Attacks/Breaches

2/12/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Cyberattack Aimed to Disrupt Opening of Winter Olympics

Researchers who identified malware targeting the 2018 Winter Olympics say the attackers had previously compromised the Games' infrastructure.

A cyberattack targeting the 2018 Winter Olympics in Pyeongchang, South Korea aimed to cause disruption at the start of the Games and required deep knowledge of the infrastructure - a sign the attackers had previously compromised it, according to researchers.

The attack took place prior to the Opening Ceremonies held on Friday, Feb. 9 and interfered with TV and Internet systems. Olympics officials confirmed technical issues affecting non-critical systems and completed recovery within 12 hours. On Sunday, Feb. 11, they confirmed that a cyberattack had taken place but didn't offer additional details.

Researchers at Cisco Talos identified malware samples used in the attack "with moderate confidence" and report the infection vector is currently unknown. Evidence indicates the actors responsible were not seeking information or monetary gain: Their primary goal was likely to cause destruction.

'Olympic Destroyer'

The so-called "Olympic Destroyer" malware studied by Cisco renders machines unusable by deleting shadow copies and event logs, and tries to use PsExec and WMI to move across the environment. Talos analysts point out they had previously seen this behavior in both the BadRabbit and Nyetya (NotPetya) attacks.

The initial malware sample is a binary that drops multiple files onto the target machine. From there, the malware moves laterally throughout the network, using two information stealers and hardcoded credentials within the binary. Talos found 44 individual accounts in the library and says the malware author knew several technical details about the Olympics infrastructure including usernames, domain name, server names, and passwords.

"This is a targeted attack and this involves some reconnaissance," says Craig Williams, director of Cisco Talos outreach. "The attacker came into the campaign knowing a large number of accounts. That involves, obviously, a phishing campaign or an intelligence-gathering campaign."

A key takeaway is this malware doesn't use an exploit to spread, Williams continues. It spreads through normal tools using valid credentials, a tactic that will help attackers evade most security tools.

The destructive part of the attack starts during execution. After files are written to disk, the malware deletes all possible shadow copies on the system. It then takes steps to complicate file recovery and ensure the Windows recovery console doesn't try to repair anything on the host.

"Wiping all available methods of recovery shows this attacker had no intention of leaving the machine usable," Talos researchers report. The purpose of the malware is to perform destruction of the host, leave the system offline, and wipe remote data. It also disables all services on the system.

Earlier Attacks on the Olympics

This isn't the first instance of an attack targeting the 2018 Winter Games.

McAfee Advanced Threat Research previously detected a fileless attack targeting organizations involved with the Pyeongchang Olympics. The threat used a PowerShell implant to connect target machines with the attacker's server and transfer system-level data. At the time, researchers were unsure what happened after the attacker gained access.

Now they say this attack had a second-stage payload in the form of Gold Dragon, a Korean-language implant detected in December 2017. Gold Dragon has stronger persistence than the original PowerShell payload and expanded capabilities for profiling target systems. It lets an attacker gather information on system processes, files, registry content, and data.

In early February, prior to the Opening Ceremonies, researchers updated their findings to report another variant of the fileless implant in a new malicious document. This document had the same metadata properties and same information as the campaign discovered in January.

"It's an indication the attacker has resumed deploying a new version of this implant," says Ryan Sherstobitoff, senior analyst of major campaigns at McAfee. "Gold Dragon is a more persistent type of implant that gave them far-reaching capabilities on the network."

Targeted attacks have different stages of payloads, he explains. The first gives them access; the second installs something more persistent. In this case, the earlier fileless attack could have given a threat actor the entry to drop Gold Dragon on the target network.

Sherstobitoff emphasizes there is no indication the attacker behind the earlier campaign is connected to the Opening Ceremonies-timed attack. However, Gold Dragon could have given them the level of access to collect the information they needed to conduct it.

CrowdStrike identified samples of a previously unknown malware family seemingly designed for data destruction. Earliest samples were detected on Feb. 9, the day of the Opening Ceremonies. All samples have sets of hard-coded credentials belonging to Olympics-related targets that let threat actors spread in a target network. Several attackers had access to organizations related to the targets through malicious backdoors, CrowdStrike reports, but it can't confirm whether anyone used this access to deliver malware.

Too Soon to Determine Whodunnit

"I don't want to say it's trivial, but it's not the most complicated piece of malware," says Warren Mercer, Cisco Talos technical lead for engineering, of the attack his team studied. "There's no crazy effort to try and obfuscate their code; there are no super-advanced techniques."

However, he continues, it's likely a sophisticated attacker is at play given the previous access to Olympics systems and ability to hardcode lifted credentials. The question is, which one?

"It's a tricky question when it comes to who could be behind a threat like this," adds Williams. This could be a new threat actor or group, he says, adding that many well-funded campaigns have pockets of developers. Attribution is further complicated by the publicity of widespread attacks like NotPetya, which have given rise to "copycats" who may be responsible, he notes.

Meanwhile, the US-CERT has issued a statement on cybersecurity at the Olympics and offered guidance for attendees to protect themselves against threats including data theft and third-party monitoring, as attackers may take advantage of the large audience to spread messages.

Engin Kirda, cofounder and chief architect at Lastline, points out how denial-of-service attack campaigns are one of the easiest attacks against large events like the Olympics. Outside event attendees and organizers, and fans are often targeted with phishing emails, domain theft, ransomware, and fake social media posts. These days, employees can expect to see malicious emails related to the Games.

"If an employee falls victim to one of these attacks on a work machine, it may put their business at risk as well," Kirda notes. "IT teams should caution employees about clicking on links or attachments from Olympics-related emails."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6499
PUBLISHED: 2019-01-21
Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system.
CVE-2019-6500
PUBLISHED: 2019-01-21
In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring.
CVE-2019-6498
PUBLISHED: 2019-01-21
GattLib 0.2 has a stack-based buffer over-read in gattlib_connect in dbus/gattlib.c because strncpy is misused.
CVE-2019-6497
PUBLISHED: 2019-01-20
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.
CVE-2018-18908
PUBLISHED: 2019-01-20
The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows performs several requests over cleartext HTTP. This makes the data submitted in these requests prone to Man in The Middle (MiTM) attacks, whereby an attacker would be able to obtain the data sent in these requests. Some of the requ...