The hotel guest probably never knew what hit him. When he tried to get online using his five-star hotel’s WiFi network, he got a pop-up alerting him to a new Adobe software update. When he clicked to accept the download, he got a malicious executable instead.

What he didn’t know was that the sophisticated attackers who targeted him had been lurking on the hotel’s network for days waiting for him to check in. They uploaded their malware to the hotel’s server days before his arrival, then deleted it from the hotel network days after he left.

That’s the conclusion reached by researchers at Kaspersky Lab and the third-party company that manages the WiFi network of the unidentified hotel where the guest stayed, located somewhere in Asia. Kaspersky says the attackers have been active for at least seven years, conducting surgical strikes against targeted guests at other luxury hotels in Asia as well as infecting victims via spear-phishing attacks and P2P networks.

Kaspersky researchers named the group DarkHotel, but they’re also known as Tapaoux by other security firms who have been separately tracking their spear-phishing and P2P attacks. The attackers have been active since at least 2007, using a combination of highly sophisticated methods and pedestrian techniques to ensnare victims, but the hotel hacks appear to be a new and daring development in a campaign aimed at high-value targets.

“Every day this is getting bigger and bigger,” says Costin Raiu, manager of Kaspersky’s Global Research and Analysis Team. “They’re doing more and more hotels.” The majority of the hotels that are hit are in Asia but some are in the U.S. as well. Kaspersky will not name the hotels but says they’ve been uncooperative in assisting with the investigation.

“This Is NSA-Level Infection Mechanism”

The attackers’ methods include the use of zero-day exploits to target executives in spear-phishing attacks as well as a kernel-mode keystroke logger to siphon data from victim machines. They also managed to crack weak digital signing keys to generate certificates for signing their malware, in order to make malicious files appear to be legitimate software.

“Obviously, we’re not dealing with an average actor,” says Raiu. “This is a top-class threat actor. Their ability to do the kernel-mode key logger is rare, the reverse engineering of the certificate, the leveraging of zero days—that puts them in a special category.”

Targets in the spear-phishing attacks include high-profile executives—among them a media executive from Asia—as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. “All nuclear nations in Asia,” Raiu notes. “Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments.” Recently there has been a spike in the attacks against the U.S. defense industry.

The attackers seems to take a two-pronged approach—using the P2P campaign to infect as many victims as possible and then the spear-phishing and hotel attacks for surgically targeted attacks. In the P2P attacks thousands of victims are infected with botnet malware during the initial stage, but if the victim turns out to be interesting, the attackers go a step further to place a backdoor on the system to exfiltrate documents and data.

Until recently, the attackers had about 200 command-and-control servers set up to manage the operation. Kaspersky managed to sinkhole 26 of the command server domains and even gained access to some of the servers, where they found unprotected logs identifying thousands of infected systems. A lot of the machines in the attackers’ logs, however, turned out to be sandboxes set up by researchers to ensnare and study botnets, showing how indiscriminating the attackers were in their P2P campaign. The attackers shut down much of their command infrastructure in October, however, presumably after becoming aware that the Kaspersky researchers were tracking them

“As far as I can see there was an emergency shut down,” Raiu says. “I think there is a lot of panic over this.”

Signs Point to South Korea

That panic may be because the campaign shows signs of possibly emanating from an important U.S. ally: South Korea. Researchers point out that one variant of malware the attackers used was designed to shut down if it found itself on a machine whose codepage was set to Korean. The key logger the attackers used also has Korean characters inside and appears to have ties to a coder in South Korea. The sophisticated nature of the key logger as well as the attack on the RSA keys indicates that DarkHotel is likely a nation-state campaign—or at least a nation-state supported campaign. If true, this would make the attack against the U.S. defense industry awkward, to say the least.

Raiu says the key logger, a kernel-mode logger, is the best written and most sophisticated logger he’s seen in his years as a security researcher. Kernel-mode malware is rare and difficult to pull off. Operating at the core of the machine rather than the user level where most software applications run, allows the malware to better bypass antivirus scanners and other detection systems. But kernel-mode malware requires a skillful touch since it can easily crash a system if not well-designed.

“You have to be very skilled in kernel-level development and this is already quite a rare skillset,” says Vitaly Kamluk, principal security researcher at Kaspersky Lab. “Then you have to make it very stable…. It must be very stable and very well tested.”

There’s no logical reason to use a kernel-level keylogger says Raiu since it’s so easy to write key loggers that hook the Windows API using about four lines of code. “But these guys prefer to do a kernel-level keylogger, which is about 300 kilobytes in size—the driver for the key logger—which is pretty crazy and very unusual. So the guy who did it is super confident in his coding skills. He knows that his code is top-notch.”

The logger, which was created in 2007, appears to have been written by someone who goes by the name “Chpie”—a name that appears in source code for the logger. Chpie is the name used by a South Korean coder who is known to have created another kernel-level key logger that Raiu says appears to be an earlier version of this one. The key logger in the DarkHotel attack uses some of the same source code but is more sophisticated, as if it’s an upgraded version of the earlier keylogger.

