Russian hackers, with hardly a shred of deniability, have targeted the Pyeongchang Olympics for months in retaliation for the country’s doping ban, stealing and leaking documents from Olympics-related organizations. Now a more insidious attack has surfaced, one designed not to merely embarrass, but disrupt the opening ceremonies themselves. And while neither Olympics organizers nor security firms are ready to point the finger at the Kremlin, the hackers seem to have at least left behind some calling cards that look rather Russian.
Over the weekend, the Pyeongchang Olympics organizers confirmed that they’re investigating a cyberattack that temporarily paralyzed IT systems ahead of Friday’s opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets. (While Intel also scrubbed its planned live drone show during the opening ceremonies, the Pyeongchang organizing committee said in a statement that the cause was “too many spectators standing in the area where the live drone show was supposed to take place,” rather than malware.)
Now security researchers at Cisco’s Talos division have released an analysis of a piece of sophisticated, fast-spreading malware they’re calling Olympic Destroyer, which they believe was likely the cause of that outage.
“It was effectively a worm within the Olympic infrastructure that caused a denial-of-service attack,” says Talos researcher Warren Mercer.
According to a detailed blog post the Talos researchers published Monday morning, Olympic Destroyer is designed to automatically jump from machine to machine within a target network and destroy certain data on the machine, including part of its boot record, rebooting machines and then preventing them from loading. “It turns off all the services, the boot information is nuked, and the machine is disabled,” says Talos research director Craig Williams.
Talos points out that Olympic Destroyer’s disruptive tactics and spreading methods resemble NotPetya and BadRabbit, two pieces of Ukraine-targeting malware seen in the last year that the Ukrainian government, the CIA, and other security firms have all tied to Russian hackers.
But strangely, unlike those earlier malware attacks, this latest sample destroys only backup data on victim machines, while leaving the rest of the PC’s hard drive intact. The malware’s real target, the Talos researchers believe, was any data stored on servers that infected PCs could reach on the network; Olympic Destroyer would permanently corrupt those server-side files. That approach may have been designed for a faster, stealthier form of data destruction while still potentially leaving functioning malware infections behind on some victim machines, allowing the hackers to maintain access. “It might have been an optimization,” says Williams. “They wanted to do as much damage as they could, as fast as they could.” As a result, however, the Olympic organizers were able to get their systems working again within 24 hours, compared with NotPetya victims who in many cases permanently lost tens of thousands of computers and took weeks to fully recuperate. [1]
When WIRED reached out to the International Olympics Committee for comment, the IOC referred the inquiry to the local Pyeongchang Organizing Committee, which hasn’t responded. In other reports, however, organizers have declined to name any potential suspects or motives behind the attack.
The Talos researchers say they obtained the Olympic Destroyer malware when it was detected and uploaded by the company’s security products, though the researchers haven’t revealed the exact origin of the code. But as evidence that it did in fact target Olympics infrastructure specifically, they point to a list of 44 usernames and passwords included in the malware’s code, all for accounts on PyeongChang2018.com, the Olympics’ domain. With those accounts as a starting point, the malware then spread using Windows features like PSExec and Windows Query Language—which allow one machine to connect to another—and then scoured the next target machine’s browser data and system memory for more credentials. “It comes in with 44 logins, and then as it compromises machines it pumps more and more user data out of them,” says Williams.
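The spreading pattern described above (remote execution fanning out from host to host, with new accounts appearing at each hop) is something defenders can look for in their own telemetry. The following is an added example, not code from WIRED, Talos or the malware; the record layout, host names and accounts are constructed, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Constructed sample records: (epoch_seconds, source, target, account, method).
# The tuple layout is an assumption; real input would be normalized from
# remote service-install and WMI process-creation telemetry.
EVENTS = [
    (100, "ws01", "ws02", "user_a", "psexec"),
    (105, "ws01", "ws03", "user_b", "wmi"),
    (110, "ws01", "ws04", "user_a", "psexec"),
    (160, "ws02", "srv01", "user_a", "psexec"),
    (165, "ws02", "ws05", "user_c", "wmi"),     # user_c never used upstream
    (170, "ws02", "ws06", "user_c", "psexec"),
    (4000, "admin01", "srv01", "it_admin", "psexec"),  # lone admin session
]

def find_spreaders(events, window=300, min_fanout=3):
    """Return hosts that remotely execute on many peers in a short burst."""
    outbound = defaultdict(list)   # source -> [(time, target, account)]
    inbound = defaultdict(list)    # target -> [(time, source)]
    for ts, src, dst, acct, _method in sorted(events):
        outbound[src].append((ts, dst, acct))
        inbound[dst].append((ts, src))

    findings = {}
    for host, sent in outbound.items():
        start = sent[0][0]
        burst = [e for e in sent if e[0] - start <= window]
        targets = {dst for _, dst, _ in burst}
        if len(targets) < min_fanout:
            continue
        # Parent: whoever executed on this host shortly before its burst began.
        parents = [s for t, s in inbound[host] if 0 <= start - t <= window]
        parent = parents[-1] if parents else None
        upstream = {a for t, _, a in outbound.get(parent, []) if t <= start}
        findings[host] = {
            "parent": parent,
            "fanout": len(targets),
            # Accounts first appearing at this hop: harvested or pre-seeded.
            "new_accounts": sorted({a for _, _, a in burst} - upstream),
        }
    return findings
```

A finding with a non-empty parent is a relay hop in the chain, while one with no parent is a candidate origin whose accounts deserve immediate review.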
As further evidence that the malware was timed to the opening ceremony, researchers at security firm Crowdstrike note that they’ve also obtained the malware, and that they first detected it on February 9, the same day as the show in Pyeongchang. [2]
It’s not clear how the hackers behind Olympic Destroyer first penetrated their target, or how they obtained the credentials of 44 Olympics staff members to kickstart their attack. But the Talos researchers say that the multitude of spreading techniques and those pre-seeded credentials all point to a sophisticated adversary. “Anything like this with harvested data, prepackaged to target those systems, is not amateur hour,” says Mercer. “It’s a targeted campaign designed to accomplish very specific tasks.”
Still, the Talos researchers declined to point the finger at Russia, or any other government. Despite its sophistication and relative similarity to past operations like NotPetya and BadRabbit, they point out that it’s possible other hackers may simply have adopted that earlier malware’s techniques.
But the political backdrop for the attack makes Russia by far the most likely culprit, says James Lewis, the director of the Center for Strategic and International Studies’ Technology and Public Policy Program. After all, the Russian hacker group known as Fancy Bear, widely believed to be part of its military intelligence agency GRU, has been hacking Olympics-related organizations as early as September of 2016. Those attacks, which resulted in leaks of the medical records of athletes including Serena and Venus Williams and Simone Biles, appear to be aimed at discrediting the Olympics’ anti-doping programs after Russia was banned from the games for widespread and systematic use of performance-enhancing drugs among its athletes. “The Russians are the leading suspects,” says Lewis.
In the weeks leading up to the Olympics, other signs have indicated a possibly North Korean hacking campaign targeting Olympics organizations and the Pyeongchang local government. Crowdstrike researchers note, disturbingly, that “several threat actors” had backdoor access to organizations “adjacent” to affected Pyeongchang victims. But North Korea has, by all appearances, sought to use the Olympics as an opportunity to improve its diplomatic relations with South Korea and burnish its international image. In that context, Lewis argues the Kim Regime would be unlikely to want to disrupt the games. “They really don’t have any incentive,” he says.
Russia’s government, on the other hand, has been “furious” about the doping ban, and shown itself willing to use hacking as a means of taking its revenge for that slap, Lewis says. “It’s consistent with what they’ve done before. It’s probably them,” Lewis says. “It’s another example of Russian petulance.”
[1] Updated at 2:45PM EST to include revised information from Cisco Talos.
[2] Updated at 12:30PM EST to include additional research from Crowdstrike.