South Korean hacking group carried out ‘phishing’ cyberattacks in 17 local hotels – Company

A South Korean hacking group carried out a campaign of ‘phishing’ cyber attacks starting in November, 2021 and targeting 17 ‘luxury’ hotels in Macau, cybersecurity company Trellix alleged.

Trellix was created after Symphony Technology Group (STG) acquired McAfee Enterprise for US$4 billion and FireEye for US$1.2 billion and merged both cybersecurity companies together in 2021.

According to a Trellix advanced threat research team, the attacks have been carried out by DarkHotel, a suspected South Korean advanced persistent threat group, known for targeting law enforcement, pharmaceuticals and automotive manufacturers, along with other industries.

In an announcement, the cyberscurity company stated that the attack started with a ‘spear phishing’ email directed to the hotel’s management staff in roles like the vice president of HR, assistant manager and front office manager.

‘Phishing’ attacks are the practice of sending fraudulent communications that appear to come from a reputable source, usually email, sometimes with the goal of stealing sensitive data like credit card and login information, or installing malware on the victim’s machine.

Trellix indicated that on December 7, 2021, an email was sent to seventeen different hotels in the Macao area from the Macao Government Tourism Office (MGTO) with an attachment to the email an Excel file.

The names of the 17 hotels were able to be identified by examining the mail headers of the phishing mail, but the names are not revealed by the company.

The company noted that the server used to spread this campaign was trying to impersonate a legitimate government website domain for the Federated States of Micronesia ( so as to mislead the receiver into believing it was actually a mail sent by the Public Security Forces Affairs Bureau domain (

“Based on targeting, we suspect the group was trying to lay the foundation for a future campaign involving these specific hotels. After researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor,” the company says.

“For instance, one hotel was hosting an International Environment Forum and an International Trade & Investment Fair, both of which would attract potential espionage targets”.

International Trade & Investment Fair

Both events were to be held in 2021 at The Venetian, a Sands China integrated resort, however, the company noted that due to the rapid rise of COVID-19 in Macau and Mainland China most of the events were cancelled or postponed, leading the hacking group to stop carrying out their phishing activities after January 18, 2022.

Trellix also revealed that in December 2021, Macau SAR security forces became aware of the attack, prompting a public announcement by the Public Security Police Force at the time addressing the campaign.

The statement at the time indicated that notification from the Cyber Security Incident Alert and Emergency Response Center of the Police Department had been received that a web domain name ( with a highly similar name to the official web page of the Macao Security Forces has been discovered, with ‘unlawful elements’ believed to be using this email to send fraudulent emails to commit illegal acts.

“This campaign demonstrates that the hospitality sector is indeed a valid target for espionage operations. Executives should be aware that the (cyber) security of their respective organizations doesn’t stop at the edge of their network,” Trellix concluded.

The SAR Office of the Secretary for Security previously warned that Macau recorded an increase in ‘online crime’ in 2021 with authorities reporting a growing increase in cybercrime in the last two years.

According to the data from the Macau Cybersecurity Incident Alert and Response Centre (CARIC) a significant proportion of cyber threats in Macau consisting of phishing attacks (37 per cent) and active attacks (32 per cent).

Under the Macau Cybersecurity Law introduced in 2019, public and private critical infrastructure operators have to maintain adequate management and security levels for their information networks and computer systems, adopt cybersecurity systems and establish reporting mechanisms.

CARIC also started operating in December, 2019 and is coordinated by the Judiciary Police, the Public Administration and Civil Service Bureau (SAFP) and the Macau Post and Telecommunications Bureau (CTT).

The centre is primarily responsible for cybersecurity risk alert, cybersecurity incident response and coordination, and the relevant administrative and technical support, with critical infrastructure entities having to report any cybersecurity issues to the centre.