Russian hackers, with barely a sprinkle of deniability, have targeted the Pyeongchang Olympics for months in retaliation for their nation's doping ban, stealing and leaking documents from Olympics-related organizations. Now a more insidious attack has surfaced, one designed not only to embarrass, but to disrupt the opening ceremonies themselves. And while neither Olympics organizers nor security firms are ready to point the finger at the Kremlin, the hackers appear to have at least left behind a few calling cards that look rather Russian.
Over the weekend, the Pyeongchang Olympics organizers confirmed that they're investigating a cyberattack that briefly paralyzed IT systems ahead of Friday's opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that attendees were unable to print tickets. (While Intel also cancelled its planned live drone show during the opening ceremonies, the Pyeongchang organizing committee said in a statement that the cause was "too many spectators standing in the area where the live drone show was supposed to take place," rather than malware.)
Now security researchers at Cisco's Talos division have released an analysis of a piece of sophisticated, fast-spreading malware that they're calling Olympic Destroyer, which they believe was likely the cause of that outage.
"It was effectively a worm within the Olympic infrastructure that resulted in a denial-of-service attack," says Talos researcher Warren Mercer.
According to a detailed blog post the Talos researchers published Monday morning, Olympic Destroyer is designed to automatically jump from machine to machine within a target network and destroy certain data on each machine, including part of its boot record, then reboot the machines and prevent them from booting again. "It turns off all of the services, the boot information is nuked, and the machine is disabled," says Talos research manager Craig Williams.
'They wanted to do as much damage as they could, as fast as they could.'
Craig Williams, Cisco Talos
Talos points out that Olympic Destroyer's disruptive tactics and spreading methods resemble those of NotPetya and BadRabbit, two pieces of Ukraine-targeting malware that appeared last year and that the Ukrainian government, the CIA, and other security firms have all tied to Russian hackers.
But strangely, unlike those earlier malware attacks, this newest variant destroys only backup data on victim machines, while leaving the rest of the PC's hard drive intact. The malware's real target, the Talos researchers believe, was any data stored on servers that infected PCs could reach over the network; Olympic Destroyer would permanently corrupt those server-side files. That approach may have been designed to achieve a faster, stealthier kind of data destruction while still potentially leaving working malware infections behind on some victim machines, allowing the hackers to retain access. "It may have been an optimization," says Williams. "They wanted to do as much damage as they could, as fast as they could." As a result, however, the Olympic organizers were able to get their systems working again within a day, compared with NotPetya victims who in many cases permanently lost tens of thousands of computers and needed weeks to fully recover. [1]
When WIRED reached out to the International Olympic Committee for comment, the IOC referred the inquiry to the local Pyeongchang Organizing Committee, which hasn't responded. Publicly, however, organizers have declined to identify any potential suspects or motives behind the attack.
The Talos researchers say they obtained the Olympic Destroyer malware after it was detected and flagged by the company's security products, though they haven't disclosed the exact source of the code. As evidence that it did in fact target Olympics infrastructure specifically, they point to a list of 44 usernames and passwords embedded in the malware's code, all for accounts on PyeongChang2018.com, the Olympics' domain. With those accounts as a starting point, the malware then spread using Windows features like PsExec and Windows Management Instrumentation, which allow one machine to connect to another, and then scoured each new target machine's browser data and system memory for more credentials. "It comes in with 44 logins, and then as it compromises machines it pumps more and more user information out of them," says Williams.
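The spreading pattern described above (remote service installation via PsExec, remote process creation via WMI, and network logons with a growing pool of harvested accounts) leaves artifacts in standard Windows event logs that a defender can hunt for. The following is an added example written for this article, not code from Talos or from the Olympic organizers. It assumes the logs have been exported as JSON lines carrying the Windows event ID (7045 for a service install, 4688 for process creation, 4624 for a logon) plus the event-data fields named in the code; the field names, the alert thresholds and the sample records are all constructed for illustration.

```python
"""Hunt for PsExec- and WMI-style lateral movement in exported Windows event logs.

Added example for this article; it is not Talos's or the Olympic organizers'
code. Event records are assumed to be JSON lines carrying the Windows event ID
and the event-data fields used below (field names are assumptions); the sample
records are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_MARKER = "PSEXESVC"   # service name / binary that PsExec drops on the target
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
FANOUT_ACCOUNTS = 3                    # assumed threshold: distinct accounts...
FANOUT_WINDOW = timedelta(minutes=5)   # ...used from one source inside this window

# Constructed sample: WS01 (10.0.0.5) pushes PsExec services to WS02 and WS03
# (on WS03 the service was renamed, but the binary is still PSEXESVC.exe),
# spawns a shell on WS04 through WMI, and logs on over the network with four
# different harvested accounts. WS06 and 10.0.0.9 are benign noise.
SAMPLE_EVENTS = r"""
{"time":"2018-02-09T19:54:50","host":"WS02","id":4624,"LogonType":3,"IpAddress":"10.0.0.5","TargetUserName":"alice"}
{"time":"2018-02-09T19:55:01","host":"WS02","id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}
{"time":"2018-02-09T19:55:10","host":"WS03","id":4624,"LogonType":3,"IpAddress":"10.0.0.5","TargetUserName":"bob"}
{"time":"2018-02-09T19:55:20","host":"WS03","id":7045,"ServiceName":"svc-update","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}
{"time":"2018-02-09T19:55:30","host":"WS04","id":4624,"LogonType":3,"IpAddress":"10.0.0.5","TargetUserName":"carol"}
{"time":"2018-02-09T19:55:35","host":"WS04","id":4688,"ParentProcessName":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","NewProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"time":"2018-02-09T19:55:40","host":"WS05","id":4624,"LogonType":3,"IpAddress":"10.0.0.5","TargetUserName":"dave"}
{"time":"2018-02-09T19:56:00","host":"WS06","id":4688,"ParentProcessName":"C:\\Windows\\explorer.exe","NewProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"time":"2018-02-09T19:56:05","host":"WS06","id":7045,"ServiceName":"Spooler","ImagePath":"%SystemRoot%\\System32\\spoolsv.exe"}
{"time":"2018-02-09T19:56:10","host":"WS06","id":4624,"LogonType":3,"IpAddress":"10.0.0.9","TargetUserName":"alice"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def basename(path):
    """Last component of a Windows (or POSIX) path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of alert dicts for the three lateral-movement patterns."""
    alerts = []
    network_logons = defaultdict(list)  # source IP -> [(time, account)]
    for ev in events:
        eid = ev.get("id")
        if eid == 7045:
            # PsExec installs a service on the target; check both the service
            # name and the binary, since the name can be changed with -r.
            name = ev.get("ServiceName", "").upper()
            image = basename(ev.get("ImagePath", "")).upper()
            if PSEXEC_MARKER in name or PSEXEC_MARKER in image:
                alerts.append({"rule": "psexec_service", "host": ev["host"],
                               "service": ev.get("ServiceName")})
        elif eid == 4688:
            # Remote WMI execution shows up as a shell whose parent is the WMI
            # provider host, something interactive use almost never produces.
            parent = basename(ev.get("ParentProcessName", ""))
            child = basename(ev.get("NewProcessName", ""))
            if parent == "wmiprvse.exe" and child in SHELLS:
                alerts.append({"rule": "wmi_exec", "host": ev["host"], "process": child})
        elif eid == 4624 and str(ev.get("LogonType")) == "3":
            # Logon type 3 = network logon; collect per source address.
            network_logons[ev.get("IpAddress")].append(
                (ev["time"], ev.get("TargetUserName", "").lower()))

    # One source authenticating as many different accounts in a short window
    # is the signature of a worm replaying a harvested credential pool.
    for source, logons in network_logons.items():
        for i, (start, _) in enumerate(logons):      # logons are already time-sorted
            accounts = sorted({u for t, u in logons[i:] if t - start <= FANOUT_WINDOW})
            if len(accounts) >= FANOUT_ACCOUNTS:
                alerts.append({"rule": "credential_fanout", "source": source,
                               "accounts": accounts})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the constructed sample, the script raises four alerts: two PsExec service installs (one under a renamed service), one WMI-spawned shell, and one credential fan-out from 10.0.0.5 across four accounts. The benign explorer-launched shell, the Spooler service install and the single network logon from 10.0.0.9 are left alone. In a real environment the thresholds would be tuned against the baseline of legitimate administration, and 4688 events need process-creation auditing (or Sysmon) enabled to exist at all.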
As further evidence that the malware was timed to the opening ceremony, researchers at security firm Crowdstrike note that they've also obtained the malware, and that they detected it on February 9, the same day as the ceremony in Pyeongchang. [2]
It's not clear how the hackers behind Olympic Destroyer first penetrated their target, or how they obtained the credentials of 44 Olympics staff members to kickstart their attack. But the Talos researchers say that the multitude of spreading techniques and those pre-seeded credentials all point to a sophisticated adversary. "Anything like this with curated data, prepackaged to target those systems, isn't amateur hour," says Mercer. "It's a targeted campaign designed to hit very specific targets."
Still, the Talos researchers declined to point the finger at Russia, or any other government. Despite the malware's sophistication and its similarity to past operations like NotPetya and BadRabbit, they point out that it's possible other hackers simply adopted that earlier malware's techniques.
'The Russians are the leading suspects.'
James Lewis, Center for Strategic and International Studies
But the political context of the attack makes Russia by far the most likely culprit, says James Lewis, the director of the Center for Strategic and International Studies' Technology and Public Policy Program. After all, the Russian hacker group known as Fancy Bear, widely believed to be part of its military intelligence agency, the GRU, was hacking Olympics-related organizations as early as September of 2016. Those attacks, which resulted in leaks of the medical records of athletes including Serena and Venus Williams and Simone Biles, appeared to be aimed at discrediting the Olympics' anti-doping programs after Russia was banned from the games for widespread and systematic use of performance-enhancing drugs among its athletes. "The Russians are the leading suspects," says Lewis.
In the weeks leading up to the Olympics, other signs have pointed to a possible North Korean hacking campaign targeting Olympics organizations and the Pyeongchang local government. Crowdstrike researchers note, disturbingly, that "several threat actors" had access to organizations "adjacent" to affected Pyeongchang victims. But North Korea has, by most appearances, sought to use the Olympics as an opportunity to improve its diplomatic relations with South Korea and burnish its global image. In that context, Lewis argues, the Kim regime would be unlikely to want to disrupt the games. "They really don't have any incentive," he says.
Russia's government, on the other hand, was "angry" about the doping ban, and has shown itself willing to use hacking as a means of exacting its revenge for that slight, Lewis says. "It's consistent with what they've done before. It's probably them," Lewis says. "It's another example of Russian petulance."
[1] Updated at 2:45 PM EST to add revised information from Cisco Talos.
[2] Updated at 12:30 PM EST to add additional research from Crowdstrike.