DarkHotel: A North Korean hacker group which is widely known for targeting high-profile hotels

• The group obtained its name for compromising Wi-Fi and file sharing networks of luxury hotels.
• They steal sensitive data from the top executives while they are staying in luxury hotels.

DarkHotel is a North Korea-linked threat actor group that has been active since at least 2007. The group obtained its name for compromising Wi-Fi and file sharing networks of luxury hotels. They also go by the alias Tapaoux, Pioneer, Karba and Nemim.

Primary target

The threat group uses a combination of highly sophisticated methods to ensnare victims, but the hotel hacks continue to be a high-value target. A majority of the hotels that are hit are located in Asia, followed by some in the US. The hackers’ victims have been identified in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia and Germany. The first DarkHotel espionage campaign was discovered by experts at Kaspersky Lab in late 2014

Modus operandi

This APT drives a majority of its campaign via a spear-phishing attack. They steal sensitive data from top executives, including CEOs, senior vice presidents, sales and marketing directors from various organizations, while they were staying in luxury hotels. These top executives are primarily from manufacturing, defense, capital, pharmaceutical, law enforcement and military services and other industries.

The attackers leverage several methods including zero-day exploits to hack into the targeted systems. One of the zero-day exploits that the group uses is a Flash vulnerability. It initiates its hacking process by compromising Wi-Fi networks. When users connect to the network, they are represented with a dialog box that asks them to install a fake update. Instead, the fake update is actually a digitally signed piece of malware.

The malware used by the North Korean hacker group comes equipped with keylogging other information stealing feature which is then sent back to the attackers.

“At the hotels, these installs are selectively distributed to targeted individuals. This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the internet,” said Kaspersky Lab in its analysis report.

The group’s operations also includes the hackers gaining access to some of the hotels’ systems that maintain the registration information for guests. By gaining access to the list, the attackers are able to gather information on their prime targets. The attackers could access information such as a victim’s expected arrival and departure times, room number and full name, among other things.

In addition to polluting peer-to-peer networks to infect the masses, DarkHotel uses a variety of digital certificates to extend their attack. The group exploits weakly implemented digital certificates to sign their malcode.

“The actor abused the trust of at least ten CAs in this manner. Currently, they are stealing and re-using other legitimate certificates to sign their mostly static backdoor and info stealer toolset. Their infrastructure grows and shrinks over time, with no consistent pattern to the setup. It is both protected with flexible data encryption and poorly defended with weak functionality,” Kaspersky Lab explains.

Tactics, Techniques and Procedures

Darkhotel has a field day when it comes to choosing tools and tactics for compromising a hotel network. This includes:

• Using keyloggers as most hotels have publicly accessible computers.
• Installing a simple malware downloader or malware on the guest computer to gather information.
• Leveraging zero-day exploit.
• Delivering malware via spear-phishing attack.