Appropriately paranoid travelers have always been wary of hotel Wi-Fi. Now they have a fresh justification of their worst wireless networking fears: A Russian espionage campaign has used those Wi-Fi networks to spy on high-value hotel guests, and recently started using a leaked NSA hacking tool to upgrade their attacks.

Since as early as last fall, the Russian hacker group known as APT28, or Fancy Bear, has targeted victims via their connections to hacked hotel Wi-Fi networks, according to a new report from security firm FireEye, which has closely tracked the group’s intrusions, including its breach of the Democratic National Committee ahead of last year’s election. Last month, FireEye says those hackers, believed to be associated with the Russian military intelligence service GRU, have begun to use EternalBlue, the leaked NSA hacking tool, as one technique to broaden their control of hotel networks after gaining an initial foothold via phishing or other techniques. Disturbingly, once those hackers take control of hotels' Wi-Fi, they’re using that access to harvest victim computers’ usernames and passwords silently, with a trick that doesn’t even require users to actively type them when signed onto the hotel network.

“It’s definitely a new technique" for the prolific Fancy Bear hacker group, says Ben Read, who leads FireEye’s espionage research team. “It’s a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.”

Checking In

FireEye says it first saw evidence that Fancy Bear might be targeting hotels in the fall of last year, when the company analyzed an intrusion that had started on one corporate employee's computer. The company traced that infection to the victim's use of a hotel Wi-Fi network while traveling; 12 hours after the person had connected to that network, someone connected to the same Wi-Fi network had used the victim's own credentials to log into their computer, install malware on their machine, and access their Outlook data. That implies, FireEye says, that a hacker had been sitting on the same hotel's network, possibly sniffing its data to intercept the victim's credentials.

Then, just last month, FireEye learned of a series of similar Wi-Fi attacks at hotels across seven European capitals and one Middle Eastern capital. In each case, hackers had first breached the target hotel's network—FireEye believes via the common tactic of phishing emails carrying infected attachments that included malicious Microsoft Word macros. They then used that access to launch the NSA hacking tool EternalBlue, leaked earlier this year in a collection of NSA internal data by hackers known as the ShadowBrokers, which allowed them to quickly spread their control through the hotels' networks via a vulnerability in Microsoft's so-called "server message block" protocol, until they reached the servers managing the corporate and guest Wi-Fi networks.

From there, the attackers used a network-hacking tool called Responder, which allowed them not only to monitor traffic on the hijacked networks, but also to trick computers connecting to them to cough up users' credentials without giving victims any sign of the theft. When the victim computer reaches out to known services like printers or shared folders, Responder can impersonate those friendly entities with a fake authentication process, fooling the victim machine into transmitting its network username and password. And while the password is sent in a cryptographically hashed form, that hashing can sometimes be cracked. (FireEye believes, for instance, that hackers used Responder to steal the hotel guest's password in the 2016 case; the 12-hour delay may have been the time it took to crack the hash.)

In each case, FireEye says that the hacked networks were those of moderately high-end hotels, the kind that attract presumably valuable targets. "These were not super expensive places, but also not the Holiday Inn," FireEye's Read says. "They're the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business."