Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
11:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Olympic Destroyer Returns With Attacks in Europe

Kaspersky Labs researchers believe the hackers behind the Olympic Destroyer worm that wreaked havoc at the Winter Olympics are now focusing on organizations that research chemical and biological threats in Europe.

The hacking group behind the Olympic Destroyer malware that hit the opening of the Winter Olympics in South Korea earlier this year has resurfaced in a campaign that is targeting organizations in Europe connected to efforts to protect against chemical and biological threats.

Researchers with Kaspersky Lab said this week that they have found the Olympic Destroyer operation is up and running again with tools and spear-phishing documents that have close similarities to those used during the attack in the days leading up to the opening of the Olympic Games in February in PyeongChang, South Korea. The aggressive and destructive network worm attacked vulnerable systems, essentially bringing them down so that they couldn't be used.

The malware also disrupted WiFi in the Olympic stadium, interrupted television signals and interfered with Internet access in the press area. It targeted organizers, partners and suppliers involved with the Olympics.

(Source: Kasperksy Labs)
(Source: Kasperksy Labs)

It's still unclear who is responsible for the Olympic Destroyer campaign, though it's assumed to be a group backed by a nation-state. Initially, it was believed the Lazarus Group, an organization believed to be backed by North Korea's military that has been suspected in a broad array of campaigns in recent years, including last year's high-profile WannaCray ransomware attacks. However, indicators associated with Olympic Destroyer created confusion and Kaspersky researchers said in March that the Olympic Destroyer cybercriminals had created sophisticated "red flags" to throw threat hunters off the trail.

Eventually Lazarus was dropped as a suspect. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues .)

No group has been identified as the Olympic Destroyer creators, who it was assumed had moved on.

"The resurgence of Olympic Destroyer is surprising, as initial expectations were for the group to stay low or even disappear altogether," Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Security Now in an email.

Now Olympic Destroyer is back and targeting organizations in Germany, France, Switzerland, the Netherlands and Ukraine, as well as Russia. The groups that are in the crosshairs are all involved in research about chemical and biological threats, which opens up a host of possibilities of why those industries are being targeted.

"We noticed a variety of financial and non-financial targets, which could mean that the same malware was used by several groups with different interests -- such as a group primarily interested in financial gain through cybertheft and another group looking for espionage targets," Baumgartner wrote. "This could also be a result of outsourcing, which is not uncommon among nation-state actors. In the case of chemical and biological organizations, the threat actor could be looking to cause disruption, as was the case during the 2018 Winter Olympics. Or, this overall activity could be the same group repeating techniques of previous attacks and targeting at the time of the Winter Olympics in South Korea, where the group spear-phished partners and supply chain in an attempt to reach their true targets."

The Kaspersky researchers noted that the attacks at the reconnaissance stage for the South Korean Olympics started a couple of months before the attacks began, which means that the cybercriminals behind the newest campaign may be preparing for a similar attack. Given that, the companies involved in the work that is being targeted should stay on high alert, they said.

The threat actors behind the recent attacks are using spear-fishing documents that resembled those used during the Olympics campaign, according to Kaspersky.

One document referenced the Spiez Convergence, which is a biochemical threat conference in Switzerland, while another one in Ukraine was aimed at a unit of a health and veterinary control authority. Some of the malicious documents are written in German and Russian, and all of the payloads were made to enable access to the compromised computers.

The second stage of the attack featured an open source framework known as Powershell Empire.

Kasperksy researchers believe the hackers use compromised web servers that use the open source content management system Joomla to host and control the malware, with indications that outdated versions of Joomla could be used to hack the servers.

However, researchers cautioned that the private and public sectors need to work together across borders to help analyze and fight against the new threat. However, Baumgartner said that in the current situation in the world, such cooperation isn't always easy, which plays into the hands of attackers such as those behind Olympic Destroyer.

"Unfortunately, the geopolitical situation in the world today is only aiding global segmentation of the Internet, which creates difficulties for researchers and investigators," he said. "This fragmentation will encourage [Lazarus] APT to continue intruding into the protected networks of foreign governments and commercial companies."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.