Winter Olympics officials confirmed on Sunday that a cyber attack known as the Olympic Destroyer did target their networks resulting in technical failures during the opening ceremony but have refused to disclose the perpetrators responsible. The attack saw the official website knocked offline, Wi-Fi not working in the stadium and failure of internet protocol televisions at the Main Press Center. Cisco researchers threat intelligence agents Talos, CrowdStrike, and FireEye analyzed the malicious code used in the attack and determined it was designed to destroy targeted critical systems rather than steal data.
While the infection vector is still unknown, samples of the malware identified, “are not from adversaries looking for information from the gamers but instead, they are aimed to disrupt the games.” they said.
“Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample,” Talos researchers Warren Mercer and Paul Rascagneres wrote in a blog post. “The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya.”
The malware itself is a binary file that drops a browser credential stealer that supports Chrome, Firefox and Internet Explorer and a system stealer to swipe credentials from Local Security Authority Subsystem Service (LSASS) using a method similar to that used by Mimikatz.
The malware uses a tool called ‘bcdebit’ to make sure that the Windows recovery console cannot attempt to repair anything on the host making sure recovery is extremely difficult.
“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable,” Talos added. “The sole purpose of this malware is to perform destruction of the host and leave the computer system offline.”
During the attack, the Olympic website’s downtime prevented visitors from accessing information or printing out tickets. Wi-Fi not working at the stadium also hindered reporters working on site.
“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after the embarrassment of the Olympic committee during the opening ceremony,” researchers said, noting that the malware author knew a lot of technical details of the Olympic Game infrastructure.
A list of 44 usernames and passwords for accounts on PyeongChang2018.com were included in the malware’s code, researchers said. It is not immediately clear how the hackers managed to obtain these credentials or infiltrate the targeted systems.
None of the cybersecurity firms have named the threat actors possibly responsible for the attack or provided any details regarding its origin.
However, suspicions have already emerged naming Russia as a likely suspect after the International Olympic Committee banned Moscow from competing over the state-sponsored doping scandal.
Over the past few months, researchers have also observed an uptick in phishing campaigns targeting several Olympics organizations by the Kremlin-linked hacking group Fancy Bear, also known as APT28. The hacker group has previously been linked to the DNC hack. CrowdStrike also said it observed credential harvesting activity against an international sporting organization in November and December 2017 that it attributed to Fancy Bear “with medium confidence”.
John Hultquist, director of analysis at FireEye’s intelligence analysis team, said: “We have anticipated an attack of some nature on the events for quite a while, particularly by a Russian actor. Actors like APT28 have unceasingly harassed organizations associated with the games and the Russians have been increasingly willing to leverage destructive and disruptive attacks.”
Russia’s foreign ministry has already dismissed any “pseudo-investigations” blaming Moscow for cyber attacks on the Winter Olympics saying “no evidence would be presented to the world”.