Fancy Bear (1) or APT28 (2) is a Russia hacker collective; its claim to fame is the hacking of French television TV5 Monde (3), Democratic National Committee (4) and Clinton’s emails (5), which laid devastating impact on the US presidential elections last year.

The same team reportedly is involved in spying upon high-value guests visiting Middle Eastern and European hotels. Research suggests that to achieve their malicious objectives they are using a highly powerful NSA hacking tool EternalBlue (6) leaked by Shadow Brokers (7).

Cybersecurity firm FireEye’s research team has identified that Fancy Bear have been running an espionage campaign via Wi-Fi networks and to upgrade their attacks they are using a leaked NSA hacking tool.

APT28 attacked unsuspecting guests by hacking the Wi-Fi networks of the hotels across Europe. The scheme, claims FireEye, has links with Russian Military Intelligence service called GRU. The hacking group has now started using the EternalBlue to expand their control on hotel networks. It is worth noting that the group already has gained a foothold through various techniques like phishing.

Researchers Lindsay Smith and Ben Read stated in an official blog post that:

“A campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.”

All this is being done to control the Wi-Fi network of a hotel where their targeted personality is staying as a guest. The hackers use acquired access to the network to steal important, sensitive information like username and passwords from the victim’s network silently. They have used a unique method for obtaining sensitive data in which they did even need the user to type their credentials while using the hotel’s Wi-Fi network.

FireEye’s espionage research group head Ben Read states that the technique is a new one; it is a lot more passive way to spy on people and collect credentials. According to Read, the company got a hint of targeting of customers in European hotels during last fall when a corporate employee’s computer was intruded.

The victim’s computer was infected through a hotel’s Wi-Fi network, and 12 hours later, when the employee connected to that network it was learned that someone else had already connected to the same network using the credentials of the victim. The attacker logged in to the victim’s computer and installed malware to access Outlook data. Apparently, the hacker was spying upon the hotel’s network already probably he had an idea of the victim visiting that hotel or attacker was tracking the victim since long. The purpose of spying and tracking was to steal victim’s credentials.

Later on, FireEye identified a series of similar attacks using wireless networks of hotels across one Middle Eastern capital and 7 European capitals. All the attacks were similar since the hotel’s network was compromised initially through phishing emails that carried infected attachments including infected Microsoft Word Macros.

[fullsquaread][/fullsquaread]

The network was used to launch EternalBlue, which was part of a huge collection of internal data belonging to NSA leaked earlier this year by ShadowBrokers. EternalBlue helped the hackers in spreading their control across the entire network of the hotel rather quickly. This was made possible by a flaw in Server Message Block protocol of Microsoft (SMB). Attackers finally managed to access the corporate and guest Wi-Fi networks’ servers.

Using the Responder, another hacking tool, attackers were able to monitor traffic on these networks and trick computers that were connected to these compromised networks into giving away victim’s credentials without any trace. When the victim tried to use Printers or Shared Folders, Responder used a fake authentication process to fool the computer, and this is how attackers managed to get the username and password. The obtained password is in crack-able cryptographically hashed form.

FireEye noticed that the hacked networks were mostly of moderately high-end hotels where high-profile personalities might want to stay. Read explained:

“These were not super expensive places, but also not the Holiday Inn. They’re the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business.”

FireEye perhaps is moderately convinced that Fancy Bear is the real perpetrator of the attack on hotels in 2016 and the recent ones because the two malware GameFish and XTunnel used to attack the hotels’ Wi-Fi networks are associated with Fancy Bear. Furthermore, the C&C infrastructure of the 2016 attacks and latest ones is also similar.

The cyber security firm also believed that Fancy Bear’s use of EternalBlue malware represents that Russian hackers are now accessing NSA hacking tricks and that the group is continually improving its intrusion techniques. EternalBlue is a powerful hacking tool that performs computer intrusion silently.

FireEye has noted that business and government personnel traveling within or outside their country are key targets of Fancy Bear hackers. That’s because these travelers rely upon systems to carry out business outside the home office and are usually unfamiliar with threats they might face abroad. As of now, FireEye has only released information about the series of hack attacks and subsequent data breaches, but the research team hasn’t yet clarified the extent of success of this campaign from APT28.