Russian hackers used NSA’s leaked EternalBlue exploit to spy on hotel guests – CSO Online
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.
Your message has been sent.
There was an error emailing this page.
A Russian government-sponsored cyberespionage group has been accused of using a leaked NSA hacking tool in attacks against one Middle Eastern and at least seven European hotels in order to spy on guests.
Why reinvent the wheel, or a hacking tool, when the NSA created such an effective one? The NSAs EternalBlue was leaked online by the Shadow Broker in April. Now the security firm FireEye says it has a moderate confidence that Fancy Bear, or APT28, the hacking group linked to the Russian government and accused of hacking the Democratic National Committee last year, added EternalBlue to its arsenal in order to spy on and to steal credentials from guests at European and Middle Eastern hotels.
In a campaign aimed at the hospitality industry, attackers leveraged a malicious document in spear-phishing emails. The hostile hotel form, which Microsoft Threat Intelligence Center General Manager John Lambert tweeted about in July, appeared to be a hotel reservation document. If macros were allowed to run on the computers used by the hotel employees who opened it, then Fancy Bears Gamefish malware would be installed.
Fancy Bear, according to a report by the security firm FireEye, used novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks.
The Gamefish malware would download and run EternalBlue to spread to computers which were connected to corporate and guest Wi-Fi networks. After gaining access, Fancy Bear deployed Responder which listens for broadcasts from victim computers attempting to connect to network resources. Responder, FireEye explained, masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine.
Its definitely a new technique for Fancy Bear, FireEyes cyber espionage researcher Ben Read told Wired. Its a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.
While FireEye didnt observe business travelers credentials being stolen via hotel Wi-Fi networks in July, the security firm cited a similar hotel attack by Fancy Bear in 2016.
In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network.
The latest hotel attacks, FireEye added, is the first time we have seen APT28 incorporate this exploit [EternalBlue] into their intrusions. While the investigation is still going on, FireEye told Reuters it is moderately confident that Fancy Bear is behind the attacks. We just don't have the smoking gun yet.
The targeted hotels were not named, but were described as the type where valuable guests would stay. FireEye told Wired, These were not super expensive places, but also not the Holiday Inn. Theyre the type of hotel a distinguished visitor would stay in when theyre on corporate travel or diplomatic business.
FireEye wants travelers, such as business and government personnel, to be aware of the threats like having their information and credentials passively collected when connecting to a hotels Wi-Fi. While traveling abroad, high value targets should take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible. Wired suggested the safest approach for travelers is to bring their own hotspot and altogether skip connecting to the hotels Wi-Fi.
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.
Sponsored Links
See more here:
Russian hackers used NSA's leaked EternalBlue exploit to spy on hotel guests - CSO Online
- NSA Ajit Doval says he doesn't use phone or internet. Here's why - MSN - January 14th, 2026 [January 14th, 2026]
- NSA Ajit Doval says he doesnt use phone or internet; shares views on Indias future and youth - WION - January 11th, 2026 [January 11th, 2026]
- Liberia: NSA Director's Special Assistant Suspended Amid Alleged Gang Sodomy of 15-Year-Old; Authorities Remain Silent - FrontPageAfrica - January 11th, 2026 [January 11th, 2026]
- 'Wars happen because some countries want to impose their will on others': NSA Ajit Doval - Deccan Herald - January 11th, 2026 [January 11th, 2026]
- We have to avenge our history: NSA Ajit Doval urges youth to make India great in every aspect - The Indian Express - January 11th, 2026 [January 11th, 2026]
- CISA, NSA, and Canadian Cyber Centre update Brickstorm analysis with new Rust-based variants - Industrial Cyber - January 11th, 2026 [January 11th, 2026]
- ROVER communication terminals approved for international use by NSA - Military Embedded Systems - January 9th, 2026 [January 9th, 2026]
- L3Harris ROVER and TNR systems gain NSA approval enabling secure coalition interoperability - Defence Industry Europe - January 9th, 2026 [January 9th, 2026]
- Former NSA insider Kosiba brought back as spy agencys No. 2 - The Record from Recorded Future News - January 9th, 2026 [January 9th, 2026]
- Trumps tariff threat to India self-inflicted wound: Former US NSA John Bolton - The Indian EYE - January 9th, 2026 [January 9th, 2026]
- NSA Scotland demands support for sheep farmers ahead of Holyrood elections - Farmers Guardian - January 9th, 2026 [January 9th, 2026]
