The ubiquity of the cloud, WiFi networks and cheaper roaming charges enable travellers to be connected throughout their journey – but also present opportunities for cyber threat actors to target new technologies, which are often built with limited or no security. The internet of things (IoT), artificial intelligence and voice recognition software have multiple benefits for users but, to provide personalised services, these technologies use intrusive collection methods to obtain large volumes of personal and sensitive data – making them attractive targets for cybercriminals and espionage groups.
Travellers present unsuspecting targets for cybercriminals, state-backed espionage groups
Cybercriminals threaten business travellers and the organisations they represent with reputational damage and financial losses. Our research and experience show that travellers to a wide range of countries face a growing threat from cybercriminal activity, from both sophisticated and less capable groups. Cybercriminals use techniques such as drive-by downloads and phishing attacks to facilitate financial fraud and steal credentials (for online banking, for example). They typically also use remote access Trojans (RATs) to install malware, allowing them to monitor victims’ behaviour on their devices.
Hotels are a particularly attractive target for credit card fraud, because their WiFi networks are public and do not offer protection for communications. Cybercriminals can set up WiFi networks claiming to belong to hotels or trusted organisations to monitor online behaviour and obtain passwords, or can scan legitimate but vulnerable WiFi networks to steal sensitive information from devices connected to these networks.
Multiple cyber espionage groups have also been known to target high-value individuals through hotel WiFi networks. Hotel networks typically have weaker encryption than corporate networks, making communication on connected devices vulnerable to interception by cyber threat actors.
Travellers also face a heightened risk of data breaches from their devices as governments increase security measures at sensitive border crossings. This can include confiscating devices for inspection, then installing malicious software such as spyware to gather information. There is a high probability that travellers, especially those in strategic roles, will be targeted in more covert forms, such as through social engineering and by intercepting electronic communications.
Threat actor insight: DarkHotel
DarkHotel’s campaign, which was originally identified in November 2014 and dated back to 2009, planted backdoors into the systems of government employees and senior executives of commercially strategic businesses, with the likely intention of exfiltrating data. In August 2015, DarkHotel added new tools and used them in new locations in its campaign targeting high-value travellers.
The group remains active, as shown by its apparent involvement in an attack targeting February’s Winter Olympics and over 300 organisations associated with the event. This was most likely aimed at reconnaissance and gathering information; while it did not explicitly appear to target travellers, they were likely to have been affected by the campaign. In May, DarkHotel then targeted Korean-focused trade organisations in China, likely to conduct reconnaissance on China’s trade policies.
Securing information when travelling
Travellers should take precautionary measures before, during and after travel, especially to high-risk locations. Corporate and personal devices will process and store information that is of high value to cyber threat actors. Before travelling, organisations should ensure travellers only take devices necessary for their trip, and secure these devices and the data they hold. Protective measures include updating software on devices, enabling multi-factor authentication for online accounts, encrypting data stored on a device, and using virtual private networks to protect communications.
While travelling, travellers should be vigilant about where and how they use their devices. Especially when in public places such as airports, hotels and restaurants, travellers should closely guard their devices and avoid accessing sensitive information including online banking, commercially sensitive data and personal information. Travellers can use privacy screens to limit their devices’ visibility to people nearby, and combination locks to secure laptop bags. When they return, travellers should run antivirus scans on all devices to remove potential malware, and should change passwords on devices and for online services used on their trip. Travellers should also remove any WiFi networks they have connected to on their trip, using the ‘forget network’ setting.
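The post-trip ‘forget network’ step above can be scripted so that no hotel, airport or conference profile is left behind to auto-join a look-alike network later. The script below is an added example, not Control Risks tooling; it assumes a Linux laptop managed by NetworkManager, where nmcli prints one name:type:timestamp line per saved profile, and it treats any Wi-Fi profile last used on or after a constructed trip start date as one joined during the trip.

```shell
#!/bin/sh
# Post-trip Wi-Fi clean-up helper (added example, not Control Risks' tooling).
# Assumes NetworkManager, where
#   nmcli -t -f NAME,TYPE,TIMESTAMP connection show
# prints one "name:type:unix-timestamp" line per saved connection profile.

# Read nmcli terse output on stdin and print the names of Wi-Fi profiles
# whose last-use timestamp is on or after the trip start (unix seconds).
trip_wifi_profiles() {
    trip_start="$1"
    while IFS=: read -r name type ts; do
        # Only Wi-Fi profiles matter; wired and VPN profiles are left alone.
        [ "$type" = "802-11-wireless" ] || continue
        # A profile never used has timestamp 0 and is skipped.
        [ -n "$ts" ] && [ "$ts" -ge "$trip_start" ] || continue
        printf '%s\n' "$name"
    done
}

# Constructed sample of nmcli output (not captured from a real machine).
SAMPLE_NMCLI='Home-5G:802-11-wireless:1527000000
Office-Wired:802-3-ethernet:1530000000
Hotel_Free_WiFi:802-11-wireless:1529500000
Airport-Lounge:802-11-wireless:1529300000
Conference-Guest:802-11-wireless:1529700000'

TRIP_START=1529280000   # constructed: 2018-06-18 00:00 UTC

if [ "${1:-}" = "--apply" ]; then
    # Live run: forget every Wi-Fi profile last used during the trip.
    nmcli -t -f NAME,TYPE,TIMESTAMP connection show \
      | trip_wifi_profiles "$TRIP_START" \
      | while IFS= read -r n; do nmcli connection delete id "$n"; done
else
    # Dry run on the constructed sample: list what would be removed.
    printf '%s\n' "$SAMPLE_NMCLI" | trip_wifi_profiles "$TRIP_START"
fi
```

Run without arguments to review the list first; pass --apply only after confirming the trip start date is correct for the device.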
GDPR and the Cyber Crisis Response
Now that the General Data Protection Regulation (GDPR) is in effect, we are seeing an increase in cyber-related extortions where threat actors have demonstrated a level of contextual awareness relating to their victim’s operating environment. Notably, references to regulators, press, specific customers and other external stakeholders are being placed in communications in an attempt to put pressure on decision makers.
Given the general level of awareness and perceived fear around non-compliance with GDPR in the event of a breach, we should expect to see some extortionists try to apply further pressure on breached organisations to pay quickly and quietly by leveraging the new regulation. This may be embodied in direct messages to senior staff and shorter timeframes for payment, to suggest that a small ransom payment is nothing in comparison with a potential GDPR fine.
We should also expect to see an increase in fake extortions. Less capable threat groups will attempt to manipulate companies with unconfirmed threats of access to or possession of sensitive data. This will prove especially concerning for smaller businesses that don’t have a dedicated IT function that can rapidly identify whether or not data is at risk.
What should organisations be doing to prepare themselves to respond effectively?
Update response plans to include thresholds for notification to local regulators
Run exercises with executive-level management to map out possible pros and cons of different approaches to responding
Exercise technical response capabilities to identify and confirm the loss of data off the network at speed
Obtain threat intelligence that keeps security teams one step ahead of major extortive campaigns
Prioritise defences around critical assets including a focus on data impacted by GDPR
Control Risks offers cyber security advice and training courses for business travellers, which help reduce the likelihood of cyber-attacks and data breaches.
Authored by: Dahlia Al Sharif, Senior Consultant, Cyber Threat Intelligence - Control Risks; Connor Lattimer, Senior Consultant, Cyber Consulting - Control Risks