DarkHotel Cyber attack campaign
The Dark Hotel cyber threat sees businessmen and women targeted through Wi-Fi networks at hotels and business centres around the world. (Credit: Kaspersky Labs)

A sophisticated malware campaign known as DarkHotel is using Wi-Fi networks at luxury hotels across the globe to track and attack executives at major companies.

The DarkHotel campaign has been in operation since 2007 and continues to use hotel and business centre Wi-Fi networks today in order to "provide the attackers with precise global scale access to high value targets."

Executives from the private equity, pharmaceutical and electronics manufacturing industries, and figures from law enforcement, military services and non-government organisations are among those who have been compromised by the campaign.

While Kaspersky Lab, which identified the group, has seen infections in a huge range of countries, including across Europe, 90% of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea. The primary targets are top executives from the US and Asia who are doing business and investing in the APAC region.


Kaspersky Lab says that overall, since 2008, the infection count numbers in the thousands and that is only set to grow:

"Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more DarkHotel activity in the coming years."

DarkHotel works when a victim connects to a hotel Wi-Fi network and downloads a piece of malware posing as an update to a major piece of software such as Google Toolbar, Adobe Flash or Windows Messenger.

Once installed, the malware can steal sensitive information from the victim's laptop. It can also be updated remotely, allowing the criminals behind it to install more advanced tools such as keyloggers, which can steal passwords and login credentials.


Commenting on the DarkHotel campaign, Mark James from ESET highlighted that this attack is atypical:

"This type of targeted attack is not common. The steps taken to infect the machines and factors that have to be in place for it to work make it a very specialist type of infection. The fact that they target specific industrial sectors forces them to limit their targets but when they achieve their goal, the rewards should be considerably greater. Normally Wi-Fi type attacks take a much more general approach instead attempting to infect anything and everything."

While James says that the use of Virtual Private Networks (VPNs) is the way forward, Amichai Shulman from Imperva has other ideas:

"Organisations who want to reduce such risks can equip their travelling managers with cellular modems - they allow the device to directly connect to the Internet, not going through the hotel portal and not using the (usually) unencrypted hotel Wi-Fi network."

Finally, TK Keanini from Lancope warned that business travellers need to worry about more than just connecting to dodgy Wi-Fi networks:

"It is not just the Wi-Fi you must pay attention to while travelling. Physical security of your computing devices is just as important. If you leave your hotel room, you must put your computer in the safe or take it with you. Do not leave it in your room as hotel workers who have access to your room have been known to gain physical access to your laptop and install malware. Why steal anything and raise red flags when they can just gain access to your computer remotely and take what they need when they need it?"