As athletes battle it out on the rinks and slopes of the Pyeongchang Olympics, a quieter fight is underway on Olympic networks. The “Olympic Destroyer” attack has reportedly disrupted the event’s Wi-Fi network and taken down the official web site just as events were getting underway.
The Guardian first reported technical issues on the Olympic network during the opening ceremonies, which Olympic officials later confirmed to have been caused by a cyber attack. Web site users were unable to access information or print tickets for 12 hours and the Wi-Fi in the Olympic stadium wasn’t working; The Guardian said that televisions and internet service at the main press center were also affected.
Cisco’s Talos Security blog said that according to its analysis, the attack was aimed specifically at disruption rather than information-gathering, adding that “the malware author knew a lot of technical details of the Olympic Game infrastructure such as usernames, domain name, server names and obviously passwords.”
“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” Talos researchers Warren Mercer and Paul Rascagneres wrote. “Disruption of services included the Olympic website being offline, meaning individuals could not print their tickets. The opening ceremony reporting was degraded due to WiFi failing for reporters on site.”
Update on #OlympicDestroyer – malware patches binaries incorporating harvested credentials for lateral movement and other new information, check out the latest update: https://t.co/odptmuBM1g pic.twitter.com/dUKbBPbP8f
— Talos Group (@TalosSecurity) February 13, 2018
Meanwhile, McAfee is tracking malware dubbed Gold Dragon, targeted at the Olympics, which has been circulating for some time, with new aspects appearing just as the event began. McAfee noted that Gold Dragon is a Korean-language implant that it believes is the second-stage payload of an Olympics-related attack that was noticed in early January. That earlier attack, a PowerShell implant, created an encrypted channel to the attacker’s computer but was not a fully functioning backdoor, and “did not contain a mechanism to persist beyond a simple scheduled task”; McAfee said it was a basic information-gathering mechanism to identify targets of interest. Gold Dragon, which appeared the same day that the Olympics began, “has a much more robust persistence mechanism than the initial PowerShell implant and enables the attacker to do much more to the target system.” It is one of four related implants for information gathering, although McAfee said that the Gold Dragon malware “has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware.”
McAfee also noted that an email phishing attack was launched against many Olympics and Olympics-supporting organizations in late December, targeting email addresses with a malicious Microsoft Word document that claimed (in Korean) to be “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.” The document laid the groundwork for a hacker to gain remote access to an infected machine in order to install more spyware. Trend Micro has also been tracking targeting of international athletic organizations since the second half of 2017.