Hackers Win Olympic Gold Medal for Disruption
Researchers Say Destructive Wiper Dubbed 'Olympic Destroyer' Hits Pyeongchang
Hackers have crashed the Winter Olympics, apparently by using destructive malware.
On Friday, shortly before the opening ceremonies of the Olympic Winter Games in South Korea, the official Pyeongchang 2018 site stopped working, leaving attendees unable to print tickets. In addition, the WiFi in Pyeongchang Olympic stadium stopped working, as did televisions and internet access in the main press center, the Guardian first reported. It said the website wasn't restored until 12 hours later, on Saturday morning.
"We can confirm that the technology issues experienced on Friday night were caused by a cyberattack," a spokesman for the International Olympic Committee tells Information Security Media Group.
"The situation was quickly dealt with and as a result, all systems have remained stable and no competitions were ever affected. They continue to run smoothly."
The Winter Olympics run from Feb. 9 to 25 in Pyeongchang, South Korea.
In the run up to the Olympics, officials in South Korea voiced concerns that North Korea might attempt to disrupt the games via hack attacks. But North Korea is participating in the games, and it sent a delegation led by Kim Yo Jong, the younger sister of leader Kim Jong Un, who immediately made diplomatic overtures to Seoul.
Two security firms report that they have recovered copies of the malware used in the attack.
Attribution Games
Some commentators were quick to suggest that individuals affiliated with Russia would be obvious suspects behind the online attack, with the International Olympic Committee having banned Russian athletes from competing because of doping violations. Others, however, say they have recovered malware previously used by hackers tied to China.
Multiple information security experts have cautioned that attempting to attribute the attacks now - or potentially in the future - is irresponsible, noting that early reports on cyberattack attribution are wildly unreliable and often distract from the fact that the affected organizations failed to maintain proper information security defenses (see Ransomware Report: Is China Attribution Merely Hype?).
For their part, Olympics organizers refused to speculate.
"There was a cyberattack and the server was updated yesterday during the day and we have the cause of the problem," Pyeongchang 2018 spokesman Sung Baik-you told reporters on Sunday, adding that attempted disruptions were not unusual during the Olympic Games.
"We are not going to reveal the source," he said. "We are taking secure operations and, in line with best practice, we're not going to comment on the issue because it is an issue that we are dealing with."
Outside Analysis: Wiper Malware Suspected
Information security researchers at Cisco's Talos group say they identified the malware used in the attack "with moderate confidence" although they say it's unclear how the malicious code infected IOC systems.
"The samples identified, however, are not from adversaries looking for information from the games but instead they are aimed to disrupt the games," Talos security researchers Warren Mercer and Paul Rascagnères write in a Monday blog post. "The samples analyzed appear to perform only destructive functionality. There does not appear to be any exfiltration of data."
They say the malware is designed to delete shadow copies in Windows and to spread via PsExec (psexec.exe) and Windows Management Instrumentation (wmic.exe), which are legitimate tools built into Windows. Such functionality has been seen with both the NotPetya and BadRabbit attacks (see Teardown of 'NotPetya' Malware: Here's What We Know).
Winter Olympic disruption occurred over the weekend as reported by @guardian newspaper. Today @r00tbsd and I dissect the malware we believe was used during this attack in our latest post about a destructive piece of malware we call #OlympicDestroyer https://t.co/3d8nMf2jAZ
— Warren Mercer (@SecurityBeard) February 12, 2018
The researchers say the first stage of what they dubbed "Olympic Destroyer" malware drops multiple executable files onto an infected system, including a browser credential stealer designed to retrieve stored credentials. It also drops a system credential stealer designed to steal legitimate credentials from the Windows Local Security Authority Subsystem Service, or LSASS, in a technique that resembles one used by Mimikatz, an open source Windows security tool, they say.
During the initial infection stage, the malware also attempts to move laterally across the network by copying itself to remote systems reachable via the network. "The malware author knew a lot of technical details of the Olympic Game infrastructure, such as username, domain name, server name and obviously password," the researchers write. "We identified 44 individual accounts in the binary."
The initial infection also drops a destructive wiper on the infected system designed to delete backup files, leave systems unbootable and then shut down.
The attack appears to have been highly targeted. "Basically it's another automated lateral movement wiper, which absolutely intends to make systems unbootable and wipe backups. Interesting they hard coded credentials - stops it spreading around world," tweets U.K.-based information security researcher Kevin Beaumont.
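The behaviors described above (shadow copy deletion, boot recovery tampering to leave systems unbootable, and lateral movement through PsExec and WMI) are noisy in process-creation telemetry. The following is an added illustration, not code from Talos or from the article: a small triage pass over constructed process-creation events that flags those behaviors per host. The log format, host and user names are constructed, and the specific command lines matched (vssadmin, wmic shadowcopy, wbadmin, bcdedit) are common implementations of these techniques, assumed here rather than reported for this sample.

```python
import re
from collections import namedtuple

# Constructed process-creation events: host|user|image|command line.
# These are made up for the example, not telemetry from the Olympic network.
SAMPLE_EVENTS = """\
PC-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
PC-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
PC-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
PC-OPS-01|CORP\\svc_backup|C:\\Temp\\psexec.exe|psexec.exe \\\\PC-OPS-02 -u CORP\\svc_backup -p ***** -d cmd.exe
PC-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:PC-OPS-03 process call create "C:\\Temp\\stage.exe"
PC-OPS-02|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
PC-OPS-02|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

Finding = namedtuple("Finding", "host user rule command")

# Each rule is (name, pattern over the command line). Listing or querying
# shadow copies is benign and deliberately not matched.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete"
        r"|\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("boot_recovery_tamper", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("remote_exec_psexec", re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    ("remote_exec_wmic", re.compile(
        r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
]

def parse_event(line):
    """Split one constructed event line into its four fields."""
    host, user, image, cmd = line.split("|", 3)
    return host, user, image, cmd

def triage(text):
    """Return one Finding per (event, rule) match over the event text."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, image, cmd = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(host, user, name, cmd))
    return findings

def hosts_with_wiper_pattern(findings, min_rules=2):
    """Hosts where at least min_rules distinct rules fired. Backup destruction
    plus remote-execution tooling on one host fits the chain described in the
    article far better than any single event does."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)
```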
Likely Goal: Embarrassment
The Cisco Talos researchers say attackers likely gained access to the targeted environment before unleashing the wiper to ensure they could time it to coincide with Friday's opening ceremony.
"Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony," they write.
Meanwhile, Darien Huss, a targeted threat researcher at Proofpoint, says that one of the filenames in the malware is "evtchk.txt," which also appeared in the malware that was used to hack the central bank of Bangladesh, as documented in April 2016 by Sergei Shevchenko, a security researcher at BAE Systems (see Report: DOJ Sees Bangladesh Heist Tie to North Korea).
The evtchk.txt filename in Olympic Destroyer is interesting, just remembered where I have seen similar before (Bluenoroff SWIFT): https://t.co/T6Zloa9EPQ https://t.co/GOFfmupU1j Maybe just a coincidence though cc: @r00tbsd @SecurityBeard pic.twitter.com/3D4AeyWtT1
— Darien Huss (@darienhuss) February 12, 2018
"Maybe just a coincidence though," Huss says.
Signs of Credential Gathering
Some researchers say attackers affiliated with Russia have recently been seen gathering credentials for organizations tied to the Winter Olympics.
"In November and December 2017, CrowdStrike Intelligence observed credential harvesting activity against an entity operating in the international sporting sector and attributed it to Russian threat actor Fancy Bear with medium confidence," Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, tells Information Security Media Group.
Fancy Bear is the company's name for a group of APT attackers - also known as APT28, Group 74, Pawn Storm, Sofacy, Strontium and Tsar Team - with apparent ties to Russia's GRU military intelligence unit (see Microsoft Battles Fancy Bear Hackers - With Lawyers).
Meyers says CrowdStrike also recovered the wiper malware that appears to have been used in the Friday attack. He says that while the malware was first spotted on Friday, it has a build timestamp of Dec. 27, 2017, and contains hardcoded credentials that "belong to multiple target entities involved in running computer and network infrastructure for the Olympic Winter Games."
But there's no direct evidence that the credential harvesting attacks CrowdStrike witnessed were used to build the targeted wiper malware. "While there is currently no confirmed connection between this activity and the destructive attack, a similar reconnaissance phase was likely carried out in preparation of this recent operation," Meyers said.
This story has been updated with revised commentary from CrowdStrike.