Espionage Campaign Targets Corporate Executives Traveling Abroad

An anonymous reader writes: Kaspersky Lab researched the Darkhotel espionage campaign, which has lurked in the shadows for at least four years while stealing sensitive data from selected corporate executives traveling abroad. Darkhotel hits its targets while they are staying in luxury hotels. The crew never goes after the same target twice; they operate with surgical precision, obtaining all the valuable data they can from the first contact, deleting traces of their work and fading into the background to await the next high-profile target. The most recent traveling targets include top executives from the USA and Asia doing business and investing in the APAC region: CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This threat actor is still active.
  • by sociocapitalist ( 2471722 ) on Monday November 10, 2014 @10:18AM (#48350031)

    Any corporate executive traveling will have encrypted communications from their company as a matter of course.

    This post is nothing but a weak attempt at Kaspersky marketing.

    • Re:marketing (Score:5, Insightful)

      by VIPERsssss ( 907375 ) on Monday November 10, 2014 @10:30AM (#48350167)
      Hah, you'd be surprised. "All that encryption stuff just gets in my way. I'm an important person. Just make it work."

      Then you have to clean off all the shit from their laptop when they get back. Or worse, they copied their files to their personal laptop and then took that because it's "easier."

      And how dare a lowly IT admin tell the VP of R&D that what they want is dangerous and stupid.
      • Re:marketing (Score:5, Insightful)

        by Ihlosi ( 895663 ) on Monday November 10, 2014 @10:46AM (#48350317)
        And how dare a lowly IT admin tell the VP of R&D that what they want is dangerous and stupid.

        You don't. You tell them it's a huge financial risk for the company.

        • by Anonymous Coward

          And then get harassed to produce numbers to prove your point and more numbers to show how your suggestions will help reduce the risk and then even more numbers to show what the ROI to securing their IT is....

          All this while actually supporting your users, maintaining your infrastructure and implementing new projects.......Oh and then people crying they did not receive enough training on how to use the solutions you implemented (god forbid they read the documentation you painstakingly spent time preparing....

          • And then get harassed to produce numbers to prove your point and more numbers to show how your suggestions will help reduce the risk and then even more numbers to show what the ROI to securing their IT is....

            If you can't show how your suggestions will reduce risk then why would you expect a business to spend time and money implementing them.

• Since it is your job to protect them from these risks, not to produce stupid policies that get in the way of their "work". I managed to get a few nice laptops from my wife's former bosses. They were so loaded with malware that they barely functioned. Rather than admit that they were responsible, the pointy-hairs simply bought new laptops and discarded the old ones.
          • by Ihlosi ( 895663 )
            Rather than admit that they were responsible,

            Why should they "admit" something that they barely understand in the first place?

            The average user doesn't know how malware works, how to recognize it, how it gets on their machines, why it's bad to have it on your machine, etc. And the average user also doesn't possess the technical expertise to understand a thorough explanation.

      • by raymorris ( 2726007 ) on Monday November 10, 2014 @11:22AM (#48350615) Journal

        Most top level executives don't know DES from GPG or IDEA.
What they do understand is when you send them an email with links to three Wall Street Journal articles, Target, TJ Maxx, and Home Depot, then say "to prevent this from happening to our company, we need to have the following policies in place:".

        • Doesn't matter. The exec will have all his passwords taped to the bottom of his laptop.

          Seen it too many times to be shocked.

        • Most top level executives don't know DES from GPG or IDEA.
What they do understand is when you send them an email with links to three Wall Street Journal articles, Target, TJ Maxx, and Home Depot, then say "to prevent this from happening to our company, we need to have the following policies in place:".

          Sounds like an excellent way to get them to click on malware links too :-)

      • by torkus ( 1133985 )

        Agreed in many cases.

        Some things - like VPN and Citrix are relatively secure. Unfortunately many executives also use things like gmail, facebook, SMS, chat, xyz-gaming-app and so on during their travel. I've seen plenty of senior people send confidential information outside of accepted/expected channels. They don't want to remember passwords, much less change them. There's a lot of 'I'm too busy and it won't happen to me anyhow' mentality with data security.

        'Sorry, we don't allow abc gizmo you have to u

    • Re:marketing (Score:5, Interesting)

      by OzPeter ( 195038 ) on Monday November 10, 2014 @10:40AM (#48350265)

      Any corporate executive traveling will have encrypted communications from their company as a matter of course.

      This post is nothing but a weak attempt at Kaspersky marketing.

      I just read this on the weekend: The icky part of tech support: Porn and other NSFW surprises [infoworld.com]

      Which has a wonderful bit of text in it:

      In a survey published last year by software vendor ThreatTrack Security, 40% of tech support employees said they'd been called in to remove malware from the computer or other device of a senior executive, specifically malware that came from infected porn sites.

      Would you care to revise your opinion of corporate executives?

    • Re:marketing (Score:5, Insightful)

      by gstoddart ( 321705 ) on Monday November 10, 2014 @10:51AM (#48350355) Homepage

      Any corporate executive traveling will have encrypted communications from their company as a matter of course.

      In my experience, the more senior the executives, the more they don't think basic security and precautions apply to them.

      I'm inclined to think this kind of thing is quite real.

      • Re:marketing (Score:5, Interesting)

        by TheCarp ( 96830 ) <sjc AT carpanet DOT net> on Monday November 10, 2014 @11:00AM (#48350447) Homepage

        and the more people are willing to kow-tow to them.

We had a presentation once at a previous job on the new corporate single sign-on system. I thought it was really strange that they were, in fact, storing passwords using encryption rather than a hash, a fact which they made fairly clear was not simply a slip-up in terminology.

        After the presentation I grabbed the presenter for a side conversation and asked why they didn't use a hash when that would be far more standard, and he sighed and said that it was because some people couldn't get over the idea of not being able to recover the password if a high-level exec asked them to.

        • by Vokkyt ( 739289 )

          I want to second this as the reason that a lot of people are afraid of going the proper security route.

          At the University I work at, we have been trying to push through full disk encryption for computers that go out into the wild for years now, and each time we're told it's impossible because "what if someone loses the password?"

          Even with two key solutions that would ultimately at least allow access should we need it, we're told that the possibility of someone leaving on a trip and getting locked out of thei

          • by TheCarp ( 96830 )

            It has been about a decade since I worked at a university, but, I still remember hearing about the great debates. I wasn't part of them, but heard about them second hand from one of the people who was. At the time they were trying to push through email virus scanning and....

"But this is a university, it's perfectly legitimate that someone researching viruses may want to get email with viruses, we can't do anything that would impede legitimate research!"

      • Re:marketing (Score:5, Insightful)

        by CaptainDork ( 3678879 ) on Monday November 10, 2014 @11:03AM (#48350469)

        This has been my experience, as well.

        I have told management that it's not my job to casually suggest that they are taking risks; it's my job to jump up and down and rant and rave.

        I have also informed them that, for any best practice recommendations they choose to ignore, I need a CYA email from them that I have made the risk assessment clear and that they are making the business decision to ignore me.

        For those who will not do that, I send them an email referencing our "talk" about how they have declined to conform with best practice "as we discussed on this date."

        In my shop, system does not drive business ... business drives systems. My job is to inform, insist, and bitch and complain.

        After I apply due diligence (to the max), business evaluates risk and tells me what to do.

        • by Anonymous Coward

          At-will employment will get you.

          You are absolutely correct and are doing the right thing.

          In many organizations, your days as an employee would be numbered if you are seen as "not cooperative" by senior management

    • Re:marketing (Score:5, Informative)

      by mlts ( 1038732 ) on Monday November 10, 2014 @10:56AM (#48350405)

      One can accuse Kaspersky of being a mouthpiece for Russian propaganda, but in this case, this is a genuine threat.

      One Wi-Fi network at a local eatery always tries to replace one of my E-mail provider's SSL keys with one from 192.168.168.168. Most people would just click "continue" or "accept"... or even have their Exchange client configured to accept any SSL key. This makes it plausible that a black bag group could step in to do stuff like this.

      Of course, since people are so inundated with updates for Flash, Web browsers, and Java, clicking on yet another update becomes muscle memory, so a Trojan horse is definitely an avenue of attack. Couple this with a transparent proxy that is configured to MITM a key or two, and it isn't surprising how a group like this can score big.

      The solution? There is no single magic bullet, but there are things that can help. The most important is user training, but next to that:

      1: VPNs. The only key that can be attacked by a compromised local Wi-Fi AP would be the VPN's, and a good profile would just disallow access if this is the case.

      2: Home Depot announced that it is moving to Macs. No, OS X is not 100% secure (as the exploit posted last week shows), but the bad guys have their tools honed for Windows. For the most part, Macs are not on the bad guys' menu. Running an alternative platform might be an idea.

      3: Going with Citrix, and have the laptop be essentially a dumb terminal. Bad guys can still compromise it, especially with a RAT and taking over the session, but going with this raises the bar, especially if 2FA is used. Again, this isn't 100%, but it does help.

      4: Tools like enterprise DeepFreeze. Store data on an encrypted, thawed partition, have the OS and applications be on the "frozen" drive. This makes cleanup a matter of just rebooting, assuming the documents are not compromised.

      5: Tools like AppLocker or other programs to ensure unauthorized stuff isn't put on. For salespeople, this isn't going to happen, as they are the company breadwinners.

      6: VMs. If the user knows what they are doing, VMs/sandboxes and a VDI can be useful, however, with non-technical people, the KISS principle is important, as they may not want to waste the time firing up a VM in order to browse the web between their presentations.

      As for antivirus, this attack is a Dancing Pigs/Dancing Bunnies attack, and no AV software will protect against it, unless the user is denied admin rights on their laptop.
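The certificate swap mlts describes (a hotel or cafe AP handing back a certificate issued from 192.168.168.168 in place of the mail provider's) is exactly what pinning is meant to catch. The following is an added example, not code from the thread or from any product named in it: a check that compares the presented certificate against a fingerprint recorded on a trusted network, verifies the SAN names, and flags private addresses. The certificate fields and DER bytes are constructed; in real use they would be taken from `ssl.SSLSocket.getpeercert()` and `getpeercert(binary_form=True)`.

```python
# Added example: certificate pinning check against a substituted TLS cert.
# All certificate values below are constructed for the demonstration.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PresentedCert:
    der: bytes              # raw certificate bytes (getpeercert(binary_form=True))
    subject_cn: str         # Common Name from the subject
    issuer_cn: str          # Common Name from the issuer
    san_dns: tuple = ()     # 'DNS' entries of subjectAltName
    san_ip: tuple = ()      # 'IP Address' entries of subjectAltName


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding; this is the value you pin."""
    return hashlib.sha256(der).hexdigest()


def hostname_matches(expected_host: str, cert: PresentedCert) -> bool:
    """Exact or single-label wildcard match against the SAN DNS names."""
    host = expected_host.lower()
    for name in cert.san_dns:
        name = name.lower()
        if name == host:
            return True
        # '*.example.com' covers 'imap.example.com' but not 'a.b.example.com'
        if (name.startswith("*.") and host.endswith(name[1:])
                and host.count(".") == name.count(".")):
            return True
    return False


def check_peer(expected_host: str, pins: set, cert: PresentedCert) -> list:
    """Return the reasons to refuse the connection; an empty list means OK."""
    problems = []
    fpr = fingerprint(cert.der)
    # constant-time comparison against every pinned fingerprint
    if not any(hmac.compare_digest(fpr, p) for p in pins):
        problems.append("fingerprint not in pin set (issuer CN: %s)" % cert.issuer_cn)
    if not hostname_matches(expected_host, cert):
        problems.append("no SAN entry matches %s" % expected_host)
    for ip in cert.san_ip:
        if ipaddress.ip_address(ip).is_private:
            problems.append("certificate names a private address: %s" % ip)
    return problems


# Constructed sample: the certificate seen on a trusted network, whose
# fingerprint is recorded as the pin...
LEGIT = PresentedCert(der=b"constructed-der-bytes-for-mail.example.com",
                      subject_cn="mail.example.com", issuer_cn="Example Public CA",
                      san_dns=("mail.example.com", "*.example.com"))
PINS = {fingerprint(LEGIT.der)}

# ...and what a rogue access point hands out for the same hostname.
ROGUE = PresentedCert(der=b"constructed-der-bytes-from-rogue-ap",
                      subject_cn="192.168.168.168", issuer_cn="192.168.168.168",
                      san_ip=("192.168.168.168",))

if __name__ == "__main__":
    print("legit:", check_peer("mail.example.com", PINS, LEGIT) or "OK")
    print("rogue:", check_peer("mail.example.com", PINS, ROGUE))
```

A client that refuses to proceed when `check_peer` returns anything is the "good profile would just disallow access" behaviour the comment asks for, instead of offering the user a "continue" button.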

    • by thieh ( 3654731 )
      This post means the police is busted about telling people encrypting their phones is a bad idea. [dailydot.com]
    • by plover ( 150551 )

      If you think this is an attempt at marketing, you should recognize they're doing a terrible job at it. Read page 3 of the PDF above, the section titled "Executive Summary". That is not even close to an executive summary, and wouldn't explain jack to any of the executives I work with.

      An executive summary for this paper should read like this:

      "We have documented a sophisticated espionage ring that is targeting the laptop computers of upper level executives who travel to Southeast Asia. The attackers are usi

    • by Molonel ( 593119 )
      Oh, thank you. I needed a nice, rich deep belly laugh on a Monday morning.

      I think back over the years of high-level executives who exempted themselves from ever having to change their passwords or using password complexity, or who refused to use VPN because it was too complicated, or whose computers constantly had to be hosed down and reimaged by techs wearing hazmat suits because of highly inappropriate internet browsing on company computers, and malware-infected USB sticks handed to them at conferences
  • Gaming the Market (Score:4, Interesting)

    by DumbSwede ( 521261 ) <slashdotbin@hotmail.com> on Monday November 10, 2014 @10:26AM (#48350113) Homepage Journal

One always hears about attempts to steal intellectual property, but (assuming this isn't hype by Kaspersky) could these types of attacks be about insider trading? Could nation-states be playing the markets with this info?

  • by EmperorOfCanada ( 1332175 ) on Monday November 10, 2014 @10:33AM (#48350193)
    I hope that Kaspersky manages to cheat these executives out of tons of money based on this nebulous threat.
  • by quietwalker ( 969769 ) <pdughi@gmail.com> on Monday November 10, 2014 @10:37AM (#48350225)

    ... at least, outside of the US, it seems. Many countries have a policy that basically boils down to "if you can grab it, then it's yours, and it's impolite for another company to point fingers and claim you stole it." Not as litigious perhaps, but certainly less trustworthy. I got the standard 4 hour class from at least two companies; don't talk to folks on planes about it, don't talk to folks at the hotels, they'll arrange friendly people to sit next to you, or have a room next to you, or to flirt or whatever. Act as if your laptop/other hardware WILL be stolen or sabotaged. Keep one for travel with only the minimum relevant information on it, and so on.

    I worked for a company once that did big data analysis for the semiconductor industry. Boosted yield rates by anywhere from 3 to 15%, which is a big deal. It was a service, not a software product, so we took their data, did our analysis, and the product was suggestions to correct their process, with proof. Obviously we had a lot of special software on the backend which represented our core IP, and we protected that.

    When we went to China, we rewrote the executable so it was encrypted, plus locked to the CPU id.

Part of our process required about 18-20 hours to run on the puny laptops we had available, and the folks we met actually laughed when they told us we couldn't stay the night, nor take the systems back to the hotel with us because they had been exposed to their internal network. So we chained it to a desk, and the next morning, the system had died, and it looked like someone had removed the hard drive while the thing was running. Apparently, after a day and a half of processing, they realized they couldn't get their copy to run, and explained that they had to keep our machine, forever, but they would provide us with one that was equivalent - loaded with virii and spyware no doubt.

    One of the individuals actually begged us to stop when we took apart our laptop and ground the hard drive and cpu up and shattered the boards. Total lack of composure, I assume he was losing his job at that point.

    However, that was just par for the course for much of Asia, barring Japan.

    • Half of Korea ain't so bad either.

      But yeah, the rest of Asia is pretty f'ed up.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      One of the individuals actually begged us to stop when we took apart our laptop and ground the hard drive and cpu up and shattered the boards. Total lack of composure, I assume he was losing his job at that point.

      Well, yeah. He failed to do his research. Not all targets are soft targets. If he'd done his research, he could have got it escalated to the Dream Team who would have been able to determine how to handle the problem, or to back off and try to find another, less obvious, way to steal your stuff. Sucks to be him.

    • However, that was just par for the course for much of Asia, barring Japan.

      Japan is much the same, they are just much better at hiding it.

    • ... at least, outside of the US, it seems. Many countries have a policy that basically boils down to "if you can grab it, then it's yours, and it's impolite for another company to point fingers and claim you stole it."

      I guess you didn't read the parts of the Snowden releases where NSA/GCHQ were caught engaging in industrial espionage, right?

      If you think the USA is somehow on a moral high ground here, I really wonder why. The USA has less that it can steal from other countries, but it certainly hasn't shown

      • Sorry, I should have been more clear.

        There's apparently less corp-to-corp espionage rather than gov-to-corp*. It's simply not intrinsic to our culture, especially when the legal system provides such an easy way to strike at those who do. Heck, we even sue when people switch jobs to a competitor. If you come up with something remotely similar to an existing product - you're gonna get sued, that's how it is.

        What I've noticed is that there's two general types of countries; in one type, the onus is on the p

      • I guess you didn't read the Snowden allegations

        FTFY.

        If you think the USA is somehow on a moral high ground here, I really wonder why.

        See my title - China has been proven to do it while Snowden hasn't even gone to a US court. The only people that think that the US has lost any moral ground are those that oppose the US, and/or additionally support Snowden's allegations.

    • I wonder how hard it would be to dump something on there that "looks" like the real deal, but deliberately delivers poor performance, bad output, or even a cleverly hidden security hole.

      Let them steal it, and then see if you can use those to your advantage when they make use of the subtly broken tech.

  • Everyone knows there is No Such Agency.
  • by ErichTheRed ( 39327 ) on Monday November 10, 2014 @11:24AM (#48350629)

I'm a client systems person (yes, yes, I know, the desktop is dead and everyone is going to be writing Excel macros on their iPhones...I'm aware of it.) But, having worked for a couple of companies' IT departments doing this, and for a service provider doing this for other customers, I am absolutely not shocked that corporate execs are being targeted for this. Almost everywhere I've worked, executives have overridden the rules and required that they have full admin access to their laptops. Combining this with BYOD and users travelling onto untrusted networks is a nightmare. All it takes is one time not carefully thinking about a prompt to update something from a non-legitimate source. Once that's done, all the full-disk encryption and other good stuff goes out the window.

    The higher the rank, the less they know or care about information security. It's a losing battle too, because (a) they don't want some lowly IT guy telling them what's best for them, and (b) the heavy-handed approach doesn't work because they don't believe there's a threat.

    Hotel networks are especially interesting because the system is most likely some turnkey thing like a Cisco or Juniper appliance that gets wired up, thrown in a closet and forgotten about. That's the perfect target for compromise because it never gets updated, bugs never get fixed, and all you have to do to get physical access to the device is get a job as a cleaner or maintenance person.

  • by Princeofcups ( 150855 ) <john@princeofcups.com> on Monday November 10, 2014 @11:27AM (#48350657) Homepage

    The same guys who are having their data stolen are the ones buying data that was stolen from some other guy. It's a sociopath feeding frenzy, and the criminals are cashing in.

• What about giving the execs a Linux notebook with a password-protected BIOS, a Linux distro with full hard drive encryption + home directory encryption, a VPN connection and a VM? Too much for an exec to handle? What about Chromebooks? As far as I know, they'll alert you if they've been tampered with (as people that have installed Crouton can attest to), they store nothing locally and can be wiped out from the other side of the planet? I know that execs can be...fickle. But there are alternatives.
    • "Real funny. Now get me a real computer before I have you fired so fast it will make your head spin."
• Eugene Kaspersky is Putin's sauna buddy and their AV product is engaging in funky behavior. Unfortunately, my company's IT decided to ditch our old AV and go with Kaspersky instead. Not because it is better, less of a performance drag, more compatible, or anything - quite the contrary. The decision was made because we need some AV to check off a box on a list for management and do so by spending the least amount of money. Leaves us cubicle dwellers wondering who ships GB of data every night to a data center in Can
