A highly destructive and complicated threat that impacted last year’s Winter Olympics.
While the Olympics attack might have been a one-off, the group behind it is not going to rest.
Last year started out with a bang. Cyber-security experts were still feeling the effects of the one-two punch of WannaCry and NotPetya, and were hoping for a quieter start to the year. These aspirations were quickly shattered when Talos discovered that the disruptions to the opening ceremony of the 2018 Winter Olympics in Pyeongchang, South Korea were caused by malware.
The malware was highly destructive and tailored for the environment it was in. Its name may be linked with a historic occasion, but the threat from Olympic Destroyer lives on.
During the opening ceremonies, Wi-Fi stopped working in the stadium and media areas of the Winter Olympics, and the official web site of the games was taken down. A large-scale interruption like this poses myriad challenges including data privacy risks, tarnished brand reputation, and a drop in customer satisfaction.
Eventually, it became clear that this disruption was a cyberattack, and subsequent investigation showed that the malware displayed two traits: 1) it was wiper malware designed to destroy assets (rather than, for example, encrypt them for ransom), and 2) more interestingly, it was crafted to hide its origin and mislead researchers. This was an advanced attack blending sophisticated malware techniques with a devious strategy.
The initial delivery method of Olympic Destroyer remains unknown. What is clear is that, once inside a target network, it moves within that network, and it moves fast.
Our best analysis in the aftermath of the Pyeongchang attack is that it moved like a worm: quick and highly destructive. The malware steals stored credentials, erases backups, and destroys data held on shared servers, causing maximum damage in the shortest possible time.
Olympic Destroyer was highly destructive and designed to demolish information.
The attackers used legitimate tools to perform lateral movement, in this case PsExec (a Sysinternals administration tool that lets an administrator run programs on remote computers) alongside WMI, reusing the credentials harvested on each compromised host. Given that the attack was timed precisely to coincide with the opening ceremony of the Olympics, it was almost certainly triggered remotely.
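As an added illustration (not code from the original report or from Talos), the following Python script turns the behaviour described above into detection logic and runs it over constructed process-creation log lines: it flags a host only when PsExec-driven execution (the PSEXESVC service binary) coincides with one of the destructive commands Talos's write-up reports for Olympic Destroyer, namely shadow copy deletion, backup catalog deletion, disabling boot recovery, and clearing the System or Security event log. The pipe-delimited log format, hostnames and timestamps are made up for the example; a benign `wbadmin get versions` is included to show the rules do not fire on ordinary backup administration.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class ProcEvent(NamedTuple):
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed sample records (hypothetical hosts and times), one per line:
# timestamp|host|parent_image|image|command_line
SAMPLE_LOGS = r"""
2018-02-09T20:01:12Z|MEDIA-WS17|C:\Windows\System32\services.exe|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe
2018-02-09T20:01:14Z|MEDIA-WS17|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2018-02-09T20:01:15Z|MEDIA-WS17|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c wbadmin.exe delete catalog -quiet
2018-02-09T20:01:16Z|MEDIA-WS17|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled no
2018-02-09T20:01:17Z|MEDIA-WS17|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c wevtutil.exe cl System
2018-02-09T20:02:03Z|FILE-SRV02|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\ops\notes.txt
2018-02-09T20:05:40Z|BACKUP-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbadmin.exe|wbadmin.exe get versions
"""

# Destructive commands reported in Talos's Olympic Destroyer analysis, matched on
# the command line. Each is noisy on its own; the conjunction with PsExec is the signal.
DESTRUCTIVE_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(system|security)\b", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[ProcEvent]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip malformed records instead of aborting the whole batch
        events.append(ProcEvent(*parts))
    return events


def classify(ev: ProcEvent) -> List[str]:
    """Names of every rule this single event triggers (empty list if none)."""
    hits = []
    # PSEXESVC.exe is the service PsExec drops on the remote host; either the
    # service itself or anything it spawned counts as PsExec-driven execution.
    if "psexesvc.exe" in (basename(ev.image), basename(ev.parent)):
        hits.append("psexec_remote_execution")
    for name, pattern in DESTRUCTIVE_RULES.items():
        if pattern.search(ev.cmdline):
            hits.append(name)
    return hits


def analyze(text: str) -> Dict[str, Set[str]]:
    """Map host -> set of rule names triggered on that host."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in parse_events(text):
        for hit in classify(ev):
            per_host[ev.host].add(hit)
    return dict(per_host)


def wiper_suspects(text: str) -> Set[str]:
    """Hosts showing PsExec-driven execution AND at least one destructive command."""
    destructive = set(DESTRUCTIVE_RULES)
    return {host for host, hits in analyze(text).items()
            if "psexec_remote_execution" in hits and hits & destructive}


if __name__ == "__main__":
    for host, hits in sorted(analyze(SAMPLE_LOGS).items()):
        print(host, sorted(hits))
    print("suspects:", sorted(wiper_suspects(SAMPLE_LOGS)))
```

In a real environment the same fields come from Sysmon Event ID 1 (ParentImage, Image, CommandLine) or Windows Event ID 4688 with command-line auditing enabled; the PsExec service install also appears as a System log Event ID 7045 for PSEXESVC, which is a useful second anchor because Olympic Destroyer clears the System log afterwards, so the 7045 record should already have been forwarded off-host.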
Olympic Destroyer's authors likely wanted to create plausible deniability by reusing code fragments and artefacts previously attributed to other threat actors, a false-flag technique. It worked on some security researchers, who rushed to attribute the attack on the basis of those planted clues.
Whatever the actual motives, Cisco Talos found the markers of a sophisticated actor in the Olympic Destroyer malware. This tells us that, while Olympic Destroyer was a tailored attack, the group behind it is not going to rest. They will likely use this highly effective method again for stirring up further chaos, or for carrying out theft or other nefarious actions. We therefore need to be vigilant when looking for malware of this nature.
And that is how 2018 started. Let’s hope 2019 has nothing as malicious and sophisticated in store for any other major event.
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html
https://blog.talosintelligence.com/2018/12/year-in-malware-2018-most-prominent.html