The Fancy Bear hackers are back and going after targets in Europe and the Middle East. The Kremlin-linked hacker group that has been deemed responsible for the DNC hack, as well as various other related cyber espionage attacks, has launched a new campaign targeting the hospitality industry. Fancy Bear, also known as APT28, is now using the NSA's EternalBlue exploit, which was leaked in April by the mysterious hacker group Shadow Brokers.
The hackers' new campaign, which involves sending out phishing emails, targets the hotel systems that control guest and internal Wi-Fi networks. The hackers have targeted at least 7 European hotels and 1 Middle Eastern hotel, according to FireEye researchers.
"APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. We believe this activity, which dates back to at least July 2017," FireEye researchers said.
The researchers said that they had "moderate confidence" that the attacks are the work of Fancy Bear hackers, as the campaign also involves sending out phishing emails that drop the group's signature Gamefish malware. The Responder tool used in the attacks allows Fancy Bear hackers to steal victims' usernames and hashed passwords, which researchers say boosts "escalation of privileges in the victim network."
"No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim's network via credentials likely stolen from a hotel Wi-Fi network," FireEye researchers said. "To spread through the hospitality company's network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen APT28 incorporate this exploit into their intrusions."
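Responder-style credential theft works by answering the LLMNR and NBT-NS name lookups that Windows hosts broadcast when a name is not found in DNS, so a network defender can look for a single host that answers lookups it has no business answering. The following detector is an added example written for this article, not code from FireEye or from the Responder project; it runs over a constructed log in a hypothetical sensor format (`timestamp protocol responder_ip answered name`), and the canary names and IP addresses are assumptions made up for the example.

```python
"""Heuristic detection of LLMNR/NBT-NS name-resolution poisoning.

Two signals are used:
  1. a host answers a "canary" name that does not exist on the network;
  2. a host answers many distinct names within a short window, which a
     legitimate host does not do because it only answers for its own name.
Added example; log format, addresses and names are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class NameResponse:
    ts: float           # seconds since epoch
    proto: str          # "LLMNR" or "NBT-NS"
    responder_ip: str   # host that answered the multicast/broadcast lookup
    queried_name: str   # name the client asked for (normalised to lower case)


# Names that no legitimate host on this network should ever answer for.
# Constructed for this example; a defender picks names that do not exist locally.
CANARY_NAMES = {"wpad-canary", "printsrv-zz"}

# Hypothetical sensor format: "<ts> <LLMNR|NBT-NS> <ip> answered <name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>LLMNR|NBT-NS)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+answered\s+(?P<name>\S+)$"
)


def parse_log(text):
    """Parse sensor lines into NameResponse records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let one bad line stop the detector
        records.append(NameResponse(float(m["ts"]), m["proto"], m["ip"], m["name"].lower()))
    return records


def find_poisoners(responses, window_s=300.0, min_distinct_names=5):
    """Return {responder_ip: reason} for hosts whose answering pattern looks like poisoning."""
    by_ip = {}
    for r in sorted(responses, key=lambda r: r.ts):
        by_ip.setdefault(r.responder_ip, []).append(r)

    flagged = {}
    for ip, rs in by_ip.items():
        canaries = sorted({r.queried_name for r in rs if r.queried_name in CANARY_NAMES})
        if canaries:
            flagged[ip] = f"answered canary name(s) {canaries}"
            continue
        # Sliding window over time: count distinct names answered within window_s.
        counts = Counter()
        start = 0
        for end, r in enumerate(rs):
            counts[r.queried_name] += 1
            while rs[end].ts - rs[start].ts > window_s:
                old = rs[start].queried_name
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_distinct_names:
                flagged[ip] = f"answered {len(counts)} distinct names within {window_s:.0f}s"
                break
    return flagged


# Constructed sample log (not real traffic). 10.0.0.5 is a legitimate file server
# answering only for its own name; 10.0.0.77 answers a canary; 10.0.0.88 answers
# five unrelated names in under a minute.
SAMPLE_LOG = """\
# ts proto responder_ip answered name
1499677200 NBT-NS 10.0.0.5 answered FILESERVER01
1499677260 LLMNR 10.0.0.5 answered fileserver01
1499677320 LLMNR 10.0.0.77 answered wpad
1499677330 LLMNR 10.0.0.77 answered fileserver1
1499677400 LLMNR 10.0.0.77 answered printsrv-zz
1499677500 NBT-NS 10.0.0.5 answered FILESERVER01
1499677600 LLMNR 10.0.0.88 answered wpad
1499677610 LLMNR 10.0.0.88 answered proxy
1499677620 NBT-NS 10.0.0.88 answered INTRANET
1499677630 LLMNR 10.0.0.88 answered hr-share
1499677640 LLMNR 10.0.0.88 answered sharepoint
this line is malformed and is skipped
"""


if __name__ == "__main__":
    for ip, reason in find_poisoners(parse_log(SAMPLE_LOG)).items():
        print(f"possible poisoner {ip}: {reason}")
```

The canary check is the cheaper and more reliable signal: seeding a few lookups for names that do not exist and alerting on any answer catches a poisoner on its first response, while the distinct-names window catches one that has not yet been probed. Both signals are tuned here for a small network; on a larger one the window and threshold would need adjusting to the normal rate of failed lookups.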
FireEye experts said that travellers, especially those from the government and corporate sectors, might be Fancy Bear's likely targets. Since government and business officials travelling to foreign nations often rely on hotel Wi-Fi networks, they may be the most vulnerable to such attacks.
"These incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials," FireEye researchers said, adding that Fancy Bear hackers' "already wide-ranging capabilities and tactics are continuing to grow and refine as the group expands its infection vectors."