The hacking group behind the Olympic Destroyer malware that hit the opening of the Winter Olympics in South Korea earlier this year has resurfaced in a campaign that is targeting organizations in Europe connected to efforts to protect against chemical and biological threats.
Researchers with Kaspersky Lab said this week that they have found the Olympic Destroyer operation is up and running again with tools and spear-phishing documents that have close similarities to those used during the attack in the days leading up to the opening of the Olympic Games in February in PyeongChang, South Korea. The aggressive and destructive network worm attacked vulnerable systems, essentially bringing them down so that they couldn't be used.
The malware also disrupted WiFi in the Olympic stadium, interrupted television signals and interfered with Internet access in the press area. It targeted organizers, partners and suppliers involved with the Olympics.
It's still unclear who is responsible for the Olympic Destroyer campaign, though it's assumed to be a group backed by a nation-state. Initially, it was believed the Lazarus Group, an organization believed to be backed by North Korea's military that has been suspected in a broad array of campaigns in recent years, including last year's high-profile WannaCray ransomware attacks. However, indicators associated with Olympic Destroyer created confusion and Kaspersky researchers said in March that the Olympic Destroyer cybercriminals had created sophisticated "red flags" to throw threat hunters off the trail.
Eventually Lazarus was dropped as a suspect. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues .)
No group has been identified as the Olympic Destroyer creators, who it was assumed had moved on.
"The resurgence of Olympic Destroyer is surprising, as initial expectations were for the group to stay low or even disappear altogether," Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Security Now in an email.
Now Olympic Destroyer is back and targeting organizations in Germany, France, Switzerland, the Netherlands and Ukraine, as well as Russia. The groups that are in the crosshairs are all involved in research about chemical and biological threats, which opens up a host of possibilities of why those industries are being targeted.
"We noticed a variety of financial and non-financial targets, which could mean that the same malware was used by several groups with different interests -- such as a group primarily interested in financial gain through cybertheft and another group looking for espionage targets," Baumgartner wrote. "This could also be a result of outsourcing, which is not uncommon among nation-state actors. In the case of chemical and biological organizations, the threat actor could be looking to cause disruption, as was the case during the 2018 Winter Olympics. Or, this overall activity could be the same group repeating techniques of previous attacks and targeting at the time of the Winter Olympics in South Korea, where the group spear-phished partners and supply chain in an attempt to reach their true targets."
The Kaspersky researchers noted that the attacks at the reconnaissance stage for the South Korean Olympics started a couple of months before the attacks began, which means that the cybercriminals behind the newest campaign may be preparing for a similar attack. Given that, the companies involved in the work that is being targeted should stay on high alert, they said.
The threat actors behind the recent attacks are using spear-fishing documents that resembled those used during the Olympics campaign, according to Kaspersky.
One document referenced the Spiez Convergence, which is a biochemical threat conference in Switzerland, while another one in Ukraine was aimed at a unit of a health and veterinary control authority. Some of the malicious documents are written in German and Russian, and all of the payloads were made to enable access to the compromised computers.
The second stage of the attack featured an open source framework known as Powershell Empire.
Kasperksy researchers believe the hackers use compromised web servers that use the open source content management system Joomla to host and control the malware, with indications that outdated versions of Joomla could be used to hack the servers.
However, researchers cautioned that the private and public sectors need to work together across borders to help analyze and fight against the new threat. However, Baumgartner said that in the current situation in the world, such cooperation isn't always easy, which plays into the hands of attackers such as those behind Olympic Destroyer.
"Unfortunately, the geopolitical situation in the world today is only aiding global segmentation of the Internet, which creates difficulties for researchers and investigators," he said. "This fragmentation will encourage [Lazarus] APT to continue intruding into the protected networks of foreign governments and commercial companies."
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.