In addition to gathering information about guests from hotel executives’ accounts with privileged access, it is likely that these attacks were intended to set a foundation to enable further compromise of these luxury hotel networks, and to gather additional guest and device information using man-in-the-middle (MITM) attacks and detailed reconnaissance. For example, establishing persistence on a hotel router would enable attackers to infect devices using hotel Wi-Fi, monitor and record data sent over the network, and combine this information with data obtained from access to hotel keycard and reservation systems, including credit card and other personal guest information. DarkHotel has conducted such attacks historically, including the original campaign detailed by Kaspersky researchers in 2014.

Organizations should assume compromise of hotel Wi-Fi networks and monitor access to secured networks over VPN accordingly. Geofencing policies and multifactor authentication can limit the exploitation of hotel guest information. Using a secure portable router with full tunnel VPN options, such as Wireguard, can limit the ability of attackers to record data or obtain illegitimate access from international conference attendees. Devices with confidential information and intellectual property should not be connected to insecure networks. Depending on the organization’s specific risk management framework, it is recommended to issue travel devices without such information to international travelers.

https://thehackernews.com/2022/03/south-korean-darkhotel-hackers-targeted.html