Fancy Bear used Eternal Blue 3 months after it was leaked by a mysterious group.

A Russian government-sponsored group accused of hacking the Democratic National Committee last year has likely been infecting other targets of interest with the help of a potent Windows exploit developed by, and later stolen from, the National Security Agency, researchers said Friday.

Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June.

Now, researchers at security firm FireEye say they're moderately confident the Russian hacking group known as Fancy Bear, APT 28, and other names has also used Eternal Blue, this time in a campaign that targeted people of interest as they connected to hotel Wi-Fi networks. In July, the campaign started using Eternal Blue to spread from computer to computer inside various staff and guest networks, company researchers Lindsay Smith and Ben Read wrote in a blog post. While the researchers didn't directly observe those attacks being used to infect guest computers connected to the network, they said a related campaign from last year used the control of hotel Wi-Fi services to obtain login credentials from guest devices.

In the earlier attack, the APT 28 members used a hacking tool dubbed Responder to monitor and falsify NetBIOS communications passed over the infected networks.

"Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine," the FireEye researchers wrote. "APT 28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network." The researchers continued:

In the 2016 incident, the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network.
We cannot confirm how the initial credentials were stolen in the 2016 incident; however, later in the intrusion, Responder was deployed. Since this tool allows an attacker to sniff passwords from network traffic, it could have been used on the hotel Wi-Fi network to obtain a user’s credentials.

The attack observed in July used a modified version of Eternal Blue that was created using the Python programming language and later made publicly available, FireEye researchers said in an e-mail. The Python implementation was then compiled into an executable file using the publicly available py2exe tool.
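For defenders, the NetBIOS name spoofing attributed to Responder above can be caught with a canary name: a name no real host registers, so any positive answer for it comes from a spoofer. The sketch below is an added example, not code from FireEye or from the tools named in this article; it assumes a monitoring host periodically queries the canary and hands the replies seen on UDP port 137 to `find_spoofers`, and every name and address in it is constructed.

```python
import socket
import struct

def encode_name(name, suffix=0x00):
    # RFC 1002 first-level encoding: pad to 15 chars, add suffix, one letter per nibble.
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"

def decode_name(field):
    # Inverse of encode_name; nibbles are masked so malformed input cannot raise.
    enc = field[1:33]
    raw = bytes(((enc[i] - 0x41) & 0x0F) << 4 | ((enc[i + 1] - 0x41) & 0x0F) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip()

def build_response(txid, name, ip):
    # Constructed positive name-query response, used only as sample input.
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = struct.pack(">HHIHH", 0x0020, 0x0001, 120, 6, 0)
    return header + encode_name(name) + rr + socket.inet_aton(ip)

def parse_response(pkt):
    # Returns (name, answer_ip) for a positive NBNS response, else None.
    if len(pkt) < 62:
        return None
    flags, ancount = struct.unpack(">HxxH", pkt[2:8])
    if not flags & 0x8000 or flags & 0x000F or ancount < 1:
        return None
    return decode_name(pkt[12:46]), socket.inet_ntoa(pkt[58:62])

def find_spoofers(frames, canaries):
    # frames: (source_ip, udp_payload) pairs captured on UDP port 137.
    alerts = {}
    for src, payload in frames:
        parsed = parse_response(payload)
        if parsed and parsed[0] in canaries:
            alerts.setdefault(src, set()).add(parsed[0])
    return alerts

# Constructed sample traffic; addresses and names are made up.
CANARIES = {"NOSUCHPRINTER7"}  # assumption: no real host registers this name
SAMPLE = [
    ("10.0.5.20", build_response(1, "FILESRV01", "10.0.5.20")),
    ("10.0.5.66", build_response(2, "NOSUCHPRINTER7", "10.0.5.66")),
    ("10.0.5.21", build_response(3, "MAILSRV02", "10.0.5.21")),
]

if __name__ == "__main__":
    print(find_spoofers(SAMPLE, CANARIES))
```
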

Beware of hotel Wi-Fi

Over the past few years, hotel Wi-Fi has emerged as a frequent vehicle for advanced hackers to target people of interest who happen to be connected. In 2014, researchers at security firm Kaspersky Lab said a group it dubbed Dark Hotel had been infecting hotel networks for at least seven years. In a separate report a year later, Kaspersky Lab researchers uncovered evidence suggesting a separate hacking group with ties to the creators of the Stuxnet worm infected hotel conference rooms in an attempt to monitor high-level diplomatic negotiations the US and five other nations held with Iran over its nuclear program.

Fancy Bear is one of two Russian government hacking groups accused of breaking into DNC servers last year. According to security firm CrowdStrike, Fancy Bear breached DNC defenses in April 2016. By then, a separate Russian-government group known as Cozy Bear had been inside the DNC network for at least eight months. Russia has denied any involvement in the hacks, but US intelligence agencies have almost unanimously agreed that Russian government leaders at the highest levels approved of the breach of the DNC.

Fancy Bear used a spear phishing campaign to distribute a booby-trapped Microsoft Word document to several unnamed hotels, FireEye said. When the document was opened on computers that allowed Word macros to execute, the machines were infected by Fancy Bear malware known as Gamefish. Once a computer was infected, it attempted to infect other computers connected to the same Wi-Fi network.

It's not clear how successful the Eternal Blue exploit was in the July campaign. By then, it had been four months since Microsoft released a Windows update patching the critical vulnerability the NSA attack exploited. The considerable damage caused by WCry in May prompted many holdouts to finally install the fix. Still, it's conceivable that some computers the hacking group considered key hadn't yet patched the underlying flaw in the Windows implementation of the server message block protocol. In such a case, the added Eternal Blue exploit could have proved invaluable to the hackers.