What is Olympic Destroyer? Malicious file-wiping malware hits Pyeongchang to embarrass organisers
"Disruption is the clear objective in this type of attack," Cisco Talos researchers said.
Cybersecurity experts say they have identified a destructive malware dubbed "Olympic Destroyer" that was likely used in a cyberattack on the Pyeongchang Winter Olympics during the opening ceremony last week. Winter Olympics officials confirmed on Sunday that a cyberattack did target their networks, resulting in technical failures during the opening ceremony, but have refused to disclose the perpetrators responsible.
The attack saw the official website knocked offline, Wi-Fi not working in the stadium and failure of internet protocol televisions at the Main Press Center.
Researchers at Cisco's threat intelligence arm Talos, CrowdStrike and FireEye analysed the malicious code used in the attack and said it was designed to destroy targeted critical systems rather than steal data.
With "moderate confidence", Talos researchers said they have identified the malware used in the attack that appeared to perform "only destructive functionality".
While the infection vector is still unknown, samples of the malware identified "are not from adversaries looking for information from the games but instead they are aimed to disrupt the games," they said.
"Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample," Talos researchers Warren Mercer and Paul Rascagneres wrote in a blog post. "The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya."
The malware itself is a binary file that drops a browser credential stealer that supports Chrome, Firefox and Internet Explorer and a system stealer to swipe credentials from Local Security Authority Subsystem Service (LSASS) using a method similar to that used by Mimikatz.
It then deletes all shadow copies on the system and uses wbadmin.exe to destroy all system files "to ensure that file recovery is not trivial". The malware also uses a tool called bcdedit to make sure that the Windows recovery console cannot attempt to repair anything on the host, making sure recovery is "extremely difficult".
"Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable," Talos added. "The sole purpose of this malware is to perform destruction of the host and leave the computer system offline."
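The recovery-inhibition and lateral-movement steps described above (shadow-copy deletion, wbadmin, bcdedit, event-log clearing, PsExec/WMI) map directly onto process-creation telemetry. The following is an added example, not code from the article or from Talos: it runs simple command-line rules over constructed Windows process-creation records and flags any host that shows two or more distinct recovery-inhibition behaviours, which is the combination that distinguishes a wiper from routine administration. Host names, timestamps and the record format are assumptions.

```python
import re
from collections import defaultdict

# Rule labels follow the behaviours the article attributes to Olympic Destroyer.
# The command-line shapes are generic examples of each tool's syntax, not
# samples taken from the malware.
RULES = {
    "shadow_copies_deleted": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    "recovery_console_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "psexec_lateral_movement": re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\", re.I),
    "wmi_lateral_movement": re.compile(r"\bwmic(\.exe)?\b.*\s/node:", re.I),
}
RECOVERY_INHIBITION = {"shadow_copies_deleted", "backup_catalog_deleted",
                       "recovery_console_disabled", "event_log_cleared"}

# Constructed records in the form time|host|user|image|command_line (assumed format).
SAMPLE_LOG = """\
2018-02-09T20:01:03|PRESS-PC-07|svc_ops|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2018-02-09T20:01:04|PRESS-PC-07|svc_ops|C:\\Windows\\System32\\wbadmin.exe|wbadmin.exe delete catalog -quiet
2018-02-09T20:01:05|PRESS-PC-07|svc_ops|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
2018-02-09T20:01:06|PRESS-PC-07|svc_ops|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl System
2018-02-09T20:01:09|PRESS-PC-07|svc_ops|C:\\Tools\\psexec.exe|psexec.exe \\\\PRESS-PC-08 -s -d payload.exe
2018-02-09T20:02:00|PRESS-PC-08|jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2018-02-09T20:03:00|BUILD-01|ci|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe qe Application /c:5
"""

def parse_line(line):
    """Split one record into its fields; return None for malformed lines."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        return None
    time, host, user, image, cmd = fields
    return {"time": time, "host": host, "user": user, "image": image, "cmd": cmd}

def classify(cmd):
    """Return the sorted rule labels whose pattern matches this command line."""
    return sorted(label for label, rx in RULES.items() if rx.search(cmd))

def analyse(lines, threshold=2):
    """Return (per-line hits, hosts showing >= threshold recovery-inhibition behaviours)."""
    per_host = defaultdict(set)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label in classify(rec["cmd"]):
            hits.append((rec["host"], label, rec["cmd"]))
            per_host[rec["host"]].add(label)
    wiper_hosts = sorted(h for h, labels in per_host.items()
                         if len(labels & RECOVERY_INHIBITION) >= threshold)
    return hits, wiper_hosts
```

Benign uses such as `vssadmin list shadows` or `wevtutil qe` do not match, and a single deletion on its own is reported as a hit but does not by itself mark the host as wiper-affected.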
During the attack, the Olympic website's downtime prevented visitors from accessing information or printing out tickets. Wi-Fi not working at the stadium also hindered reporters working on site.
"Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony," researchers said, noting that the malware author knew a lot of technical details of the Olympic Games infrastructure.
A list of 44 usernames and passwords for accounts on PyeongChang2018.com were included in the malware's code, researchers said. It is not immediately clear how the hackers managed to obtain these credentials or infiltrate the targeted systems.
Who was behind the cyberattack?
None of the cybersecurity firms have named the threat actors possibly responsible for the attack or provided any details regarding its origin.
However, suspicions have already emerged naming Russia as a likely suspect after the International Olympic Committee banned Moscow from competing over the state-sponsored doping scandal.
Over the past few months, researchers have also observed an uptick in phishing campaigns targeting several Olympic organisations by the Kremlin-linked hacking group Fancy Bear, also known as APT28. The hacker group has previously been linked to the DNC hack.
CrowdStrike also said it observed credential harvesting activity against an international sporting organisation in November and December 2017 that it attributed to Fancy Bear "with medium confidence".
"While there is currently no confirmed connection between this activity and the destructive attack, a similar reconnaissance phase was likely carried out in preparation of this recent operation," CrowdStrike said in a statement to Forbes.
John Hultquist, director of analysis at FireEye's intelligence analysis team, said: "We have anticipated an attack of some nature on the events for quite a while, particularly by a Russian actor. Actors like APT28 have unceasingly harassed organizations associated with the games and the Russians have been increasingly willing to leverage destructive and disruptive attacks."
Russia's foreign ministry has already dismissed any "pseudo-investigations" blaming Moscow for cyberattacks on the Winter Olympics, saying "no evidence would be presented to the world".