Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

11:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Olympic Destroyer Returns With Attacks in Europe

Kaspersky Labs researchers believe the hackers behind the Olympic Destroyer worm that wreaked havoc at the Winter Olympics are now focusing on organizations that research chemical and biological threats in Europe.

The hacking group behind the Olympic Destroyer malware that hit the opening of the Winter Olympics in South Korea earlier this year has resurfaced in a campaign that is targeting organizations in Europe connected to efforts to protect against chemical and biological threats.

Researchers with Kaspersky Lab said this week that they have found the Olympic Destroyer operation is up and running again with tools and spear-phishing documents that have close similarities to those used during the attack in the days leading up to the opening of the Olympic Games in February in PyeongChang, South Korea. The aggressive and destructive network worm attacked vulnerable systems, essentially bringing them down so that they couldn't be used.

The malware also disrupted WiFi in the Olympic stadium, interrupted television signals and interfered with Internet access in the press area. It targeted organizers, partners and suppliers involved with the Olympics.

It's still unclear who is responsible for the Olympic Destroyer campaign, though it's assumed to be a group backed by a nation-state. Initially, it was believed the Lazarus Group, an organization believed to be backed by North Korea's military that has been suspected in a broad array of campaigns in recent years, including last year's high-profile WannaCray ransomware attacks. However, indicators associated with Olympic Destroyer created confusion and Kaspersky researchers said in March that the Olympic Destroyer cybercriminals had created sophisticated "red flags" to throw threat hunters off the trail.

Eventually Lazarus was dropped as a suspect. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues .)

No group has been identified as the Olympic Destroyer creators, who it was assumed had moved on.

"The resurgence of Olympic Destroyer is surprising, as initial expectations were for the group to stay low or even disappear altogether," Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Security Now in an email.

Now Olympic Destroyer is back and targeting organizations in Germany, France, Switzerland, the Netherlands and Ukraine, as well as Russia. The groups that are in the crosshairs are all involved in research about chemical and biological threats, which opens up a host of possibilities of why those industries are being targeted.

"We noticed a variety of financial and non-financial targets, which could mean that the same malware was used by several groups with different interests -- such as a group primarily interested in financial gain through cybertheft and another group looking for espionage targets," Baumgartner wrote. "This could also be a result of outsourcing, which is not uncommon among nation-state actors. In the case of chemical and biological organizations, the threat actor could be looking to cause disruption, as was the case during the 2018 Winter Olympics. Or, this overall activity could be the same group repeating techniques of previous attacks and targeting at the time of the Winter Olympics in South Korea, where the group spear-phished partners and supply chain in an attempt to reach their true targets."

The Kaspersky researchers noted that the attacks at the reconnaissance stage for the South Korean Olympics started a couple of months before the attacks began, which means that the cybercriminals behind the newest campaign may be preparing for a similar attack. Given that, the companies involved in the work that is being targeted should stay on high alert, they said.

The threat actors behind the recent attacks are using spear-fishing documents that resembled those used during the Olympics campaign, according to Kaspersky.

One document referenced the Spiez Convergence, which is a biochemical threat conference in Switzerland, while another one in Ukraine was aimed at a unit of a health and veterinary control authority. Some of the malicious documents are written in German and Russian, and all of the payloads were made to enable access to the compromised computers.

The second stage of the attack featured an open source framework known as Powershell Empire.

Kasperksy researchers believe the hackers use compromised web servers that use the open source content management system Joomla to host and control the malware, with indications that outdated versions of Joomla could be used to hack the servers.

However, researchers cautioned that the private and public sectors need to work together across borders to help analyze and fight against the new threat. However, Baumgartner said that in the current situation in the world, such cooperation isn't always easy, which plays into the hands of attackers such as those behind Olympic Destroyer.

"Unfortunately, the geopolitical situation in the world today is only aiding global segmentation of the Internet, which creates difficulties for researchers and investigators," he said. "This fragmentation will encourage [Lazarus] APT to continue intruding into the protected networks of foreign governments and commercial companies."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.