Researchers: We Found the Olympic-Disrupting Malware

They're calling the malware 'Olympic Destroyer' and say they have "moderate confidence" that it was used to disrupt the Opening Ceremony.

Feb 12 2018, 2:28pm


On Sunday, The Guardian reported that Winter Olympics organizers confirmed that hackers targeted the event’s opening ceremony. Disruptions included faulty stadium WiFi and television and internet service at the main press centre going down. Now, researchers at Talos, part of cybersecurity firm Cisco, say they’ve found a piece of malware that is likely linked to the outages.

The news signals the increased use of malware that is focused on causing destruction rather than stealing information, and comes as state-sponsored hackers around the world, including those from Iran and Russia, continue to use destruction-focused malware.

“The attacker was quite sure to disrupt services but they did not make it a full scale machine wiping mission, for now,” Warren Mercer, technical leader at Talos, told Motherboard in an email.

Talos, which dubs the malware “Olympic Destroyer,” said in a blog post Monday morning it has “moderate confidence” that the malware it has identified was used in the Opening Ceremony hack.

Windows-based Olympic Destroyer carries out a number of different tasks, according to Talos. It drops several files onto the target, which then steal passwords stored in a browser (Internet Explorer, Firefox, or Chrome) as well as the computer’s system passwords. The system-password stealer uses a technique similar to that in Mimikatz, an established tool for grabbing passwords that Russian hackers have adopted. The malware may then use these passwords to move through the target network, and it drops a legitimate Microsoft tool, called PsExec, to move throughout a target.

Most importantly, the malware also gets to work on wiping a target’s machine, and attempts to cover up its own tracks.

“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. The sole purpose of this malware is to perform destruction of the host and leave the computer system offline,” the Talos blog post reads.

Talos writes it is not clear how this malware was delivered to a target. However, the program does include Winter Olympic credentials pre-loaded into it, suggesting that the attackers may already have had some form of access to Olympic systems before deploying the Opening Ceremony attack.

“The malware contained hard coded credentials based on Pyeongchang2018.com as the domain. This is the official Olympics domain for the Winter Games,” Mercer told Motherboard, adding that Talos was ultimately unable to confirm the passwords’ validity.

Mercer told Motherboard the samples are available on malware search engine VirusTotal, and that Talos obtained corroborating information from AMP, Cisco Talos’ Advanced Malware Protection product.

At the time of writing, at least 39 anti-virus products detect Olympic Destroyer as malicious, according to VirusTotal.

Although Talos does not point to any particular group or country as being responsible for the malware’s creation or deployment, it does note a number of similarities with other malware campaigns. One technique used as a communication channel to the initial stage of the malware is the same as one used during the recent BadRabbit and Nyetya attacks. The United States’s CIA has attributed Nyetya—also known as NotPetya, which ravaged computers especially in Ukraine—to Russian military intelligence, the Washington Post reported in January.

However, cybersecurity firm Intezer has found similarities with code previously linked to Chinese government-affiliated hackers, a company spokesperson told Motherboard in an email.

Likely Russian hackers have already been on the offensive against the Olympics and sports world writ large. In January, the self-titled “Fancy Bears’ Hack Team,” believed to be Russian state-sponsored, resurfaced and released several small caches of documents stolen from the World Anti-Doping Association.

In December, the International Olympic Committee banned Russia from participating in the Winter Olympics, after investigations uncovered a wide-spanning, state-sponsored effort to give Russian athletes performance-enhancing drugs.

Update: This post has been updated with comment from Warren Mercer, technical leader at Talos. It has also been updated to note that a second cybersecurity firm has found similarities with code previously linked to Chinese government-affiliated hackers.
