A couple from Vietnam who claim to be behind a destructive wiper cyber attack on hotel operator IHG told the BBC how they orchestrated their operation
Published: 20 Sep 2022 15:00
The attackers who broke into the systems of multinational hospitality operator IHG Hotels & Resorts at the beginning of September 2022 have claimed they attempted to stage a ransomware attack but instead used a data wiper malware to wreak havoc.
The attack rendered parts of IHG’s customer-facing website inoperable for a time, causing disruption to online bookings and a number of other applications, although the organisation’s site is now functioning normally.
A spokesperson said: “We prioritised the recovery of our booking channels and revenue-generating systems and were able to get those back up and running in a short period of time.
“Our security measures following the unauthorised activity in our technology systems are continuing,” they said. “We are working closely with our technology suppliers and external specialists have also been engaged to investigate the incident. At this time, we have not identified any evidence of unauthorised access to guest data. We remain focused on supporting our hotels and owners.”
The attackers, who purport to be a Vietnamese couple, go by the moniker TeaPea. They contacted the BBC late last week to share their story, and told the broadcaster they had planned to encrypt IHG’s data with ransomware, but that the IT team managed to isolate its servers before they were able to do so.
They said they thought it would be funnier to perform a damaging wiper attack, erasing the victim’s data instead.
TeaPea shared screengrabs of various compromised IHG systems, including its Outlook and Microsoft Teams instances, as proof of their activity. UK-based IHG, which operates chains including Crowne Plaza, Holiday Inn, Intercontinental and Kimpton, confirmed the shared images were legitimate.
The BBC additionally reported that TeaPea accessed IHG through a phishing attack against an employee who they tricked into giving up multifactor authentication (MFA) tokens.
They were also supposedly able to easily find login details for IHG’s internal password vault, and claimed the password for this was Qwerty1234. This information gave them deeper access to IHG’s systems.
Data wipers are a subset of malware that erases – or wipes – data, including documents and other files, and programs on target systems.
While in this case, IHG’s attackers appear to have operated on their own initiative, the ultimate goal of a wiper – to make it impossible for an organisation to carry out its functions by rendering its systems inoperable – makes wipers highly attractive as an option for state-backed advanced persistent threat (APT) groups.
Meanwhile, the June 2017 NotPetya incident, which primarily targeted Ukraine but ultimately had global impacts, manifested as a series of ransomware attacks but in fact contained a data wiper component.
More recently, a series of novel data wipers were deployed by Russian threat actors against targets in Ukraine to soften them up ahead of the invasion. One of these wipers, WhisperGate, acted similarly to NotPetya in that it was disguised as ransomware.