- Announcing tariffs for purchasing Russian oil unfortunate: Former US NSA backs closer relationship with India - Punjab News Express - January 9th, 2026 [January 9th, 2026]
- NSA Ajit Doval likely to be part of Indian delegation at WEF in Davos - The New Indian Express - January 9th, 2026 [January 9th, 2026]
- "A lot of hot air": Former NSA John Bolton on Trump's remarks on possible action beyond Venezuela - ANI News - January 9th, 2026 [January 9th, 2026]
- NSA employee sues Trump administration over order on transgender rights and two 'immutable' genders - Yahoo - December 22nd, 2025 [December 22nd, 2025]
- NSA employee sues the Trump administration over transgender rights and 'immutable' genders - AP News - December 22nd, 2025 [December 22nd, 2025]
- Senior official at Indo-Pacific Command is set to be Trumps pick to lead Cyber Command, NSA - The Record from Recorded Future News - December 22nd, 2025 [December 22nd, 2025]
- NSA employee sues the Trump administration over transgender rights and 'immutable' genders - Temple Daily Telegram - December 22nd, 2025 [December 22nd, 2025]
- Potential NSA, Cyber Command leader nomination transmitted to Senate - Nextgov/FCW - December 22nd, 2025 [December 22nd, 2025]
- After Eight Months, White House Names Nominee To Head NSA And CYBERCOM - Defense Daily - December 22nd, 2025 [December 22nd, 2025]
- Fubara Hosts NSA, Says Tinubu Happy With Rivers Governor - TVC News - December 22nd, 2025 [December 22nd, 2025]
- CISA, NSA warn of Chinas BRICKSTORM malware after incident response efforts - The Record from Recorded Future News - December 10th, 2025 [December 10th, 2025]
- CISA and NSA Warn of BRICKSTORM Malware Attacking VMware ESXi and Windows Environments - CybersecurityNews - December 10th, 2025 [December 10th, 2025]
- NSA, CISA, and Others Release Guidance on Integrating AI in Operational Technology - National Security Agency (.gov) - December 4th, 2025 [December 4th, 2025]
- NSA has met 2,000-person workforce reduction goal, people familiar say - Nextgov/FCW - December 4th, 2025 [December 4th, 2025]
- NSA Doval, Thai Foreign Minister Phuangketkeow discuss maritime security, threats of online scams - The Indian EYE - December 4th, 2025 [December 4th, 2025]
- NSA Doval, Thai FM discuss maritime security, threats of online scams - Awaz The Voice - December 4th, 2025 [December 4th, 2025]
- All-clear issued about 2 hours after NSA Naples schools evacuated over potential threat - Stars and Stripes - November 18th, 2025 [November 18th, 2025]
- 'Dhurandhar': R Madhavan reveals Aditya Dhar's little trick that perfected his NSA-inspired look for the - The Times of India - November 18th, 2025 [November 18th, 2025]
- Army officer with Indo-Pacific experience emerges as potential Cyber Command, NSA pick - The Record from Recorded Future News - November 18th, 2025 [November 18th, 2025]
- NSA Dr Rahman to attend Security Conclave in New Delhi - United News of Bangladesh - November 18th, 2025 [November 18th, 2025]
- Man claims NSA told him to shatter glass at AT&T building with hatchet, Nashville police say - WSMV - November 18th, 2025 [November 18th, 2025]
- How the heartbreaking lack of a confirmed leader is impacting CYBERCOM and NSA - Breaking Defense - November 7th, 2025 [November 7th, 2025]
- Goa invokes NSA for three months to tackle anti-socials - The Times of India - November 7th, 2025 [November 7th, 2025]
- CISA, NSA and other unveil security blueprint to harden Microsoft Exchange servers - Homeland Preparedness News - November 7th, 2025 [November 7th, 2025]
- NSA Shares Q3 Revenue Results Below Expectations - GuruFocus - November 7th, 2025 [November 7th, 2025]
- Filipinos aware of civilian supremacy over military NSA Ao - Philippine News Agency - October 28th, 2025 [October 28th, 2025]
- Sonam Wangchuk says his words were twisted to justify his NSA detention - The Statesman - October 26th, 2025 [October 26th, 2025]
- Nokia and stc pioneer the first commercial 5G NSA Cloud RAN deployment in the MEA region - ZAWYA - October 26th, 2025 [October 26th, 2025]
- China accuses NSA of multi-year hack targeting its national time systems - Nextgov/FCW - October 23rd, 2025 [October 23rd, 2025]
- Cybersecurity News: AWS outage, NSA hacking accusations, High risk WhatsApp automation - CISO Series - October 23rd, 2025 [October 23rd, 2025]
- Hackers Say They Have Personal Data of Thousands of NSA and Other Government Officials - Homeland Security Today - October 23rd, 2025 [October 23rd, 2025]
- AWS outage, NSA hacking accusations, High risk WhatsApp automation - LinkedIn - October 23rd, 2025 [October 23rd, 2025]
- Palestinian President Mahmoud Abbas: No Concessions Were Made In The Oslo Accords 1.85 Million Palestinians Returned To Their Homeland;... - October 23rd, 2025 [October 23rd, 2025]
- NSA to partner JKG to drive sports technology through Artificial Intelligence - GhanaWeb - October 23rd, 2025 [October 23rd, 2025]
