Russian cyber-espionage group APT28 has allegedly used EternalBlue — an NSA exploit — in an attempt to steal the credentials of travelers abroad.
APT28 Group Used NSA Exploit, Says Security Firm
Last month, APT28 also launched a series of attacks on travelers staying at hotels in Europe and regions of the Middle East. They carried out the attacks by tricking guests into downloading malicious files that mimicked hotel reservations.
If these files were opened, they would install a “dropper” that ultimately downloaded malware called Gamefish.
APT28 used the EternalBlue variant to spread through a hotel’s network, together with py2exe, a Python extension that converts Python scripts (.py) into Microsoft Windows executables (.exe).
However, according to the researchers, this was the first time they had seen APT28 incorporate the exploit into its intrusions.
The primary motivation for the intrusion was to steal private information from business travelers using hotel Wi-Fi networks, something the group apparently failed at, as no successful incident was observed.
Hotels in seven European countries and one Middle Eastern country were targeted.
Group Linked to Several High-Profile Attacks
APT28, or “Fancy Bear”, is a Russian-speaking cyber-espionage group that has been linked to the Russian government through the country’s military intelligence agency, the Main Intelligence Directorate (GRU).
Experts believe the group has been operating since the mid-2000s, and its capabilities often resemble those of a nation state.
It has also been accused of numerous other high-profile cyber attacks around the world over the past few years. These include a six-month-long cyber-attack on the German parliament that began in December 2014.
It has also been accused of hacking the French television network TV5Monde and of launching attacks on NATO and the White House.
The group gained widespread infamy when it was identified by CrowdStrike as the actor behind phishing attacks on email addresses associated with the Democratic National Committee in the first part of 2016.
It also attempted to target groups related to the French and German 2017 elections.
What do you think of APT28’s attempts to steal information from travelers? Let us know in the comments below.
Images via eluniversalqueretaro.mx, Heimdal Security