Russian Hackers Are Targeting Hotels Across Europe, Researchers Say

The hackers used booby-trapped Word documents and a leaked NSA hacking tool to get a foothold into the networks to then attack guests.
Image: August_0802/Shutterstock

A notorious hacking group linked to the Russian government has been using booby-trapped documents to hack hotels across Europe in an apparent attempt to spy on their guests, according to a security firm.

The group, known by the codenames "APT28" or "Fancy Bear," infected the networks of at least seven hotels across Europe and one in the Middle East in July. In their attacks, the hackers also used an NSA hacking tool dumped online earlier this year by the mysterious group the Shadow Brokers, according to the American cybersecurity company FireEye, which revealed the campaign against the hotels in a blog post on Friday.


Read more: A Glimpse Into How Much Google Knows About Russian Government Hackers

FireEye researcher Ben Read told Motherboard that the hackers targeted hotels part of international chains where "you would expect distinguished visitors to stay at," but he declined to provide more details about the specific hotels targeted.

The July attacks witnessed by FireEye consisted of several stages. First, as a lure, the hackers sent a document that looked like a guest form for hotel employees to fill out. The document contained a small program embedded within it—a macro, in technical terms—that was designed to install a malicious implant on the victim's computer.

Then, once the hackers infected a computer within the hotel, according to FireEye, they moved through networks using ETERNALBLUE, one of the exploits allegedly stolen from the NSA that the Shadow Brokers leaked online in April. Since being leaked, ETERNALBLUE has been recycled in several other attacks, most notably by the hackers behind the disruptive ransomware outbreaks WannaCry and NotPetya. But this is the first time researchers have observed Fancy Bear using a tool leaked by the Shadow Brokers, Read said.

Interestingly, the hackers also tried to use a tool called Responder to steal credentials from the victims. Responder is an open-source tool often used by penetration testers that pretends to be a printer or another device on the local network to trick computers into connecting to it and steal their credentials.


The malware dropped by the booby-trapped document is the best indication that the group behind the attacks is in fact Fancy Bear, the same hacking group responsible for breaching the Democratic National Committee in 2016, according to FireEye, as well as other security researchers contacted by Motherboard.

"This malware is exclusively used by [Fancy Bear]," Anton Cherepanov, a researcher at security firm ESET, told Motherboard in a Twitter chat.

Read told Motherboard in a phone call that despite the fact that there's no "smoking gun," such as an overlap with infrastructure used in previous Fancy Bear attacks, "we don't have any indication that it could be anybody else."

Two other ESET researchers, as well as another researcher at a third security firm, also told Motherboard that the malware contained in the lure document is made by Fancy Bear hackers.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at, or email

The document—"HOTEL RESERVATION SHEET"—used in the July campaign is listed on Virus Total, an online malware repository. And it was also publicly flagged by John Lambert, Microsoft's head of threat intelligence in a July 23 tweet.

Read told me that FireEye didn't have any evidence of Fancy Bar having successfully hacked any travelers in their July attacks. The company, however, also revealed a related incident in 2016 where Fancy Bear accessed the computer and Outlook online account of a guest staying at a hotel in Europe, after the victim connected to the hotel's Wi-Fi. Read declined to provide more details about this particular attack.

All these incidents are yet more evidence that government hackers are very interested in getting into hotel networks mainly to target their guests. In 2014, Kaspersky Lab revealed an espionage campaign nicknamed DarkHotel that was aimed at high-profile Asian hotels. The following year, Israeli spies allegedly hacked into the hotels where attendees of the nuclear talks between Iran and other countries were staying.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.