**August 11, 2017 | by Lindsay Smith, Ben Read | Threat Research** **FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian** **[actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers](https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html)** **to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these** **incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading** **[laterally via the EternalBlue exploit.](https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html)** **FireEye has uncovered a malicious document sent in spear phishing emails to multiple companies in the** **hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in** **early July. Successful execution of the macro within the malicious document results in the installation of** **[APT28’s signature GAMEFISH malware.](https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html)** **The malicious document – Hotel_Reservation_Form.doc (MD5: 9b10685b774a783eabfecdb6119a8aa3), as** **seen in Figure 1 – contains a macro that base64 decodes a dropper that then deploys APT28’s signature** **GAMEFISH malware (MD5: 1421419d1be31f1f9ea60e8ed87277db), which uses mvband.net and** **mvtband.net as command and control (C2) domains.** ----- **Figure 1: Hotel_Reservation_Form.doc (MD5: 9b10685b774a783eabfecdb6119a8aa3)** **[APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to](https://github.com/SpiderLabs/Responder)** **spread laterally through networks and likely target travelers. Once inside the network of a hospitality company,** **APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials** **were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall** **2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi** ----- **Responder. Responder facilitates NetBIOS Name Service (NBT-NS) poisoning. This technique listens for** **NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once** **received, Responder masquerades as the sought-out resource and causes the victim computer to send the** **username and hashed password to the attacker-controlled machine. APT28 used this technique to steal** **usernames and hashed passwords that allowed escalation of privileges in the victim network.** **To spread through the hospitality company’s network, APT28 used a version of the EternalBlue SMB exploit.** **This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen** **APT28 incorporate this exploit into their intrusions.** **In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours** **after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with** **stolen credentials. These 12 hours could have been used to crack a hashed password offline. After** **successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the** **victim's network, and accessed the victim's OWA account. The login originated from a computer on the same** **subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi** **network.** **We cannot confirm how the initial credentials were stolen in the 2016 incident; however, later in the intrusion,** **Responder was deployed. Since this tool allows an attacker to sniff passwords from network traffic, it could** **have been used on the hotel Wi-Fi network to obtain a user’s credentials.** **Cyber espionage activity against the hospitality industry is typically focused on collecting information on or** **from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information** **on the hotel as a means of facilitating operations. Business and government personnel who are traveling,** **especially in a foreign country, often rely on systems to conduct business other than those at their home** **office, and may be unfamiliar with threats posed while abroad.** **APT28 isn’t the only group targeting travelers. South Korea-nexus Fallout Team (aka Darkhotel) has used** **[spoofed software updates on infected Wi-Fi networks in Asian hotels, and Duqu 2.0 malware has been found](http://www.zdnet.com/article/hackers-are-using-hotel-wi-fi-to-spy-on-guests-steal-data/)** **on the networks of European hotels used by participants in the Iranian nuclear negotiations. Additionally, open** **sources have reported for several years that in Russia and China, high-profile hotel guests may expect their** **[hotel rooms to be accessed and their laptops and other electronic devices accessed.](https://www.theguardian.com/world/2013/oct/06/russia-monitor-communications-sochi-winter-olympics)** **These incidents show a novel infection vector being used by APT28. The group is leveraging less secure** **hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges.** **APT28’s already wide-ranging capabilities and tactics are continuing to grow and refine as the group expands** **its infection vectors.** **Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra** **precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat** **and should be avoided whenever possible.** **[Additional technical information and details are available to FireEye iSIGHT Intelligence customers through](https://www.fireeye.com/products/isight-cyber-threat-intelligence-subscriptions.html)** **our portal.** ----- **Posts, Lindsay Smith, Spear Phishing, Targeted Attacks, and Threat Research.** **Get information and insight on today's advanced threats from the leader in advanced** **threat prevention.** # First Name Last Name Email Address **Executive Perspective Blog** **Threat Research Blog** **Products and Services Blog** **Subscribe** **Contact Us** **+1 888-227-2721** **Company** **About FireEye** **Customer Stories** **Careers** **Partners** **[Investor Relations](http://investors.fireeye.com/)** **Supplier Documents** **News & Events** **Newsroom** **Press Releases** **Webinars** **Events** **Get information and insight on today's advanced threats from the leader in advanced** **threat prevention.** # First Name Last Name Email Address **Executive Perspective Blog** **Threat Research Blog** **Products and Services Blog** **Subscribe** ----- **Technical Support** **Incident?** **Report Security Issue** **Contact Support** **[Customer Portal](https://csportal.fireeye.com/secur/login_portal.jsp?orgId=00D3000000063LS&portalId=06030000000pSNE)** **[Communities](https://community.fireeye.com/welcome)** **[Documentation Portal](https://docs.fireeye.com)** **Cyber Threat Map** **Copyright © 2017 FireEye, Inc. All rights reserved.** **Privacy & Cookies Policy | Privacy Shield | Legal Documentation** -----