The Judiciary Police (PJ) said they had received a report relating to a threat involving “DarkHotel” malware. Speaking to the Times, a PJ spokesperson declined to provide any details of the contents of the report, but said that the “case is under investigation.”
However, local hotels are generally safe from malware attacks such as the “DarkHotel” spear-phishing spyware and malware-spreading campaigns, the vice chairman of the Macau Hotel Association told the Times.
Rutger Verschurentold comments follow a report by Trellix, a privately held cybersecurity, that at least 17 hotels in Macau had been targeted with attempted cyberattacks using DarkHotel between November last year and January this year.
According to Verschuren, who is also the Area Vice President for Artyzen Hospitality Group, “most, if not all, hotels in Macau have the latest sophisticated malware security systems in place,” so he believes that the industry is protected from this type of threat.
Questioned specifically on the mention, in the report, of one of the Macau hotels managed by his group (Grand Coloane Resort), Verschuren acknowledged that the company had indeed received a warning from its cybersecurity service suppliers about this threat.
“We received from one of our cybersecurity vendors a warning with detailed threat intelligence, with a detailed Indicator of Compromise about this threat, and were on high alert, as always,” Verschuren said. He added that the hotel’s “sophisticated firewall system and cybersecurity systems are constantly updated and working perfectly without interruptions, and any [cybersecurity threat] such as a phishing message would have come to our IT management’s attention.”
Verschuren also said that, nonetheless and as a precautionary measure, the company has informed all employees of the potential threat, but noted that the company has so far not experienced malware attempts from “DarkHotel,” nor has “any data breach … occurred. All data is safe.”
As to whether he is aware of reports of other hotels potentially being targeted, he said he had not heard from other hotels about this type of threat.
According to the report from Trellix, a company with experience in the detection and prevention of major cyberattacks and a vendor of cybersecurity hardware and software, the alleged attacks on 17 hotels in Macau involved an email impersonating the Macao Government Tourism Office (MGTO), with the ‘trojan’ file disguised as an Excel spreadsheet.
Trellix also said that the attacks, which have been ongoing for several years in different locations including Asia and the USA, normally start with a spear-phishing email directed to the hotel’s senior managerial staff, who have database access privileges.
The phishing attacks that follow are usually in the form of fraudulent communications that appear to come from reputable sources, usually via email, and that attempt to steal sensitive data such as credit card information or login and password information.
In relation to the Macau cases, Trellix said it had determined that an email dated December 7, 2021, was sent to seventeen different hotels in Macau. The company said that this information was gathered by analyzing the names and email domains of the chain email.
The cybersecurity company also added that the server used for the campaign was attempting to impersonate a government website domain by using the web address “fsm-gov.com,” an address that resembles the web address of the Public Security Forces of Macau (fsm.gov.mo).
“We suspect the group was trying to lay the foundations for a future campaign involving these specific hotels. After researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor,” Trellix said.
Past targets of the “DarkHotel” malware have been reported as primarily executives in investment and development, government agencies, defense industries, electronics manufacturers and energy policymakers, with most victims being located in South Korea, China, Russia and Japan, according to reports from BBC News and NBC News in 2014 and 2017.
The threat, also known by the alias “Tapaoux,” has also been referenced by another international cybersecurity company, Kaspersky Lab, as an advanced and persistent threat since 2014.
Covid-19 might have
played a mitigating role
According to the Trellix report, the phishing attacks may have been prevented due to the impact of Covid-19 in Macau and mainland China.
The main goal of the malware is to target a large number of users on the same WiFi network, such as the large concentration of people at major events and fairs.
“However, as most of the events were canceled or postponed due to the rapid rise of Covid-19 cases in Macau and China, the attacks stopped on January 18,” the company concluded.
The Grand Coloane Resort was also operating as one of the major quarantine hotel facilities in Macau for almost two years, and therefore not able to host events as it had before the pandemic, when it used to host golfing and other events.
The Times has also attempted to obtain comment from other hotels referenced in the Trellix report, as well as a response from the Office for Personal Data Protection and the MGTO on the topic, but did not receive a response from any of these entities by press time.