Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security

6/20/2018
11:05 AM
Jeffrey Burt

Olympic Destroyer Returns With Attacks in Europe

Kaspersky Labs researchers believe the hackers behind the Olympic Destroyer worm that wreaked havoc at the Winter Olympics are now focusing on organizations that research chemical and biological threats in Europe.

The hacking group behind the Olympic Destroyer malware that hit the opening of the Winter Olympics in South Korea earlier this year has resurfaced in a campaign that is targeting organizations in Europe connected to efforts to protect against chemical and biological threats.

Researchers with Kaspersky Lab said this week that they have found the Olympic Destroyer operation is up and running again with tools and spear-phishing documents that have close similarities to those used during the attack in the days leading up to the opening of the Olympic Games in February in PyeongChang, South Korea. The aggressive and destructive network worm attacked vulnerable systems, essentially bringing them down so that they couldn't be used.

The malware also disrupted WiFi in the Olympic stadium, interrupted television signals and interfered with Internet access in the press area. It targeted organizers, partners and suppliers involved with the Olympics.

(Source: Kaspersky Labs)

It's still unclear who is responsible for the Olympic Destroyer campaign, though it's assumed to be a group backed by a nation-state. Initially, the Lazarus Group was believed to be responsible; Lazarus is an organization believed to be backed by North Korea's military that has been suspected in a broad array of campaigns in recent years, including last year's high-profile WannaCry ransomware attacks. However, indicators associated with Olympic Destroyer created confusion, and Kaspersky researchers said in March that the Olympic Destroyer cybercriminals had planted sophisticated "red flags" to throw threat hunters off the trail.

Eventually Lazarus was dropped as a suspect. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues.)

No group has been identified as the creator of Olympic Destroyer, and it was assumed that the actors behind it had moved on.

"The resurgence of Olympic Destroyer is surprising, as initial expectations were for the group to stay low or even disappear altogether," Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Security Now in an email.

Now Olympic Destroyer is back and targeting organizations in Germany, France, Switzerland, the Netherlands and Ukraine, as well as Russia. The groups in the crosshairs are all involved in research on chemical and biological threats, which opens up a host of possibilities as to why those organizations are being targeted.

"We noticed a variety of financial and non-financial targets, which could mean that the same malware was used by several groups with different interests -- such as a group primarily interested in financial gain through cybertheft and another group looking for espionage targets," Baumgartner wrote. "This could also be a result of outsourcing, which is not uncommon among nation-state actors. In the case of chemical and biological organizations, the threat actor could be looking to cause disruption, as was the case during the 2018 Winter Olympics. Or, this overall activity could be the same group repeating techniques of previous attacks and targeting at the time of the Winter Olympics in South Korea, where the group spear-phished partners and supply chain in an attempt to reach their true targets."

The Kaspersky researchers noted that reconnaissance for the South Korean Olympics attack started a couple of months before the destructive attack itself, which means that the cybercriminals behind the newest campaign may be preparing for a similar attack. Given that, the organizations involved in the work that is being targeted should stay on high alert, they said.

The threat actors behind the recent attacks are using spear-phishing documents that resemble those used during the Olympics campaign, according to Kaspersky.

One document referenced the Spiez Convergence, which is a biochemical threat conference in Switzerland, while another one in Ukraine was aimed at a unit of a health and veterinary control authority. Some of the malicious documents are written in German and Russian, and all of the payloads were made to enable access to the compromised computers.

The second stage of the attack featured an open source post-exploitation framework known as PowerShell Empire.

Kaspersky researchers believe the hackers use compromised web servers running the open source content management system Joomla to host and control the malware, with indications that outdated versions of Joomla could have been used to break into those servers.
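Since the report singles out outdated Joomla installs as the likely foothold for the hosting servers, the most direct defensive response is to inventory one's own Joomla versions. The script below is an added example written for this article, not code from Kaspersky or the Joomla project: it reads the version that Joomla 3.x records in its manifest file (administrator/manifests/files/joomla.xml, in a <version> element) and flags hosts below an assumed policy minimum. The manifests and host names are constructed inline so it runs offline, and MIN_SUPPORTED is an assumed baseline to be replaced with the current supported release.

```python
"""Flag outdated Joomla installations from their manifest files.

Added example (not from the article, Kaspersky or Joomla): a defender's
inventory check. Joomla 3.x stores its version in
administrator/manifests/files/joomla.xml as a <version> element. The
manifests below are constructed stand-ins for files collected from servers.
"""
import xml.etree.ElementTree as ET

# Constructed sample manifests, keyed by a made-up host name.
SAMPLE_MANIFESTS = {
    "web01": ('<extension type="file" version="3.9" method="upgrade">'
              '<name>files_joomla</name><version>3.9.27</version></extension>'),
    "web02": ('<extension type="file" version="3.6" method="upgrade">'
              '<name>files_joomla</name><version>3.6.5</version></extension>'),
    # A manifest with no <version> element, to exercise the "unknown" path.
    "web03": '<extension type="file"><name>files_joomla</name></extension>',
}

# Assumed organizational baseline; use the current supported release in practice.
MIN_SUPPORTED = (3, 9, 0)


def parse_version(text):
    """Turn '3.6.5' into (3, 6, 5); missing or non-numeric parts become 0."""
    parts = []
    for piece in text.strip().split("."):
        parts.append(int(piece) if piece.isdigit() else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_from_manifest(xml_text):
    """Return the version tuple from a joomla.xml manifest, or None if absent."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        return None
    return parse_version(node.text)


def assess(host, xml_text, minimum=MIN_SUPPORTED):
    """Classify one host as 'ok', 'outdated' or 'unknown' along with its version."""
    try:
        version = version_from_manifest(xml_text)
    except ET.ParseError:
        version = None  # unreadable manifest: treat as unknown, not as ok
    if version is None:
        return {"host": host, "version": None, "status": "unknown"}
    status = "ok" if version >= minimum else "outdated"
    return {"host": host, "version": ".".join(map(str, version)), "status": status}


def run_inventory(manifests=SAMPLE_MANIFESTS, minimum=MIN_SUPPORTED):
    """Assess every host and return findings, most urgent first."""
    order = {"outdated": 0, "unknown": 1, "ok": 2}
    findings = [assess(host, xml, minimum) for host, xml in manifests.items()]
    return sorted(findings, key=lambda f: order[f["status"]])


if __name__ == "__main__":
    for finding in run_inventory():
        print(f"{finding['host']}: {finding['status']} (version {finding['version']})")
```

In a real deployment the manifests would be read from each web root rather than embedded, and "unknown" results deserve the same follow-up as "outdated": a server whose version cannot be read is not one that can be assumed patched.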

Researchers stressed that the private and public sectors need to work together across borders to analyze and fight the new threat. However, Baumgartner said that in the current world situation such cooperation isn't always easy, which plays into the hands of attackers such as those behind Olympic Destroyer.

"Unfortunately, the geopolitical situation in the world today is only aiding global segmentation of the Internet, which creates difficulties for researchers and investigators," he said. "This fragmentation will encourage [Lazarus] APT to continue intruding into the protected networks of foreign governments and commercial companies."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
