Trustwave: Russian Cybercrime Group Targets Hospitality Industry
During September and October of 2016, Trustwave SpiderLabs was simultaneously consulted by several organizations in the hospitality sector in Europe and the United States to analyze suspicious and potentially malicious activity on their networks, including servers, point-of-sale terminals, and client workstations spread across different properties and locations.
The common successful entry point in all of these operations was an email message, targeted at the victims' public-facing services, that carried a Microsoft Word document attachment. Upon opening the attachment, multiple malicious files were created or downloaded, allowing the attackers to gain some level of access into the victim's infrastructure. In some cases, the attackers actually called the victims over the phone (a social engineering vector) in order to trick staff into opening the attachment.
Trustwave released a 45-page Advanced Threat Report detailing its findings. The report describes what Trustwave believes to be a systematic criminal operation targeting the hospitality sector in Europe and the United States at this time. However, the findings suggest that other sectors such as e-commerce and retail are equally at risk, and the campaign could just as easily spread to other parts of the world.
The threat report intends to provide an analysis of this operation and document:
- Trustwave's analysis and findings, describing the nature of the malicious activities, the tactics and tradecraft used by the attackers, their possible motives, and the attribution of the threat actors behind these attacks.
- Remediation actions and advice for organizations that have already been targeted by this campaign or that wish to take proactive countermeasures.
- Indicators of Compromise (IOCs) that will benefit organizations seeking either to undertake a compromise assessment on their own (or with the help of a team that specializes in threat hunting and compromise assessments, such as Trustwave SpiderLabs), or to proactively put detection mechanisms in place that provide early warning if and when the organization is targeted.
This threat report does not replace, and cannot replace, the formal incident response actions and procedures that must be undertaken to mitigate the threat and restore business functions as per the organization's Incident Response/Disaster Recovery roadmap.
The complete report on this activity can be found here: https://www2.trustwave.com/Operation-Grand-Mars.html.