
Rumours fly about who was behind the PyeongChang Olympics hack

16 Feb 2018

As speculation grows about who was behind the attacks on the PyeongChang Olympic Games opening ceremony, Talos Researchers identified a malware called “Olympic Destroyer” that may have been behind the attacks.

Recorded Future believes that the Olympic Destroyer malware should be treated as serious because of its destructive nature and ability to spread laterally.

It uses the built-in Windows tools PsExec and WMI to infect systems and render data unusable. It also uses the password-stealing tool Mimikatz to extract credentials and continue moving across a target network.

The PyeongChang attack also included a set of Active Directory credentials and a software key, which suggests the malware had previously been used in an early reconnaissance phase.
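The lateral-movement behaviour described above (PsExec service installs, WMI-launched processes and Mimikatz-style LSASS access) is what a defender would look for in endpoint telemetry. The following is an added example, not code from the article or from Recorded Future: it correlates constructed, simplified Windows System and Sysmon event records per host and raises an alert when two or more distinct indicators appear within a short window. Event IDs 7045, Sysmon 1 and Sysmon 10 are real; the record layout and sample values are assumptions for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article), flattened to a dict per record.
SAMPLE_EVENTS = [
    {"ts": "2018-02-09T19:58:00", "host": "WS-12", "source": "System", "event_id": 7045,
     "detail": "Service Name: PSEXESVC ImagePath: %SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2018-02-09T19:58:40", "host": "WS-12", "source": "Sysmon", "event_id": 10,
     "detail": "SourceImage: C:\\Temp\\x.exe TargetImage: C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2018-02-09T19:59:10", "host": "WS-12", "source": "Sysmon", "event_id": 1,
     "detail": "ParentImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe Image: C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2018-02-09T20:30:00", "host": "WS-07", "source": "Sysmon", "event_id": 1,
     "detail": "ParentImage: C:\\Windows\\explorer.exe Image: C:\\Windows\\System32\\notepad.exe"},
]


def classify(event):
    """Map one event to a lateral-movement indicator name, or None if benign."""
    d = event["detail"]
    # System 7045: a new service was installed; PsExec drops PSEXESVC on the target.
    if event["event_id"] == 7045 and "PSEXESVC" in d.upper():
        return "psexec_service"
    # Sysmon 1: process creation whose parent is the WMI provider host (remote WMI exec).
    if event["source"] == "Sysmon" and event["event_id"] == 1 and "WmiPrvSE.exe" in d:
        return "wmi_remote_exec"
    # Sysmon 10: another process opened a handle to LSASS (credential dumping pattern).
    if event["source"] == "Sysmon" and event["event_id"] == 10 and "lsass.exe" in d.lower():
        return "lsass_access"
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Return {host: [indicators]} for hosts with >= 2 distinct indicators inside `window`."""
    by_host = {}
    for e in events:
        tag = classify(e)
        if tag:
            by_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), tag))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            tags = {tag for t, tag in hits[i:] if t - t0 <= window}
            if len(tags) >= 2:
                alerts[host] = sorted(tags)
                break
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

A single indicator on its own (an administrator legitimately using PsExec, for instance) does not alert; the combination within minutes on one host is what makes it worth investigating.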

In December, an attack on a telecommunications provider marked the beginning stages of the attack on the Games.

“All samples of the Olympic Destroyer malware variant targeting the IT provider were timestamped five minutes prior to the compilation of the samples identified by Talos researchers as targeting the PyeongChang 2018 network. This suggests a parallel, two-pronged attempt to target the Olympics event, aimed at both organizers and infrastructure providers,” a report from US threat intelligence firm Recorded Future says.

The team also suggests that there are disparate code overlaps in the malware, suggesting a ‘false flag’ operation that is throwing researchers off the trail and diluting evidence.

Recorded Future has taken the analysis one step further, although there’s still no firm evidence as to who conducted the attack.

Recorded Future director of strategic threat development Priscilla Moriuchi says that finding out who is behind the attacks is important because it shapes responses from government, victims and the public.

“Accurate attribution is both more crucial and more difficult to determine than ever because adversaries are constantly evolving new techniques and the expertise required to identify a sophisticated actor keeps increasing.”

The report suggests that the malware could originate from North Korea, China or Russia – but the case is not straightforward.

“Complex malware operations make us take pause to reevaluate research methods and make sure the research community is not being misled by its own eagerness to attribute attacks,” explains Recorded Future principal security researcher of Insikt Group, Juan Andres Guerrero Saade.

Researchers from Intezer spotted code similarities between Olympic Destroyer and threat actors in China, including the APT3, APT10 and APT12 groups.

Recorded Future’s research group found code similarities linked with malware families belonging to the Lazarus Group in North Korea.

“The Olympic Destroyer campaign comes at a precarious time of geopolitical tensions with several possible perpetrators but conclusive proof in any one particular direction has not yet been shared,” Saade concludes.

Read further coverage of the PyeongChang Olympic hacks:

Winter Olympics hacked: Was it just disruptive or something more sinister?

Surprise - the PyeongChang Winter Olympic Games were hacked
