Hackers allegedly associated with the Russian actor APT28 may be linked to a campaign targeting travelers in hotels in Europe and the Middle East, with activity dating back to July 2017.
According to a FireEye report, the actor is using several techniques, including sniffing and stealing passwords over Wi-Fi, poisoning the NetBIOS Name Service, and using the EternalBlue exploit kit to spread laterally.
The EternalBlue tool was used in the recent WannaCry attacks.
FireEye also noted that APT28 is delivering malicious documents via spear-phishing emails to target the hospitality industry.
As soon as victims click on the malicious attachment, a successful macro execution triggers the installation of APT28’s signature GAMEFISH malware.