{
	"id": "71fe4c7c-6c83-414e-abc2-63c8073e0ebc",
	"created_at": "2026-04-06T01:29:11.386292Z",
	"updated_at": "2026-04-10T13:12:06.057542Z",
	"deleted_at": null,
	"sha1_hash": "f990f9b65b833b187f5f5e8d0e9c861e6c858839",
	"title": "APT28 Targets Hospitality Sector, Presents Threat to Travelers « APT28 Targets Hospitality Sector, Presents Threat to Travelers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73943,
	"plain_text": "APT28 Targets Hospitality Sector, Presents Threat to Travelers\r\nBy Lindsay Smith, Ben Read | Threat Research\r\nPublished: 2017-08-11 · Archived: 2026-04-06 01:19:06 UTC\r\nFireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.\r\nAPT28 Uses Malicious Document to Target Hospitality Industry\r\nFireEye has uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July. Successful execution of the macro within the malicious document results in the installation of APT28’s signature GAMEFISH malware.\r\nThe malicious document – Hotel_Reservation_Form.doc (MD5: 9b10685b774a783eabfecdb6119a8aa3), as seen in Figure 1 – contains a macro that base64 decodes a dropper that then deploys APT28’s signature GAMEFISH malware (MD5: 1421419d1be31f1f9ea60e8ed87277db), which uses mvband.net and mvtband.net as command and control (C2) domains.\r\nhttps://web.archive.org/web/20171202185937/https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html\r\nPage 1 of 4\r\nFigure 1: Hotel_Reservation_Form.doc (MD5: 9b10685b774a783eabfecdb6119a8aa3)\r\nAPT28 Uses Novel Techniques to Move Laterally and Potentially Target Travelers\r\nAPT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.\r\nUpon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder. Responder facilitates NetBIOS Name Service (NBT-NS) poisoning. This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network.\r\nTo spread through the hospitality company’s network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen APT28 incorporate this exploit into their intrusions.\r\nIn the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network.\r\nWe cannot confirm how the initial credentials were stolen in the 2016 incident; however, later in the intrusion, Responder was deployed. Since this tool allows an attacker to sniff passwords from network traffic, it could have been used on the hotel Wi-Fi network to obtain a user’s credentials.\r\nLong-Standing Threats to Travelers\r\nCyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations. Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad.\r\nAPT28 isn’t the only group targeting travelers. South Korea-nexus Fallout Team (aka Darkhotel) has used spoofed software updates on infected Wi-Fi networks in Asian hotels, and Duqu 2.0 malware has been found on the networks of European hotels used by participants in the Iranian nuclear negotiations. Additionally, open sources have reported for several years that in Russia and China, high-profile hotel guests may expect their hotel rooms to be accessed and their laptops and other electronic devices accessed.\r\nOutlook and Implications\r\nThese incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges. APT28’s already wide-ranging capabilities and tactics are continuing to grow and refine as the group expands its infection vectors.\r\nTravelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.\r\nAdditional technical information and details are available to FireEye iSIGHT Intelligence customers through our portal.\r\nSource: https://web.archive.org/web/20171202185937/https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20171202185937/https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html"
	],
	"report_names": [
		"apt28-targets-hospitality-sector.html"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438951,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f990f9b65b833b187f5f5e8d0e9c861e6c858839.pdf",
		"text": "https://archive.orkl.eu/f990f9b65b833b187f5f5e8d0e9c861e6c858839.txt",
		"img": "https://archive.orkl.eu/f990f9b65b833b187f5f5e8d0e9c861e6c858839.jpg"
	}
}