Cyberespionage is the weapon of choice in the 21st century. Even a seemingly harmless mobile app is able to find out quite a few secrets that a careless user might reveal, let alone full-scale surveillance campaigns specifically targeted at representatives of major businesses and government organizations.
This autumn’s newest revelation is the discovery of a spy network, dubbed ‘Darkhotel’, which had been active for seven years in a number of Asian hotels. Furthermore, smart and professional spies involved in this long-running operation created a comprehensive toolkit consisting of various methods that can be used to break into victims’ computers.
The FBI first mentioned the attacks on guests that were staying in the hotels in question in 2012. However, the malware used over the course of Darkhotel’s activity (a.k.a. Tapaoux) have been popping up here and there as early as 2007.
The main method of infiltration into the victim’s PC was through Wi-Fi networks in a number of luxury Asian hotels. Cybercriminals used zero-day exploits in Adobe Flash and other popular products by renowned vendors. Such vulnerabilities are not easy to find, which proves the fact that either rich sponsors, who can afford to purchase quite an expensive cyber weapon, were behind the operation, or the high level of professionalism of the agents that were involved in the campaign. Likely both.
The aforementioned method of dropping spyware was the most frequently used, yet not the only, way for the criminals to handle the operation, which suggests that they were employed by hotels. The alternative involves a Trojan, distributed through torrent clients, as part of a compromised archive of adult-rated comics in Chinese. Also the cyberspies used targeted phishing, sending compromised emails to employees of state and non-profit organizations.
Strangely, the culprits were extremely cautious and designed a number of measures to prevent the detection of the malware. Firstly, they ensured the virus had a very long ‘incubation period’: the first time the Trojan connected to the C&C servers was 180 days after it had infiltrated the systems. Secondly, the spyware program had a self-destruction protocol if the language of the system changed to Korean.
The criminals were mainly operating in Japan, as well as in neighboring Taiwan and China. However, it was managed to detect attacks in other countries, including those very far from the territories, which were an interest for the culprits.
Commenting on Darkhotel researcher said: “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”
110 Reykjavik, Iceland