“update.” If you can, use your mobile device to confirm the existence of the update from the vendor’s site and, if it’s not critical, wait until you’re back in a safe environment, such as a corporate office or back home, to download it.[22] Researchers at Kaspersky Lab, a software security company, discovered a group of criminal hackers they call DarkHotel (also known as Tapaoux) who use this technique. They operate by identifying business executives who might be staying at a particular luxury hotel, then anticipate their arrival by placing malware on the hotel server. When the executives check in and connect to the hotel Wi-Fi, the malware is downloaded and executed on their devices. After the infection is complete, the malware is removed from the hotel server. Apparently this has been going on for almost a decade, the researchers noted.
Although it primarily affects executives staying at luxury hotels in Asia, it could be common elsewhere. The DarkHotel group in general uses a low-level spear-phishing attack for mass targets and reserves the hotel attacks for high-profile, singular targets—such as executives in the nuclear power and defense industries.
One early analysis suggested that DarkHotel was South Korea–based. A keylogger—malware used to record the keystrokes of compromised systems—used in the attacks contains Korean characters within the code. And the zero-days—vulnerabilities in software that are unknown to the vendor—were very advanced flaws that were previously unknown. Moreover, a South Korean name identified within the keylogger has been traced to other sophisticated keyloggers used by Koreans in the past.
It should be noted, however, that this is not enough to confirm attribution. Software can be cut and pasted from a variety of sources. Also, software can be made to look as though it is created in one country when it is actually created in another.
To get the malware on the laptops, DarkHotel uses forged certificates that appear as though they are issued from the Malaysian government and Deutsche Telekom. Certificates, if you remember from chapter 5, are used to verify the origin of the software or the Web server. To further hide their work, the hackers arranged it so that the malware stays dormant for up to six months before becoming active. This is to throw off IT departments that