Written by Chris Bing

A group of Russian hackers best known for breaking into the Democratic National Committee have been using a leaked NSA espionage tool to target hotels across Europe in an apparent attempt to spy on specific guests, according to new research published by cybersecurity firm FireEye.

The research underscores how cyber-espionage outfits backed by nation-states are readily leveraging a cache of NSA hacking tools that were leaked over the last year by a mysterious group named The Shadow Brokers. The U.S. government is currently engaged in an extensive counterintelligence investigation to identify who is behind The Shadow Brokers, CyberScoop first reported, with the recent focus pointed at a former U.S. intelligence community insider.

Computer networks of at least seven hotels across Europe and one in the Middle East were infected with malware used by the Russian hackers, codenamed APT28 or Fancy Bear by security researchers.

“FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East,” a blog post published Friday by FireEye researchers Lindsay Smith and Ben Read reads. “The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.”

FireEye found evidence in July that APT28 had sent a barrage of spearphishing emails to a series of targeted hotels. These malicious emails contained attachments designed to mimic guest reservation forms, but when opened would covertly download APT28’s signature “GAMEFISH” malware onto the device.

GameFish is a remote access trojan that provides attackers with a wide range of espionage capabilities including data exfiltration and lateral network movement. GameFish is an exclusive capability of APT28; the tool’s existence is the best indicator that Russian hackers are likely involved.

Once inside a hotel network, APT28 relied on an open source Responder tool and Windows-specific hacking capability named EternalBlue, which was originally used by the NSA to access machines using Microsoft’s server message block (SMB) protocol. This was done to narrow down their focus on certain machines used by specific guests.

Responder is typically used by professional penetration testers as a means to trick a computer into connecting to an offsite device to steal user credentials.

“Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations,” according to FireEye. “Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad.”

Although the research indicates that multiple breaches occurred, it’s not clear how successful APT28’s hotel-focused espionage campaign was in the scope of gathering intelligence.