- China claims NSA hacked its national timing systems using 42 "special cyber weapons" - TechSpot - October 23rd, 2025 [October 23rd, 2025]
- US NSA alleged to have launched a cyber attack on a Chinese agency - csoonline.com - October 21st, 2025 [October 21st, 2025]
- Hackers Say They Have Personal Data of Thousands of NSA and Other Government Officials - 404 Media - October 21st, 2025 [October 21st, 2025]
- China says it has foiled a series U.S. cyberattacks on its critical infrastructure Ministry of State Security says it has 'irrefutable evidence' NSA... - October 21st, 2025 [October 21st, 2025]
- China claims the NSA conducted cyberattacks on its national time center - Engadget - October 21st, 2025 [October 21st, 2025]
- China claims the US NSA conducted cyberattacks on its national time center - TechRadar - October 21st, 2025 [October 21st, 2025]
- Donald Trump's ex-NSA John Bolton indicted; charged over mishandling classified information; Trump calls - Times of India - October 19th, 2025 [October 19th, 2025]
- Trump critic and former NSA adviser John Bolton indicted on classified documents charges - MLive.com - October 19th, 2025 [October 19th, 2025]
- NSA Accused of Stealing Secrets from Chinas National Time Centre - Modern Diplomacy - October 19th, 2025 [October 19th, 2025]
- Ex-Donald Trump NSA John Bolton Indicted: All About The 18 Charges - NDTV - October 19th, 2025 [October 19th, 2025]
- Explained: What are the charges against ex-US NSA John Bolton? What next? - Firstpost - October 19th, 2025 [October 19th, 2025]
- Former Trump NSA John Bolton Indicted On 18 Counts For Sharing Classified Information - Republic World - October 19th, 2025 [October 19th, 2025]
- Ex-Trump NSA Bolton charged with storing, sharing classified information - Business Standard - October 17th, 2025 [October 17th, 2025]
- Lt. Gen. William Hartman, acting leader of NSA and Cyber Command, will not be nominated for the dual-hat role - POLITICO Pro - October 17th, 2025 [October 17th, 2025]
- Shaping health futures together: NSA engagement for EPW2 and Ageing is Living - World Health Organization (WHO) - October 17th, 2025 [October 17th, 2025]
- Trump's ex-NSA John Bolton indicted over sharing US defence secrets: Was his email hacked by Iran? - WION - October 17th, 2025 [October 17th, 2025]
- John Bolton Indicted: What are the Charges Against Trump's Former NSA? - Times Now - October 17th, 2025 [October 17th, 2025]
- China infrastructure hacks are 'unrestricted warfare' against America, former NSA director says - Washington Times - October 15th, 2025 [October 15th, 2025]
- Children were scared to sleep outside, many stopped going to schools: Why NSA was invoked against a rape accused in UPs Bhadohi - The Indian Express - October 15th, 2025 [October 15th, 2025]
- Chinas Capacity to Hack the U.S. Is Growing, Former NSA and Retired Gen. Tim Haugh Warns - Homeland Security Today - October 15th, 2025 [October 15th, 2025]
- Ousted NSA head Gen. Tim Haugh on his firing by the Trump administration - CBS News - October 13th, 2025 [October 13th, 2025]
- China's capacity to hack the U.S. is growing, former NSA head says. Here's what they're targeting and why. - CBS News - October 13th, 2025 [October 13th, 2025]
- China is hacking America's critical infrastructure, former NSA and retired Gen. Tim Haugh warns - CBS News - October 13th, 2025 [October 13th, 2025]
- John Bolton, Former US NSA And Trump Critic, May Face Federal Charges Soon: Report - News18 - October 13th, 2025 [October 13th, 2025]
- Acting US Cyber Command, NSA chief wont be nominated for the job, sources say - The Record from Recorded Future News - October 11th, 2025 [October 11th, 2025]
- Exclusive: DOJ seeking criminal charges against Trump's former NSA John Bolton - Yahoo - October 11th, 2025 [October 11th, 2025]
- NSA boss explains how revenue from Ghana-Mali game will be shared - GhanaWeb - October 11th, 2025 [October 11th, 2025]
- NSA rolls out digital skills, military training and smart reforms - GBC Ghana Online - October 9th, 2025 [October 9th, 2025]
- Overheated Solar Panel Batteries Caused Fire at NSA Chiefs Residence - liberianobserver.com - October 9th, 2025 [October 9th, 2025]
- NSA Doval meets Brazilian counterpart to review cooperation in strategic areas | Latest News India - Hindustan Times - October 4th, 2025 [October 4th, 2025]
- Red Hat allegedly hit by huge breach exposing major organizations, including the NSA - Cybernews - October 2nd, 2025 [October 2nd, 2025]
- NSA officer injured after Maryland man drives through checkpoint, rams multiple police vehicles - WMAR 2 News Baltimore - September 30th, 2025 [September 30th, 2025]
- Why should officials not be fined: HC on illegal NSA arrest - The Times of India - September 30th, 2025 [September 30th, 2025]
- SKM demands to release Sonam Wangchuk, revoke imposition of NSA - The Times of India - September 30th, 2025 [September 30th, 2025]
- Seoul's NSA reportedly says S.Korea unable to pay $350b upfront in investment in US for tariff deal; weaponizing alliance exposes nature of US... - September 30th, 2025 [September 30th, 2025]