Cyber Crime - Macau Hotels - SVA Comment

PJ INVESTIGATION PROMPTED BY MGTO REPORT

The Judiciary Police (PJ) investigation into the DarkHotel malware threat in Macau was prompted by a complaint made about the case by the Macao Government Tourism Office (MGTO), the MGTO has confirmed in a statement to the Times.

The same office also acknowledged that its email account, which is commonly used to communicate with hotels, was hacked, leading it to suspend the account and move all communication to other methods.

“At the end of last year, MGTO received a report from one local hotel about a suspicious email sent from this office. Following an investigation, MGTO found that an email from this office to communicate with hotels had been appropriated to send emails out automatically. MGTO immediately stopped using this email address and informed local hotels to be aware of spear-phishing emails,” MGTO said to the Times, adding that the case was immediately reported to the Macao Cybersecurity Incident Alert and Response Centre (CARIC).

According to the office, “The PJ is following up on the case, with MGTO in communication with CARIC to find ways to improve the level of security on the Internet.”

MGTO also said that, so far, no reports have been received from local hotels about any damage resulting from this case.

As the Times reported last week, the PJ confirmed that it had received a report relating to a threat involving DarkHotel malware. The threat was initially reported by Trellix, a privately held cybersecurity firm, which had earlier reported that at least 17 hotels in Macau had been targeted with attempted cyberattacks using DarkHotel between November last year and January this year.

On the hotel industry side, the vice-chairman of the Macau Hotel Association, Rutger Verschuren, also told the Times that local hotels are generally safe from malware attacks such as the DarkHotel spear-phishing spyware and malware-spreading campaigns, as they have “the latest sophisticated malware security systems in place.”

Similar to the statements made by MGTO, Verschuren, who is the Area Vice President for Artyzen Hospitality Group, also noted that he is not aware of reports of different hotels being potentially targeted or in any way affected by this malware.

Nonetheless, and as a precautionary measure, he said the company has informed all employees of the potential threat, but affirmed that they had not encountered malware attempts from DarkHotel so far, nor had any data breaches occurred. “All data is safe,” he concluded.

According to the report from Trellix, a company with experience in the detection and prevention of major cyberattacks and a vendor of cybersecurity hardware and software, the alleged attacks on 17 hotels in Macau involved an email impersonating the MGTO, with the ‘trojan’ file disguised as an Excel spreadsheet.

They also said that the attacks, which have been ongoing for several years in different locations including Asia and the USA, normally start with a spear-phishing email directed to the hotel’s senior managerial staff, who have database access privileges.

The phishing attacks that follow are usually in the form of fraudulent communications that appear to come from reputable sources, usually via email, and that attempt to steal sensitive data such as credit card information or login and password information.

Vulnerability depends on staff awareness, training

Steve Vickers, CEO of Steve Vickers and Associates (SVA), a specialist political and corporate risk consultancy, said that the vulnerability of the hotel industry to these types of cyberattacks depends essentially on the level of awareness and response from staff, which is linked to their relevant training.

“The vulnerability to attacks like DarkHotel will depend on the system, configuration and most importantly the level of awareness, training and response testing at the hotel concerned,” Vickers told the Times. He added, “Recent experience suggests that defenders might now have as little as 45 minutes to mitigate against ransomware once an attack commences and the files start to be encrypted.”

According to SVA, entities and companies must focus their mitigation efforts on “an early detection and very swift response” to cyberattacks, as several minutes can make all the difference in tackling the problem.

According to SVA, cybersecurity threat analysis shows that most of the attacks have a “dwell time” of two to three days before the encryption of files and other highly damaging processes takes place. However, they mentioned that “things seem to be speeding up now.”

As for recommendations to the local hotel industry, Vickers said, “As far as Macau hotels are concerned, we would recommend testing and retraining, as well as discreet internal profiling of potential aggressors. The recent implosion of junket and related operators in Macau has created many dissatisfied parties; some with a deep grudge and empty pockets.”

“SVA has advised various organizations as to how best to protect their legitimate business interests,” he added, taking into account this potential new threat, which comes in connection with the crackdown on junket activity.