A notorious Russia-linked hacker group known for cyber espionage is apparently involved in an ongoing campaign targeting numerous hotels in European countries.
FireEye has linked the attacks with moderate confidence to APT28, a threat actor also known as Pawn Storm, Fancy Bear, Sofacy, Sednit and Strontium. The group is believed to have launched numerous high-profile attacks, including a campaign targeting last year’s presidential election in the United States.
FireEye has witnessed attacks targeting several companies in the hospitality sector, including hotels in seven European countries and one in a Middle Eastern country.
Here is how it all begins.
The attacks start with a spear phishing email sent to a hotel employee. The emails carry a document named “Hotel_Reservation_Form.doc,” which uses macros to decode a dropper that deploys GameFish, a piece of malware known to be used by APT28. This backdoor was used recently in a campaign launched by the threat group against Montenegro just as the country had been preparing to join NATO.
The cyberspies also used Responder, an open source penetration testing tool developed by Laurent Gaffie of SpiderLabs. They leveraged Responder for NetBIOS Name Service (NBT-NS) poisoning.
“This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” FireEye researchers explained.
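A defensive check for the NBT-NS poisoning described above, added here as an example (not code from FireEye, Responder or the article): broadcast a name query for a canary name that no legitimate host owns, and treat any answer to it as evidence of a poisoner. Packet layout follows RFC 1002; the canary name, transaction ID and the 10.0.0.66 address in the fixture are constructed.

```python
"""Canary check for NBT-NS (UDP/137) name-query poisoning."""
from typing import Optional
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001  # NetBIOS general name service RR type, class IN

def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding: pad to 15 chars, append the suffix byte,
    then write each byte as two nibbles offset by 'A' (0x41)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytes(b for ch in raw for b in (0x41 + (ch >> 4), 0x41 + (ch & 0x0F)))
    return b"\x20" + half + b"\x00"  # label length 32, encoded name, root label

def decode_nb_name(enc: bytes) -> str:
    body = enc[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()  # drop space padding; raw[15] is the suffix

def build_query(txid: int, name: str) -> bytes:
    """Name query request: flags 0x0110 = broadcast + recursion desired, 1 question."""
    hdr = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return hdr + encode_nb_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS)

def parse_response(pkt: bytes) -> Optional[dict]:
    """Parse a positive name query response into {txid, name, ip}; None otherwise."""
    if len(pkt) < 62:
        return None
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1:  # bit 15 set = response
        return None
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    if (rtype, rclass) != (NB_TYPE, IN_CLASS) or rdlen < 6:
        return None
    _nb_flags, ip = struct.unpack(">H4s", pkt[56:62])
    return {"txid": txid, "name": decode_nb_name(pkt[12:46]), "ip": ".".join(map(str, ip))}

def detect_poisoner(canary: str, txid: int, pkt: bytes) -> Optional[str]:
    """No legitimate host owns the canary name, so an answer for it that matches
    our transaction ID can only come from a poisoner; return its claimed IP."""
    r = parse_response(pkt)
    if r and r["txid"] == txid and r["name"] == canary.upper():
        return r["ip"]
    return None

def sample_poisoned_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed test fixture mirroring a positive NBT-NS answer (not captured traffic)."""
    hdr = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)  # response, authoritative
    rr = encode_nb_name(name) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 165, 6)
    return hdr + rr + struct.pack(">H", 0) + bytes(int(o) for o in ip.split("."))
```

On a live segment the query from build_query is sent to the broadcast address on UDP/137 and every reply is passed to detect_poisoner; a hit identifies the answering host for triage and, at the policy level, supports disabling NBT-NS on clients that do not need it.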