Darkhotel is an APT, or Advanced Persistent Threat. Since at least 2007 this sophisticated attack has targeted executives staying in luxury hotels in Asia, mostly in Japan. The technology and targeting suggest state-level sponsorship. They use various zero-day exploits to implant the malware, and who has a collection of those just sitting around? Their targets are in defense and in nuclear power. So, there is an intriguing but still mysterious geopolitical angle. But the most interesting part is the technical and operational sophistication.
What happens is that a highly placed executive checks into a luxury hotel. Once in their room, the executive connects to the hotel’s network, either wireless or through an Ethernet cable. The connection is routed through the hotel’s network, which challenges each guest for their last name and room number. So far, this is simply how business travelers access the Internet.
A pop-up appears, saying that Adobe or other software has an update available. The executive clicks on the pop-up, and malware is installed instead of the supposed update. So far, this is simply how untrusted network hotspots can be sources of malware infection.
However, Darkhotel goes much further in two ways.
First, the executives are precisely targeted. The agency or gang behind Darkhotel knows when they are scheduled to visit compromised hotels, and only those executives are targeted. The hotel network functions as intended for all the other guests. The malware is installed on the hotel servers a few days before the executive’s arrival and deleted shortly after check-out.
Second, the attacks are sophisticated, relying on high-quality coding, high-end cryptanalysis, and clever and cautious modeling of human and corporate behavior.
The malware includes a kernel-level key logger. Most attacks monitor keystrokes with user-space applications. A kernel module can evade detection far more easily, but it is also far more challenging to develop.
The malware manages to be accepted as valid updates because it comes with digital signatures which check out perfectly although they are fakes. Some of the bogus signatures are based on stolen keys, but more of them have been generated after reverse-engineering the signing private keys.
How can the attackers reverse-engineer RSA private keys? They take advantage of some weaker signing key pairs out in the world. There are still some places creating digital certificates based on 512-bit RSA key pairs, despite current wisdom being to use at least 2048-bit keys. As I described in a series of earlier blog posts, Internet-wide security has serious problems because of human behavior, not mathematical weaknesses of cryptography. Some Certification Authorities’ behavior puts Internet security at risk.
We know we shouldn’t use 512-bit RSA keys because they aren’t strong enough, but that doesn’t mean that it’s trivial to break them! The required factoring effort takes some serious computing power.
Cloud computing resources let you rent a supercomputer for a low hourly rate, so it isn’t nearly as expensive in time or hardware as it used to be, but Darkhotel is a rare attack that actually takes advantage of those resources. In 2010, there was an offer to factor 512-bit RSA keys for $5,000, taking about two weeks. In 2012, there was an estimate that it would then cost only $150 or less using Amazon Web Services’ EC2. Still, one does not casually set out to factor 512-bit keys.
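The weak-key point above, as an added defender-side check that is not part of the original post: a standard-library Python audit that reads the RSA modulus size out of a DER-encoded SubjectPublicKeyInfo (the public-key structure carried inside an X.509 certificate) and flags anything below 2048 bits. The small DER encoder and the placeholder moduli are constructed here only to build sample input; no real key or certificate is embedded.

```python
# Flags RSA keys below a minimum modulus size inside a DER SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1
MIN_RSA_BITS = 2048  # the floor the post recommends

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)

def build_rsa_spki(n, e=65537):
    # Constructed sample input only: n is a placeholder integer, not a real modulus.
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")
    key = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + key))

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size in bits, or None when the key algorithm is not RSA."""
    _, body, _ = _read_tlv(spki, 0)
    _, alg, pos = _read_tlv(body, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        return None
    _, bitstr, _ = _read_tlv(body, pos)
    _, rsakey, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    _, n_bytes, _ = _read_tlv(rsakey, 0)
    return int.from_bytes(n_bytes, "big").bit_length()

def audit_key(spki, minimum=MIN_RSA_BITS):
    bits = rsa_modulus_bits(spki)
    if bits is None:
        return "not-rsa"
    return "ok" if bits >= minimum else f"weak-rsa-{bits}"
```

To run it on real material, extract the SubjectPublicKeyInfo from a certificate (for example with `openssl x509 -pubkey -noout` and a base64 decode of the PEM body) and pass those DER bytes to `audit_key`.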
As for the human factors, Kaspersky’s report describes peer-to-peer file sharing approaches used to infect as many machines as possible and gather information useful for the targeted attacks. The details are unsurprising: they take advantage of typical human nature.
When the carefully targeted executive’s laptop is breached, the malware waits silently for six months before contacting a command-and-control server. By then, any special monitoring prompted by the trip to Asia has long since ended.
The targets are in the defense industry, government agencies, and NGOs. Spear-phishing lures its victims with topics related to weaponry and nuclear energy. This makes Darkhotel’s apparent origin in South Korea, a key U.S. ally, very awkward. The malware disables itself on systems configured for the Korean language, and it bears signs of development by a known South Korean programmer.
Like most APTs, much about Darkhotel remains a mystery. It will be one to watch for developments, and to discuss in the System and Network Security course I teach.