The same malware used in recent Olympic Winter Games in Pyeongchang, tracked as Olympic Destroyer, has been used in a new wave of attacks against organizations in Germany, France, the Netherlands, Russia, Switzerland, and Ukraine.
Shortly before the opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.
According to an analysis conducted by experts from Cisco Talos, there are many similarities between the Pyeongchang attack, which they dubbed ‘Olympic Destroyer‘ and earlier attacks such as BadRabbit and NotPetya. All of these attacks are focused on destruction and disruption of equipment not exfiltration of data or other, more subtle attacks. Using legitimate tools such as PsExec and WMI the attackers targeted the pyeongchang2018.com domain to steal browser and system credentials to move laterally in the network and then wipe the victim computer to make it unusable.
While the source of the attacks is uncertain, the Cisco Talos blog post is clear in identifying motivation, “Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.”
Threat actors behind Olympic Destroyer planted false flags and artifacts inside the wiper to make hard the attribution. Security experts that investigated the case believe the attack was powered by a nation-state actor likely linked to North Korea, Russia or China.
Back to the present, experts from Kaspersky Lab uncovered new cyber attacks involving Olympic Destroyer in May and June.
The threat actors targeted financial companies in Russia and European organizations involved in protection against chemical and biological threats.
“In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again. However, this time the attacker has new targets.” reads the analysis published by Kaspersky.
“According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine. They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.”
The attackers spread the malware via spear-phishing messages using weaponized documents, many of which referenced bio-chemical threat research.
The experts observed that the some of the emails were written in perfect Russian, likely a Russian speaker was involved in the campaigns.
The campaigns involved PowerShell scripts and Powershell Empire, the latter is an open-source framework that allows fileless control of the compromised machine, it has also a modular architecture and relies on encrypted communication.
The threat actors leveraged compromised legitimate web servers as command and control infrastructure, many servers were running vulnerable versions of the Joomla content management system.
According to the experts, the fact that hackers hit financial organizations suggests that Olympic Destroyer is currently used by several threat actors, both nation-state actors and cybercrime gangs.
Another scenario sees a foreign government that may have hired a crime gang to power the attack, or that the financial-focused attacks could be a false flag planted to make hard the attribution.
“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits,” concluded Kaspersky Labs.
“he variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.”
(Security Affairs – Olympic Destroyer, malware)