EARLY WARNINGS
When the hackers showed up before the athletes, it didn’t surprise many. The first week in January 2018, John Leyden reported one of the first malware campaigns in his London-based newspaper, The Register. The Advanced Threat Research division of the security software company McAfee had just released a report on a campaign targeting organizations involved with the Pyeongchang Olympics. An email containing a malicious Microsoft Word document was sent to icehockey@pyeongchang2018.com with several other organizations in South Korea on the BCC line. The attack first appeared December 22, 2017, and continued through December 28, 2017.
In its technical report, McAfee noted the sophistication of the malware enclosed in the Word document, which even made use of steganography, in this case the concealment of malicious code in an image. The analysts wrote, “Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware.” The idea was to establish remote control of the Olympic organization’s computers.
The security firm concluded with a warning for both the agencies and the companies involved with the upcoming Olympic events to expect more of this.
OPENING CEREMONIES
On February 8, 2018, the day before the opening ceremonies, journalist Nicole Perlroth echoed McAfee’s concerns in a New York Times article titled “Winter Olympics’ Security on Alert, but Hackers Have a Head Start.” She also provided a preliminary scorecard on the email attack that McAfee had identified. “More than 300 Olympics-related computer systems have already been hit, with many of them compromised.” She also noted that the second stage of that same attack now appeared to be under way, with the hackers streaming data from the victims’ computers back to their own systems. McAfee still had no clear idea who was behind the effort, but it was well organized and had substantial resources, with “the hallmarks of a nation state,” according to its senior analyst Ryan Sherstobitoff.
Perlroth noted that the Department of Homeland Security was warning Americans leaving for the Olympic Games “that cybercriminals are likely to be targeting the Games.”
The reporter also pointed out that the results of the first attacks might affect more than the information on the organizers’ servers. She quoted Betsy Cooper, the executive director at the Center for Long-Term Cybersecurity at the University of California Berkeley, who had speculated, “The worst-case scenario would be attacks in which hackers tried to shut off lights in the stadium during an event, or perhaps even tampered with electronic timing results.”
Preparations were in place. The U.S. State Department had set up a security monitoring operation on one floor of its embassy in Seoul. Perlroth added, “Elsewhere in Pyeongchang, an alliance of security personnel from South Korea, various Olympic sponsors, technology suppliers and cybersecurity sleuths from around the world are monitoring computer screens and potential threats at the unmarked Security Command Center.”
One of the sentinels, John Hultquist, director of threat intelligence at the security company FireEye, told the Times, “One thing is for certain: We can’t simply rely on these actors to behave themselves in this context. They’ve proven, again and again, over the past few years that they are not afraid to flout international norms and create chaos.”
OLYMPIC DESTROYER
The opening ceremonies were scheduled for Friday, February 9, 2018, and they didn’t go as planned. The online security news blog CyberScoop reported, “Hackers armed with destructive malware appear to have compromised the main IT service provider for the Winter Olympic Games months before last week’s highly publicized cyberattack.”
The IT company is Atos, and it’s hosting the Olympics’ cloud infrastructure. The opening day attack came from a destructive wiper malware named “Olympic Destroyer,” and it announced its presence on Friday, February 9, 2018, by shutting down the official website of the Winter Olympics (www.olympic.org) for hours, interrupting ticket sales and the ability to print tickets as well as blocking venue information. The downtime lasted 12 hours, extending into Saturday morning at 8 a.m.
Local Wi-Fi went down in the Pyeongchang Olympic stadium, and televisions and internet access failed at the main press center.
On Sunday, February 11, 2018, the Olympic officials confirmed that there had been a cyberattack but offered no further information.
Olympic Destroyer is called wiper malware because its primary purpose is to delete files (shadow backups, boot configuration files, and event logs), causing the computer to crash and become unresponsive.
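The three file classes named above (shadow backups, boot configuration, event logs) are exactly what a defender would watch for being removed. The following is an added detection sketch, not code from the article or from any of the analysts it cites: it scans constructed process-creation log lines for commands that delete shadow copies, disable Windows recovery in the boot configuration, or clear event logs, and flags a host only when more than one category fires, since a lone shadow-copy deletion can be routine administration. The log format, host names, and the specific command-line patterns are assumptions; the page names the file classes but not the commands.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation log lines (not from the page or any real incident).
# Assumed format: "<timestamp> host=<name> user=<name> cmd=<command line>"
SAMPLE_LOGS = [
    '2018-02-09T20:01:10Z host=WS01 user=svc_ops cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"',
    '2018-02-09T20:01:12Z host=WS01 user=svc_ops cmd="wbadmin delete catalog -quiet"',
    '2018-02-09T20:01:15Z host=WS01 user=svc_ops cmd="bcdedit.exe /set {default} recoveryenabled no"',
    '2018-02-09T20:01:16Z host=WS01 user=svc_ops cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2018-02-09T20:01:20Z host=WS01 user=svc_ops cmd="wevtutil.exe cl System"',
    '2018-02-09T20:01:21Z host=WS01 user=svc_ops cmd="wevtutil cl Security"',
    '2018-02-09T20:02:00Z host=WS02 user=alice cmd="notepad.exe C:\\Users\\alice\\notes.txt"',
    '2018-02-09T20:02:05Z host=WS02 user=alice cmd="vssadmin list shadows"',  # read-only, must not fire
]

# One regex list per file class the article names. Patterns are assumptions about how
# these actions commonly appear on a Windows command line, not a complete catalogue.
INDICATORS: Dict[str, List[re.Pattern]] = {
    "shadow_backup_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    ],
    "boot_config_tampering": [
        re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I),
        re.compile(r"bcdedit(\.exe)?\s+/set\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
    ],
    "event_log_clearing": [
        re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
    ],
}


def extract_field(line: str, name: str) -> str:
    """Pull host=... or cmd="..." out of one constructed log line."""
    if name == "cmd":
        m = re.search(r'cmd="([^"]*)"', line)
    else:
        m = re.search(rf"{name}=(\S+)", line)
    return m.group(1) if m else ""


def classify_line(line: str) -> List[str]:
    """Return the indicator categories whose patterns match the command line."""
    cmd = extract_field(line, "cmd")
    return [cat for cat, pats in INDICATORS.items() if any(p.search(cmd) for p in pats)]


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, category, command) for every matching line."""
    hits = []
    for line in lines:
        host = extract_field(line, "host")
        cmd = extract_field(line, "cmd")
        for cat in classify_line(line):
            hits.append((host, cat, cmd))
    return hits


def hosts_with_recovery_wiped(lines: List[str], min_categories: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least min_categories distinct indicator classes fired.

    Requiring more than one class is the point: deleting shadow copies alone happens in
    legitimate maintenance, but removing backups AND recovery AND logs on one host is the
    'no intention of leaving the machine usable' pattern the wiper description implies.
    """
    per_host: Dict[str, set] = {}
    for host, cat, _ in scan(lines):
        per_host.setdefault(host, set()).add(cat)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= min_categories}


if __name__ == "__main__":
    for host, cats in hosts_with_recovery_wiped(SAMPLE_LOGS).items():
        print(f"ALERT {host}: recovery artefacts removed ({', '.join(cats)})")
```

Run against the constructed lines, only WS01 is flagged, with all three categories; WS02’s `vssadmin list shadows` is read-only and is correctly ignored. In practice the same logic would sit over endpoint process-creation telemetry (Sysmon event 1 or Windows security event 4688), with the per-host correlation window bounded to a few minutes.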
Cisco’s Talos Threat Intelligence Group analyzed samples of the malware and concluded, “Wiping all available methods of recovery shows this attacker had no intention of leaving the machines usable. The purpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote data.”
Perhaps even more ominous is Cisco’s final comment in the report: “This is something we have witnessed previously with BadRabbit and Nyetya.” You might remember the attack campaigns from these two last year. BadRabbit (October 2017) was ransomware that would lock your computer and demand a Bitcoin ransom, and Nyetya (June 2017) was described by Talos as wiperware that’s “significantly worse, significantly more virulent than the WannaCry ransomware and is much stealthier.”
One of the Destroyer samples contained an Atos employee’s credentials, which led researchers to assume that the hacker who deployed it had managed to penetrate the Atos network months before.
For the time being, Talos and others are assuming a somewhat one-dimensional disruption by Destroyer. “The samples identified are not from adversaries looking for information from the games, but instead they are aimed to disrupt the games. The samples analyzed appear to perform only destructive functionality. There does not appear to be any exfiltration of data.”
Although there are several points of similarity with previous versions of ransomware, Destroyer lacks two key elements that make that kind of malware so pernicious. According to CyberScoop, Destroyer isolates each infection, “unlike the NotPetya or WannaCry incidents before it,” and it doesn’t “destroy data resident on the system similar to previously observed ransomware families.”
Why have the attackers purposely restrained the Olympic Destroyer malware by “underwriting it with parameters that isolate each infection”? Analysts Warren Mercer of Talos and John Hultquist of FireEye don’t explain why the hackers held their fire after the first-day takedowns of the website and networks.
Perhaps the answer will arrive later in the progress of the month-long Games. Hopefully, it won’t include any further incidents.