The threat actors behind the InterContinental Hotels Group (IHG) cyber-attack reported earlier this month have admitted doing it ‘for fun.’
The hackers made the admission to the BBC over the weekend, saying they are a couple from Vietnam who attempted a ransomware attack against IHG and, when that failed, deleted the data they had originally obtained.
“In this instance, it, fortunately, looks like IHG was able to prevent the attackers from deploying ransomware, but in retaliation, they deleted the data they had accessed, putting the hotel chain in a no-win situation,” Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine.
The threat actors, who call themselves ‘TeaPea,’ said they gained initial access to IHG systems via a successful phishing attack that tricked an employee into downloading malware from an email attachment and captured the employee’s two-factor authentication (2FA) code.
From there, they reportedly reached the most sensitive parts of IHG’s computer systems after finding login details for the company’s internal password vault, whose password was reportedly ‘Qwerty1234.’
“Being able to recover from unexpected events quickly and easily must also be a focus. The stakes are high, and there are simply no guarantees on the path an attacker will take or what they will end up doing,” Schroeder added.
“When it comes to defenses, these must include good password practices, but using a password that is Qwerty1234 is not an example of this. Unfortunately, this password keeps showing up on ‘most-used passwords’ lists.”
An IHG spokeswoman later told the BBC that the password vault details were not insecure, but declined to explain how TeaPea managed to break into the hotel chain’s systems.
“This goes to show that resilience should always be the priority. Stopping attackers getting into systems must be the focus because once they are in, organizations then have very little control over what will happen to their data next,” Schroeder said.
“Instead, implement strong, unique passwords, implement MFA, use Privileged Access Management (PAM) to protect key accounts, deploy layered security to prevent lateral movement, and train employees regularly on phishing and cybercrime.”
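Schroeder’s point about ‘most-used passwords’ lists is the basis of the screening check recommended by NIST SP 800-63B: a candidate password is compared against a blocklist of known-breached and common passwords before any complexity rule is considered. The example below is added here to illustrate that check and is not code from IHG, Barrier Networks or the BBC report; the common-password list is a constructed sample standing in for a real breach corpus, and the helper names are assumptions for illustration.

```python
"""Password screening in the spirit of NIST SP 800-63B: reject candidates
that appear on a common/breached-password list, are trivial variations of
one (case change, appended digits or symbols), or contain keyboard walks.
Added example; the blocklist below is a constructed sample, not a real corpus."""
import re

# Constructed sample of a "most-used passwords" list. A real deployment
# would load a large breach corpus (e.g. the HIBP Pwned Passwords set).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "qwerty123", "qwerty1234",
    "letmein", "welcome", "admin", "iloveyou", "abc123",
}

# Rows of a US keyboard; a contiguous run of 4+ characters along a row,
# in either direction, is treated as a keyboard walk.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 12  # assumed policy minimum for this example


def _normalise(candidate: str) -> str:
    """Lower-case and strip trailing digits/symbols, so 'Qwerty1234!' maps to 'qwerty'."""
    return re.sub(r"[\d\W_]+$", "", candidate.lower())


def has_keyboard_walk(candidate: str, min_run: int = 4) -> bool:
    """True if any keyboard-row run of min_run characters (or its reverse) appears."""
    lowered = candidate.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in lowered or run[::-1] in lowered:
                return True
    return False


def screen_password(candidate: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    elif _normalise(candidate) in COMMON_PASSWORDS:
        reasons.append("trivial variation of a common password")
    if has_keyboard_walk(candidate):
        reasons.append("contains a keyboard walk")
    return reasons


if __name__ == "__main__":
    for pw in ("Qwerty1234", "Admin2024!", "correct horse battery staple"):
        verdict = screen_password(pw)
        print(f"{pw!r}: {'rejected: ' + '; '.join(verdict) if verdict else 'accepted'}")
```

Run against the password reported in this incident, ‘Qwerty1234’, the check fails on three independent grounds (length, blocklist membership, keyboard walk), which is the behaviour a vault or directory password policy should have enforced before the credential was ever stored. The normalisation step matters in practice: blocklists are usually checked case-insensitively and with trailing digits stripped, because ‘Password1’ and ‘password’ are, from an attacker’s wordlist perspective, the same guess.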
Almost two weeks after the attack, IHG confirmed that customer-facing systems are now returning to normal but that some services may remain intermittent.