Executives routinely hand over their names and room numbers to get onto hotel Wi-Fi while traveling, and that habit has drawn a persistent group of attackers out of the shadows long enough to extract information from the traveling business people they single out.
Russian security firm Kaspersky Lab is calling the syndicate Darkhotel. For the last four years, Darkhotel has been preying on executives who visit hotels in Asia -- though some of the attacks have been launched at hotels in the U.S.
"This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision," says Kurt Baumgartner, principal security researcher at Kaspersky Lab.
After settling into rooms and providing basic identifying details to connect to the hotel's private network, the executives are then preyed on through spear-phishing attacks.
The Darkhotel hackers have long-held footholds inside the hotels' password-protected Wi-Fi networks. From there they can watch executives log in, seeing names and room numbers appear on the network as guests authenticate, according to Baumgartner.
From there, the Darkhotel actors serve the targeted guests what Kaspersky calls a "hotel welcome package." The package delivers spyware disguised as a legitimate update for essential software, such as Adobe Flash.
Once the spyware has propped open a back door on a victim's computer, the attackers use it to pull in keyloggers and other tracking tools. The malware typically records each of the victim's keystrokes and scans browsers for saved passwords, exposing trade secrets and other inside information to the Darkhotel group.
After the heist of the sensitive information is complete, the Darkhotel actors step back into the shadows. The hackers clean up the scene by removing their tools, which has helped the attacks continue for years.
Most of the attacks appear to be targeted, though Darkhotel mixes in some indiscriminate attempts, according to Baumgartner. He says this blend of targeted and indiscriminate attacks is becoming more common in the advanced persistent threat (APT) approach to hacking.
Costin Raiu, manager of the Global Research and Analysis Team at Kaspersky, is concerned about Darkhotel's use of spyware tools that tap into the kernel, the OS software that sits between hardware and end-user applications.
Along with kernel-level keylogging, the Darkhotel actors have shown their sophistication in manipulating digital certificates and in using zero-day exploits. Like the vulnerability recently discovered in Windows, a zero-day is a software flaw that is unknown to the vendor when it is first abused, giving developers no lead time to fix it before hackers or malware exploit it.
"Obviously, we're not dealing with an average actor," Raiu says. "This is a top-class threat actor. Their ability to do the kernel-mode keylogger is rare, the reverse engineering of the certificate, the leveraging of zero days -- that puts them in a special category."