Aside from the sophisticated key logger, the attacker’s use of digital certificates to sign their malware also points to a nation-state or nation-state supported actor. The attackers found that a certificate authority belonging to the Malaysian government as well as Deutsche Telekom were using weak 512-bit signing keys. The small key size allowed the attackers, with a little super-computing power, to factor the 512-bit RSA keys (essentially re-engineer them) to generate their own digital certificates to sign their malware.

“You very rarely, if ever, see such techniques used by APT (advanced persistent threat) groups,” Raiu says. “Nobody else as far as we know has managed to do something similar, despite the fact that these certificates existed for some time…. This is [an] NSA-level infection mechanism.”

These sophisticated elements of the attack are important, but the most intriguing part of the DarkHotel campaign is the hotel operation.

Unravelling the Mystery of DarkHotel

The Kaspersky researchers first became aware of the hotel attacks last January when they got reports through their automated system about a cluster of customer infections. They traced the infections to the networks of a couple of hotels in Asia. Kamluk traveled to the hotels to see if he could determine how guests were being infected, but nothing happened to his machine. The hotels proved to be of no help when Kamluk told them what was happening to guests. But during his stay, he noticed that both hotels used the same third-party firm to manage its guest WiFi.

Some hotels own and operate their network infrastructure; others use a managed services firm. The company managing the WiFi network of the two hotels Kamluk visited wishes to remain anonymous, but it was an unusually willing partner in getting to the bottom of the attacks. It acted quickly to provide Kaspersky with server images and logs to track down the attackers.

Although the attackers left very few traces, “There were certain command lines which should not have been there in the hotel system,” a senior executive with the managed-services company says.

In one case, the researchers found a reference to a malicious Windows executable in the directory of a Unix server. The file itself was long gone, but a reference pointing to its former existence remained. “[T]there was a file-deletion record and a timestamp of when it happened,” says Kamluk. Judging from traces left behind, the attackers had operated outside normal business hours to place their malware on the hotel system and infect guests.

“They started early in the morning before the hotel staff would arrive to the office and then after they leave the office they were also distributing the malware then,” says the senior executive. “This is not just something that happened yesterday. These are people who have been taking their time. They’ve been trying to access networks over the last years.”

It’s unclear how many other hotels they’ve attacked, but it appears the hackers cherry-pick their targets, only hitting hotels where they know their victims will be staying.

When victims attempt to connect to the WiFi network, they get a pop-up alert telling them their Adobe Flash player needs an update and offering them a file, digitally signed to make it look authentic, to download. If the victims accept they download, they get a Trojan delivered instead. Crucially, the alerts pop up before guests actually get onto the WiFi network, so even if they abandon their plan to get online, they are infected the moment they hit “accept.” The malware doesn’t then immediately go to work. Instead it sits quietly for six months before waking up and calling home to a command-and-control server. Raiu says this is likely meant to circumvent the watchful eyes of IT departments who would be on the lookout for suspicious behavior immediately after an executive returned from a trip to Asia.

At some of the hotels, only a few victims appear to have been targeted. But on other systems, it appears the attackers targeted a delegation of visitors; in that instance, evidence shows they tried to hit every device attempting to get online during a specific period of time.

“Seems like some event occurred or maybe some delegation visited the hotel and stayed there for a few days and they tried to hit as many members of the delegation as possible,” Raiu says. He thinks the victims were ones the attackers couldn’t reach through ordinary spearphishing attacks—perhaps because their work networks were carefully protected.

Kaspersky still doesn’t know how the attackers get onto the hotel servers. They don’t live on the servers the way criminal hackers do—that is, maintain backdoor access to the servers to gain re-entry over an extended period of time. The DarkHotel attackers come in, do their deed, then erase all evidence and leave. But in the logs, the researchers found no backdoors on the systems, so either the attackers never used them or successfully erased any evidence of them. Or they had an insider who helped them pull off the attacks.

The researchers don’t know exactly who the attackers were targeting in the identified hotel attacks. Guests logging onto WiFi often have to enter their last name and room number in the WiFi login page, but neither Kaspersky, nor the company that maintained the WiFi network, had access to the guest information. Reports that come into Kaspersky’s automated reporting system from customers are anonymous, so Kaspersky is seldom able to identify a victim beyond an IP address.

The number of hotels that have been hit is also unknown. So far the researchers have found fewer than a dozen hotels with infection indicators. “Maybe there are some hotels that … use to be infected and we just cannot learn about that because there are no traces,” the network-management executive says.

The company worked with Kaspersky to scour all of the hotel servers it manages for any traces of malware and are “fairly confident that the malware doesn’t sit on any hotel server today.” But that is just one network-management company. Presumably, the DarkHotel operation is still active on other networks.

Safeguarding against such an attack can be difficult for hotel guests. The best defense is to double check update alerts that pop up on your computer during a stay in a hotel. Go to the software vendor’s site directly to see if an update has been posted and download it directly from there. Though, of course, this won’t help if the attackers are able to redirect your machine to a malicious download site.