Friday, May 20, 2022

Russian Hackers ‘APT28’ Allegedly Used NSA Exploit in Hotel Cyberattacks

Russian cyber-espionage group APT28 has allegedly used EternalBlue — an NSA exploit — in an attempt to steal the credentials of travelers abroad.

APT28 Group Used NSA Exploit, Says Security Firm

Last month, APT28 launched a series of attacks on travelers staying at hotels in Europe and parts of the Middle East. The group carried out the attacks by tricking guests into downloading malicious files disguised as hotel reservation documents.

Opening one of these files installed a “dropper” that ultimately downloaded malware known as Gamefish.

According to private security firm FireEye, the group employed a version of the NSA exploit “EternalBlue” during their attacks.

APT28 used the EternalBlue variant to spread through a hotel’s network, alongside py2exe, a utility that packages Python scripts (.py) into Microsoft Windows executables (.exe).

However, according to the researchers, this was the first time they had seen APT28 incorporate the exploit into its intrusions.

The primary motivation for the intrusion was to steal private information from business travelers using hotel Wi-Fi networks, something the group apparently failed at, as no successful incident was observed.

Hotels in seven European countries and one Middle Eastern country were targeted.

Group Linked to Several High-Profile Attacks

APT28, also known as “Fancy Bear”, is a Russian-speaking cyber-espionage group that has been linked to the Russian government through the country’s military intelligence agency, the Main Intelligence Directorate (GRU).

Experts believe the group has been operating since the mid-2000s, and its capabilities often match those of a nation state.

It has also been accused of numerous other high-profile cyberattacks around the world over the past few years, including a six-month-long cyberattack on the German parliament that began in December 2014.

The group has also been accused of hacking the French television network TV5Monde and of launching attacks on NATO and the White House.

The intelligence group gained widespread infamy when they were identified by CrowdStrike as the actors behind phishing attacks on email addresses associated with the Democratic National Committee in the first part of 2016.

The group also attempted to target organizations involved in the 2017 French and German elections.

What do you think of APT 28’s attempts to steal information from travelers? Let us know in the comments below.

Images via Heimdal Security