It is no surprise that Fancy Bear, the world's most infamous group of cyber criminals, has turned its attention from major targets such as the World Anti-Doping Agency, the Democratic National Committee and the French presidential election to... hotel Wi-Fi systems.
Fancy Bear is not interested in hotels because it wants to disrupt the cleaning rotas; it is interested because it wants to get to the guests. All kinds of senior people working for powerful organisations use hotels for business meetings and conferences, and having access to their machines as they log on to Wi-Fi is a prize of potentially great value that will open up entire networks.
This diversification by Fancy Bear is a high-profile example of an increasing, world-wide phenomenon - that of hackers targeting the hospitality and retail industry with malicious emails. Data breaches have been reported this year in the US at InterContinental Hotel Group, fast-food chain Arby's, gentlemen's clothier Brooks Brothers and Kmart. In the UK we have already seen Wonga, Sports Direct, ABTA and Tesco Bank hit by hackers.
The common thread is emails
Certainly in the most recent attacks, the common element is that the initial delivery of malicious software begins with an email, often one disguised as emanating from a colleague or contact. It often only takes one or two clicks and the attack commences.
Many sources within the cyber security industry have been reporting big surges in these email-based attacks, with a malicious payload often hidden in attachments. Symantec reported that the rate of infection among emails was one in 359 in July this year, compared with one in 451 in June. Another security vendor reports a 250 per cent increase in campaigns using emails with malicious payloads in the second quarter of this year, with a marked increase in the use of attachments rather than links and much greater variety in the types of malware. These attacks, once successful, have involved the theft of email details so that more spam emails are created to further spread the malicious software.
Where retail and hospitality organisations are targeted, most cyber criminals seek to steal customers' payment card and personal details with a view to extracting cash in one way or another. Retailers in particular have ever-growing volumes of data about individual customers that are built up through sophisticated loyalty schemes. Being the banking arm of a major retailer, Tesco Bank, for example, was a very attractive target, having not just the details of its customers, but also their money. When it was breached in 2016, some 40,000 accounts were affected and money was stolen from 20,000 customers.
Fancy Bear, also known as APT28, appears more intent on disruption, however. Once its emails have been opened, it uses the EternalBlue tool allegedly developed by security services in the US, allowing malware to spread itself autonomously. Throughout July, the group was very active, sending out malware hidden in emails sent to numerous companies in the hospitality sector in Europe and the Middle East.
This is not to suggest that the world's hacking groups have voted en masse to target retail and hospitality in this year's email campaigns. They are still interested in other organisations. So far this year attacks have been successful against HBO, stealing episodes of Game of Thrones, Curb Your Enthusiasm, Insecure, Ballers, Barry and The Deuce. Yet July was also reported to be a big month for less headline-grabbing attacks on agriculture, forestry and mining in the US.
Tradition is good for hospitality, but bad for security
Unfortunately, many organisations have still not grasped the nettle of email security, failing to understand that the file types used every day to share important information - standard files like Word docs, Excel spreadsheets and PDFs - are also the most common attack vectors for the distribution of malware. They also continue to believe that providing traditional border security, including firewall, anti-spam, anti-virus and even more recent sandboxing technologies, will suffice.
This makes it relatively easy for today's devious minds to get inside an organisation with a spoofed email or phishing attack, using an attachment containing a piece of malicious code. With adversaries such as Fancy Bear, defences that rely on prior recognition of a threat's signature will be bound to fail. Hacking groups such as these are highly resourceful people who constantly refine and adapt their tools to slip unnoticed past defences vainly searching for what was a threat last year or last month.
With email utterly essential to business, it is up to organisations to adopt technologies that are more appropriate to the new era of fast-evolving, sophisticated attacks and which do not rely on the prior identification of threat signatures. Yet businesses must also educate employees and instill best practice procedures. It is the combination of smarter technology and smarter employees that will help ensure Fancy Bear and Co do not find a warm welcome inside the hospitality and retail industries.
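
As an added illustration of the argument above (not code from this article or from any vendor), the Python sketch below contrasts a signature-style check with a check on what an attachment actually contains. It assumes an exact SHA-256 blocklist as the simplest stand-in for signature matching, and all names and sample files are constructed, harmless placeholders.

```python
import hashlib
import io
import zipfile

MACRO_PART = "vbaproject.bin"                      # OOXML part that carries VBA macros
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/OpenAction", b"/Launch")


def build_sample(filler: bytes) -> bytes:
    """Constructed, harmless OOXML-like container; `filler` only alters the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"PLACEHOLDER-NOT-REAL-VBA")
        z.writestr("docProps/custom.xml", filler)
    return buf.getvalue()


def signature_match(data: bytes, known_bad: set) -> bool:
    """Signature-style check: exact SHA-256 lookup against previously seen samples."""
    return hashlib.sha256(data).hexdigest() in known_bad


def structural_findings(data: bytes) -> list:
    """Policy check on what the attachment contains, independent of prior sightings."""
    findings = []
    if data.startswith(b"PK") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            findings += [f"macro part: {n}" for n in z.namelist()
                         if n.lower().endswith(MACRO_PART)]
    elif data.startswith(b"%PDF-"):
        # Plain token scan only; keys hidden by name escaping or object streams
        # would need a real PDF parser.
        findings += [f"active PDF key: {k.decode()}" for k in PDF_ACTIVE_KEYS if k in data]
    return findings


if __name__ == "__main__":
    seen = build_sample(b"campaign-1")
    variant = build_sample(b"campaign-2")          # same macro part, different bytes
    known_bad = {hashlib.sha256(seen).hexdigest()}
    for label, blob in (("seen", seen), ("variant", variant)):
        print(label, signature_match(blob, known_bad), structural_findings(blob))
```

The repackaged variant no longer matches the blocklist, yet both files are flagged by the structural check, which a mail gateway could use to quarantine or strip active content regardless of whether the sample has been seen before.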