According to the research team, the hacking campaign is very precise and targeted: they never go after the same individual twice. Once they have obtained sensitive records from the target, they remove all traces of their activity and effectively disappear.
The threat operates by first effectively compromising the entire hotel’s WiFi network – even those that were thought to be completely secured can be at risk due to the apparent high skillset of the hackers involved. Once the network is compromised, the hackers will see whenever a target logs into the hotel network with their name and room number. They then trick the target into downloading their malicious software which will be disguised as a software update for programs such as Flash and various toolbars. Once this malware is in place, they can obtain information about the victim’s computer as well as use keylogger software in order to collect information.
Once the hacker is done collecting information they can remove all traces of their activity from the target’s computer.
When Kaspersky Lab researchers visited Darkhotel incident destinations with honeypot machines they did not attract Darkhotel attacks, which suggests the APT acts selectively.. Further work demonstrated just how careful these attackers were to hide their activity – as soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status.
According to Kaspersky, the Darkhotel threat actor has been around for several years, and is rather well documented.
In order to avoid infection by this threat, we recommend a few steps. These steps are rather commonsense and should be followed by everyone, regardless if they an executive traveling for work or a private individual on vacation.