Cyber Incident Victim: InterContinental Hotels Group PLC

Date: Aug 2022

Location: Viet Nam

Summary

Attackers identifying as a Vietnamese couple breached InterContinental Hotels Group's systems through a phishing email that delivered malicious software and bypassed two-factor authentication. They initially intended a ransomware attack but pivoted to a destructive wiper attack after the company's IT team isolated servers, irreversibly deleting data and disrupting booking and check-in services globally. They reached sensitive internal systems after discovering credentials, accessible to all employees, to a corporate password vault protected by an extremely weak password ("Qwerty1234"). The hackers claimed no customer data was stolen but said they accessed corporate communications and files. The company acknowledged the breach's impact on operations but contested assertions of inadequate password security, emphasizing multiple defensive layers. Motivated by financial frustration, the attackers expressed no remorse for the disruption caused.

Description

The cyber incident affecting InterContinental Hotels Group (IHG) began on or around August 29, 2022, when attackers gained unauthorized access to the company's internal IT systems. The hackers, identifying themselves as TeaPea and claiming to be a Vietnamese couple, initially attempted a ransomware attack but pivoted to a destructive wiper attack after IHG's IT team isolated servers to prevent encryption. They breached the network through a phishing email containing a malicious attachment that compromised an employee's device, bypassing two-factor authentication protections. The attackers then accessed IHG's internal password vault using credentials available to all 200,000 employees, with the password "Qwerty1234" – a commonly used weak credential. This vault access enabled movement through critical systems including Outlook emails, Microsoft Teams chats, and server directories.

IHG customers first experienced widespread disruptions to booking channels and check-in systems on September 12, 2022, which the company initially attributed to "system maintenance" in social media responses. After approximately 24 hours of sustained outages, IHG confirmed the cyberattack in a September 13 London Stock Exchange filing, acknowledging significant application disruptions. The wiper attack caused irreversible data destruction across corporate systems, though the hackers claimed no customer data was exfiltrated while admitting possession of corporate email records. IHG disputed the characterization of password vault insecurity, emphasizing its "defense-in-depth strategy" with multiple security layers, though it declined to specify additional protections. By September 17, customer-facing systems were reportedly returning to normal with intermittent residual issues. The attackers expressed no remorse, citing low wages in Vietnam as motivation while downplaying the attack's financial impact on IHG.