hotel's wireless Internet, the report said, though no specific hotels are named.

The majority of the attacks are happening in Japan, Taiwan, China, Russia and South Korea, according to the report, with top executives from the US and Asia among the recent targets.

How exactly does the Darkhotel attack work? Kaspersky Lab explains:

[The hackers] wait until, after check-in, the victim connects to the hotel Wi-Fi network, submitting his room number and surname at the log-in. The attackers see him in the compromised network and trick him into downloading and installing a backdoor that pretends to be an update for legitimate software - Google Toolbar, Adobe Flash or Windows Messenger. The unsuspecting executive downloads this hotel "welcome package," only to infect his machine with a backdoor, Darkhotel's spying software.

That's about all the hackers need. From there, they can infect computers with keyloggers, Trojans and other software meant to steal passwords, monitor keystrokes and collect private information, according to the report. With corporate executives often the target of Darkhotel, the goal appears to be stealing sensitive corporate information or gaining access to corporate networks.

Once the hack is over, all trace of the attack is removed and unsuspecting victims go about their lives not knowing that sensitive data on them and their corporations has been stolen, according to Kaspersky. The hackers apparently never go after the same target twice.

The hackers also spread the Darkhotel malware indiscriminately alongside these targeted attacks.

"The mix of both targeted and indiscriminate attacks is becoming more and more common in the [Advanced Packaging Tool] scene," said Kurt Baumgartner, principal security researcher at Kaspersky Lab. "Targeted attacks are used to compromise high-profile victims and botnet-style operations are used for mass surveillance or performing other tasks such as [distributed denial-of-service attacking] hostile parties or simply upgrading interesting victims to more sophisticated espionage tools."

The Kaspersky report did not specifically say what companies and executives have been targeted, only that the victims span a wide range of industries -- from electronics manufacturing to pharmaceuticals to non-governmental organizations. Nearly 90 percent of Darkhotel infections appear to be located in Japan, Taiwan, China, Russia and South Korea, the report said, though the malicious software has also been detected in the United States, the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy and others.

The attacks have been happening since at least 2009, according to the report, and continue to this day.