Indian Hotels Being Targeted by Russian Hacking Group for User Data: FireEye

Indian Hotels Being Targeted by Russian Hacking Group for User Data: FireEye


  • APT28 is targeting the hospitality sector globally
  • APT28 uses various hacking techniques such as “EternalBlue”
  • “Indian organisations should have strong security controls in place”

A Russian hacking group “APT28” is targeting the hospitality sector globally and the Indian hotels and resorts must have strong Wi-Fi security in place to safeguard travellers’ data from being stolen, a cyber-security company said on Friday.

APT28 has already attacked travellers in hotels throughout Europe and the Middle East in a campaign that dates back to July this year, according to the US-based company FireEye.

APT28 uses various hacking techniques, such as “EternalBlue” and “Responder” sniffing passwords from Wi-Fi traffic.

“One of the most concerning aspects of this operation is the victims included hotel guests who didn’t do anything wrong. They didn’t click a malicious link or open an attachment they shouldn’t have. They simply used the Internet over Wi-Fi in their hotels,” Subhendu Sahu, Acting Country Manager for India, FireEye, told IANS.

“Indian organisations should have strong security controls in place to detect attackers who compromise travelling employees’ systems and then follow them home like an unwanted souvenir,” Sahu added.

FireEye has claimed to have found a malicious document named “Hotel_Reservation_Form.doc”, sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country.

APT28 used EternalBlue and Responder to spread laterally through networks and target travellers to steal usernames and hashed passwords.

According to FireEye, APT28, in an incident in 2016, gained initial access to a victim’s network via credentials likely stolen from the hotel Wi-Fi network and hacked the victim’s Outlook Web Access (OWA) account.

Once inside the network of a hospitality company, APT28 seeks machines that control both guest and internal Wi-Fi networks.

“Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations,” FireEye said.

“Business and government personnel who are travelling often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad,” it added.

Travellers must be aware of the threats especially when in foreign countries and take extra precautions to secure their systems and data.

“Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible,” FireEye warned.

There are also other hacking groups targeting travellers apart from APT28, including “South Korea-nexus Fallout Team” (also known as “Darkhotel”) and “Duqu 2.0”.