Incident Of The Week: ‘Olympic Destroyer’ Malware Strikes Winter Games

Dan Gunderman
02/23/2018

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a powerful malware attack that struck the 2018 Winter Olympics in PyeongChang, South Korea – and appeared to “pull back” as a potential show of force or political statement.

This documented incident affected internet access and telecasts and disabled the PyeongChang 2018 website. What’s more, it even reportedly affected spectators’ ability to print out tickets. Although the strain allegedly had the capability of inflicting lasting damage on the affected network, it failed to do so – instead zeroing in on backup files.

Reports of the attack first surfaced in the British media, which cited technical issues during the Opening Ceremony. Officials later confirmed these issues – which occurred on non-critical systems, with a recovery time of about 12 hours. By Feb. 11, Olympic Games officials acknowledged that they’d become the victim of a cyber-attack.

See Related: Risky In Rio: No Medals For Cyber Security In 2016 Olympics

Cisco’s Talos threat intelligence division analyzed the attack postmortem, and identified “with moderate confidence” the samples used in the offensive. According to Talos’ report, the infection vector is unknown – the investigation is ongoing. However, the page notes the samples “are not from adversaries looking for information from the games but instead they are aimed to disrupt the games.”

The analyzed samples point to “destructive functionality,” the report noted. Nonetheless, there were no signs of any data exfiltration.

“Analysis shows that actors are again favoring legitimate pieces of software, as PsExec functionality is identified within the sample,” the Talos report reads. “The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec and WMI to further move through the environment.”
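As an added defender-side illustration (not code from the article or from Talos), the following Python scans constructed process-creation events for the behaviours the report lists: shadow-copy deletion, event-log clearing, and PsExec or WMI remote execution. The sample events and command-line patterns are assumptions for demonstration, not indicators taken from the report.

```python
import re

# Constructed sample process-creation events (not from the Talos report), in the
# shape an EDR or Sysmon export might produce: host, parent process, command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "cmd": "notepad.exe C:\\notes.txt"},
    {"host": "ws01", "parent": "unknown.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": "unknown.exe", "cmd": "wbadmin.exe delete catalog -quiet"},
    {"host": "ws01", "parent": "unknown.exe", "cmd": "wevtutil.exe cl System"},
    {"host": "ws02", "parent": "services.exe", "cmd": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "ws02", "parent": "unknown.exe", "cmd": "wmic /node:ws03 process call create cmd.exe"},
    {"host": "ws03", "parent": "cmd.exe", "cmd": "wevtutil.exe qe Security /c:5"},  # benign query
]

# Each rule is labelled with the behaviour from the report it is meant to cover.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("psexec_service", re.compile(r"psexesvc\.exe", re.I)),
    ("wmi_remote_exec", re.compile(r"wmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create", re.I)),
]


def scan_events(events):
    """Return one finding per event whose command line matches a rule."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"host": ev["host"], "rule": name, "cmd": ev["cmd"]})
                break  # one finding per event is enough for triage
    return findings


def hosts_with_destructive_chain(findings):
    """Hosts showing both backup destruction and log clearing, the pairing the report describes."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    wanted = {"shadow_copy_deletion", "event_log_clearing"}
    return sorted(h for h, rules in rules_by_host.items() if wanted <= rules)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['host']}: {hit['rule']} <- {hit['cmd']}")
    print("hosts with destructive chain:", hosts_with_destructive_chain(hits))
```

In practice the events would come from a SIEM query over process-creation telemetry rather than an inline list, and the PsExec and WMI rules should be correlated with the source host and account to separate administrative use from lateral movement.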

The report stated that the attack bears similarities to that of the BadRabbit and Nyetya strains. The former propagated by encrypting user files and demanding Bitcoin payment. It was believed to spread via an Adobe Flash software “update.”

What’s more, according to a Talos report from June 2017, Nyetya was identified as a threatening malware variant that “leveraged EternalBlue, EternalRomance, WMI and PsExec for lateral movement inside an affected network.”

See Related: Incident Of The Week: RAT Malware Strains Believed To Be N. Korean

For the new variant, dubbed the “Olympic Destroyer,” the threat intelligence division pegged it as a substantial disruptor.

“It leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” it reads.

Again, this meant sending the PyeongChang website offline, and stifling Olympic reporting by crippling Wi-Fi.

The analysis suggested that the infection vector is unknown, but that it could have been administered remotely.

While the culprit is also unknown, the New York Times said that indications point to Fancy Bear, a hacking group connected to Russian intelligence services. The group was allegedly involved in an attack on the Democratic National Committee shortly before the 2016 presidential election.

The same report suggests that the attack could have been premeditated – with the payload constructed in late 2017.

The attack is a particular concern to today’s CISO, whose mission is to preside over enterprises of all sizes. For the large enterprise, public sector or large committee-type operation, these crippling malware attacks can be extremely bothersome, seeing as they’re useful platforms for nation-state actors to make political statements.

Be Sure To Check Out: Incident Of The Week: Media Site Targeted In DDoS Attack, Method On The Rise

[Featured Photo: Sagase48 / Shutterstock.com]
