Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 PM
Connect Directly

Cyberattack Aimed to Disrupt Opening of Winter Olympics

Researchers who identified malware targeting the 2018 Winter Olympics say the attackers had previously compromised the Games' infrastructure.

A cyberattack targeting the 2018 Winter Olympics in Pyeongchang, South Korea aimed to cause disruption at the start of the Games and required deep knowledge of the infrastructure - a sign the attackers had previously compromised it, according to researchers.

The attack took place prior to the Opening Ceremonies held on Friday, Feb. 9 and interfered with TV and Internet systems. Olympics officials confirmed technical issues affecting non-critical systems and completed recovery within 12 hours. On Sunday, Feb. 11, they confirmed that a cyberattack had taken place but didn't offer additional details.

Researchers at Cisco Talos identified malware samples used in the attack "with moderate confidence" and report the infection vector is currently unknown. Evidence indicates the actors responsible were not seeking information or monetary gain: Their primary goal was likely to cause destruction.

'Olympic Destroyer'

The so-called "Olympic Destroyer" malware studied by Cisco renders machines unusable by deleting shadow copies and event logs, and tries to use PsExec and WMI to move across the environment. Talos analysts point out they had previously seen this behavior in both the BadRabbit and Nyetya (NotPetya) attacks.

The initial malware sample is a binary that drops multiple files onto the target machine. From there, the malware moves laterally throughout the network, using two information stealers and hardcoded credentials within the binary. Talos found 44 individual accounts in the library and says the malware author knew several technical details about the Olympics infrastructure including usernames, domain name, server names, and passwords.

"This is a targeted attack and this involves some reconnaissance," says Craig Williams, director of Cisco Talos outreach. "The attacker came into the campaign knowing a large number of accounts. That involves, obviously, a phishing campaign or an intelligence-gathering campaign."

A key takeaway is this malware doesn't use an exploit to spread, Williams continues. It spreads through normal tools using valid credentials, a tactic that will help attackers evade most security tools.

The destructive part of the attack starts during execution. After files are written to disk, the malware deletes all possible shadow copies on the system. It then takes steps to complicate file recovery and ensure the Windows recovery console doesn't try to repair anything on the host.

"Wiping all available methods of recovery shows this attacker had no intention of leaving the machine usable," Talos researchers report. The purpose of the malware is to perform destruction of the host, leave the system offline, and wipe remote data. It also disables all services on the system.

Earlier Attacks on the Olympics

This isn't the first instance of an attack targeting the 2018 Winter Games.

McAfee Advanced Threat Research previously detected a fileless attack targeting organizations involved with the Pyeongchang Olympics. The threat used a PowerShell implant to connect target machines with the attacker's server and transfer system-level data. At the time, researchers were unsure what happened after the attacker gained access.

Now they say this attack had a second-stage payload in the form of Gold Dragon, a Korean-language implant detected in December 2017. Gold Dragon has stronger persistence than the original PowerShell payload and expanded capabilities for profiling target systems. It lets an attacker gather information on system processes, files, registry content, and data.

In early February, prior to the Opening Ceremonies, researchers updated their findings to report another variant of the fileless implant in a new malicious document. This document had the same metadata properties and same information as the campaign discovered in January.

"It's an indication the attacker has resumed deploying a new version of this implant," says Ryan Sherstobitoff, senior analyst of major campaigns at McAfee. "Gold Dragon is a more persistent type of implant that gave them far-reaching capabilities on the network."

Targeted attacks have different stages of payloads, he explains. The first gives them access; the second installs something more persistent. In this case, the earlier fileless attack could have given a threat actor the entry to drop Gold Dragon on the target network.

Sherstobitoff emphasizes there is no indication the attacker behind the earlier campaign is connected to the Opening Ceremonies-timed attack. However, Gold Dragon could have given them the level of access to collect the information they needed to conduct it.

CrowdStrike identified samples of a previously unknown malware family seemingly designed for data destruction. Earliest samples were detected on Feb. 9, the day of the Opening Ceremonies. All samples have sets of hard-coded credentials belonging to Olympics-related targets that let threat actors spread in a target network. Several attackers had access to organizations related to the targets through malicious backdoors, CrowdStrike reports, but it can't confirm whether anyone used this access to deliver malware.

Too Soon to Determine Whodunnit

"I don't want to say it's trivial, but it's not the most complicated piece of malware," says Warren Mercer, Cisco Talos technical lead for engineering, of the attack his team studied. "There's no crazy effort to try and obfuscate their code; there are no super-advanced techniques."

However, he continues, it's likely a sophisticated attacker is at play given the previous access to Olympics systems and ability to hardcode lifted credentials. The question is, which one?

"It's a tricky question when it comes to who could be behind a threat like this," adds Williams. This could be a new threat actor or group, he says, adding that many well-funded campaigns have pockets of developers. Attribution is further complicated by the publicity of widespread attacks like NotPetya, which have given rise to "copycats" who may be responsible, he notes.

Meanwhile, the US-CERT has issued a statement on cybersecurity at the Olympics and offered guidance for attendees to protect themselves against threats including data theft and third-party monitoring, as attackers may take advantage of the large audience to spread messages.

Engin Kirda, cofounder and chief architect at Lastline, points out how denial-of-service attack campaigns are one of the easiest attacks against large events like the Olympics. Outside event attendees and organizers, and fans are often targeted with phishing emails, domain theft, ransomware, and fake social media posts. These days, employees can expect to see malicious emails related to the Games.

"If an employee falls victim to one of these attacks on a work machine, it may put their business at risk as well," Kirda notes. "IT teams should caution employees about clicking on links or attachments from Olympics-related emails."

Related Content:




Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
6 Top Nontechnical Degrees for Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/21/2019
Anatomy of a BEC Scam
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/21/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-22
Authentication Bypass vulnerability in the Microsoft Windows client in McAfee Client Proxy (MCP) prior to 3.0.0 allows local user to bypass scanning of web traffic and gain access to blocked sites for a short period of time via generating an authorization key on the client which should only be gener...
PUBLISHED: 2019-11-22
Multiple cross-site scripting (XSS) vulnerabilities in POSH (aka Posh portal or Portaneo) 3.0 through 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) error parameter to /includes/plugins/mobile/scripts/login.php or (2) id parameter to portal/openrssarticle.php
PUBLISHED: 2019-11-22
Buffer overflow in CHICKEN 4.9.0 and may allow remote attackers to execute arbitrary code via the 'select' function.
PUBLISHED: 2019-11-22
generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges.
PUBLISHED: 2019-11-22
In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data URIs (or vbscript:), allowing for potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would require an attacker-provided configuration. The most plausible potential attack would be if ...