Slashdot Mirror

← Back to Stories (view on slashdot.org)

Espionage Campaign Targets Corporate Executives Traveling Abroad

Posted by samzenpus on from the all-your-data-are-belong-to-us dept.

An anonymous reader writes Kaspersky Lab researched the Darkhotel espionage campaign, which has lurked in the shadows for at least four years while stealing sensitive data from selected corporate executives traveling abroad. Darkhotel hits its targets while they are staying in luxury hotels. The crew never goes after the same target twice; they operate with surgical precision, obtaining all the valuable data they can from the first contact, deleting traces of their work and fading into the background to await the next high profile target. The most recent traveling targets include top executives from the USA and Asia doing business and investing in the APAC region: CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This threat actor is still active.

1 of 101 comments (clear)

  1. Re:marketing by mlts · · Score: 4, Informative

    One can accuse Kaspersky of being a mouthpiece for Russian propaganda, but in this case, this is a genuine threat.

    One Wi-Fi network at a local eatery always tries to replace one of my E-mail provider's SSL keys with one from 192.168.168.168. Most people would just click "continue" or "accept"... or even have their Exchange client configured to accept any SSL key. This makes it plausible that a black bag group could step in to do stuff like this.

    Of course, since people are so inundated with updates for Flash, Web browsers, and Java, clicking on yet another update becomes muscle memory, so a Trojan horse is definitely an avenue of attack. Couple this with a transparent proxy that is configured to MITM a key or two, and it isn't surprising how a group like this can score big.

    The solution? There is no single magic bullet, but there are things that can help. The most important is user training, but next to that:

    1: VPNs. The only key that can be attacked by a compromised local Wi-Fi AP would be the VPN's, and a good profile would just disallow access if this is the case.

    2: Home Depot announced that it is moving to Macs. No, OS X is not 100% secure (as the exploit posted last week shows), but the bad guys have their tools honed for Windows. For the most part, Macs are not on the bad guys' menu. Running an alternative platform might be an idea.

    3: Going with Citrix, and have the laptop be essentially a dumb terminal. Bad guys can still compromise it, especially with a RAT and taking over the session, but going with this raises the bar, especially if 2FA is used. Again, this isn't 100%, but it does help.

    4: Tools like enterprise DeepFreeze. Store data on an encrypted, thawed partition, have the OS and applications be on the "frozen" drive. This makes cleanup a matter of just rebooting, assuming the documents are not compromised.

    5: Tools like AppLocker or other programs to ensure unauthorized stuff isn't put on. For salespeople, this isn't going to happen, as they are the company breadwinners.

    6: VMs. If the user knows what they are doing, VMs/sandboxes and a VDI can be useful, however, with non-technical people, the KISS principle is important, as they may not want to waste the time firing up a VM in order to browse the web between their presentations.

    As for antivirus, this attack is a Dancing Pigs/Dancing Bunnies attack, and no AV software will protect against it, unless the user is denied admin rights on their laptop.