The Winter Olympics held in Pyeongchang, South Korea, are long gone and almost forgotten. In fact, the Summer Olympics that will be held in Tokyo, Japan, are just around the corner. With only a couple of months left, we need to remember the devious Olympic Destroyer that threatened to ruin the events and ceremonies of the Winter Olympics and that performed successful attacks on different Olympics-related parties. Even months after the initial attacks were reported, this malware was attacking new targets, and that is why there is a good chance that we will see it revived in the summer of 2020. Unfortunately, the attackers behind this malware are experienced, and defending systems against it might be a challenge.
February 2018 was the first time Olympic Destroyer was uncovered, hence the name. Using misleading spam emails, the attackers behind this malware were trying to invade the systems that belonged to the organizers of the event, partners, and related businesses. For example, a winter resort that was not used for any of the Olympic events but that was located nearby was attacked. According to the researchers at Securelist – who have been following the infection closely since its initial attacks – it managed to attack a software vendor that was responsible for the automation at ski resorts, two nearby hotels, an IT service provider, and attached networks. Olympic Destroyer was able to shut down display monitors, tamper with the Wi-Fi connection, and even take down the official Winter Olympics website that people were using to print tickets. If it weren’t for the security teams working for the event, chaos could have ensued.
Olympic Destroyer is a self-propagating and self-modifying infection that can steal passwords and hijack systems, after which the attackers can manipulate them in any way. To perform successful attacks during the Winter Olympics, it used a credential stealer, a wiper, and a tool called “PsExec,” which is a legitimate administration tool and was not created by cybercriminals. To get these components onto the targeted system, the attackers behind Olympic Destroyer used misleading spam emails. If the targeted user was tricked into opening the attached file and then enabling macros, the malware was executed. The victim was first shown a Word document containing what looked like encoded text. Conveniently, an “Enable Content” button was displayed at the top; clicking it executed the malicious payload.
Once in place, Olympic Destroyer used a wiper payload to destroy files on remote network shares, and the process was given an hour to complete. In the meantime, the credential stealer was employed to collect passwords from Windows storage and the installed web browsers. Finally, the PsExec tool, which can be used to execute processes on other machines, was employed. After one hour, the malicious wiper module was set to delete shadow copies, disable Windows recovery, reset backups, and clear the Windows event logs. The creator of the Olympic Destroyer wiper forged automatically generated signatures to make it look like the work of the Lazarus APT, but that was just a decoy set up by the actual attackers. Months after the Winter Olympics had ended, the same attackers were found to be going after financial organizations in Russia as well as laboratories in Ukraine and elsewhere in Europe. Clearly, the attackers were not waiting for the next Olympic Games.
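As an added example that is not from the original article or the Securelist reports, the Python snippet below runs simple detection logic over constructed process-creation log lines for the wiper's post-infection cleanup steps the article lists (shadow copy deletion, disabled recovery, backup reset, event log clearing) together with PsExec use, and only flags a host that shows several of these behaviours. The mapping of those behaviours onto vssadmin, wbadmin, bcdedit and wevtutil command lines, the flattened Sysmon-style log format, and the host names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation log lines (Sysmon Event ID 1 style, flattened to one
# line each) for illustration only; they are not telemetry from any real incident.
SAMPLE_LOGS = [
    r'2018-02-09T20:01:12Z host=WS-01 user=CORP\alice image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2018-02-09T20:01:13Z host=WS-01 user=CORP\alice image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin.exe delete catalog -quiet"',
    r'2018-02-09T20:01:14Z host=WS-01 user=CORP\alice image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"',
    r'2018-02-09T20:01:15Z host=WS-01 user=CORP\alice image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil.exe cl System"',
    r'2018-02-09T20:01:20Z host=WS-01 user=CORP\alice image=C:\Tools\psexec.exe cmdline="psexec.exe \\WS-02 -s ipconfig"',
    # Routine backup housekeeping on a server: a single hit should not be flagged.
    r'2018-02-09T22:00:00Z host=SRV-BACKUP user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /for=D: /oldest"',
    r'2018-02-09T22:05:00Z host=WS-03 user=CORP\bob image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

# One rule per behaviour the article attributes to the wiper, plus PsExec usage.
RULES = [
    ("shadow_copy_deletion", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("backup_catalog_deletion", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("recovery_disabled", r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no"),
    ("event_log_cleared", r"wevtutil(\.exe)?\s+cl\s+\S+"),
    ("psexec_remote_exec", r"(psexec(\.exe)?\s|psexesvc)"),
]
COMPILED = [(label, re.compile(pat, re.IGNORECASE)) for label, pat in RULES]
LINE_RE = re.compile(r'host=(?P<host>\S+).*?cmdline="(?P<cmd>[^"]*)"')


def classify(cmdline):
    """Return the labels of every rule the command line matches."""
    return [label for label, rx in COMPILED if rx.search(cmdline)]


def triage(lines, threshold=2):
    """Collect distinct behaviours per host and flag hosts reaching `threshold`.

    A lone shadow-copy deletion is common admin activity; the wiper described in
    the article chains several of these steps on one host within minutes.
    """
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not process-creation records
        for label in classify(m.group("cmd")):
            hits[m.group("host")].add(label)
    flagged = {h: sorted(labels) for h, labels in hits.items() if len(labels) >= threshold}
    return dict(hits), flagged


if __name__ == "__main__":
    all_hits, flagged_hosts = triage(SAMPLE_LOGS)
    for host, labels in flagged_hosts.items():
        print(f"ALERT {host}: {', '.join(labels)}")
```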
Speaking of the next Olympic Games, there is a possibility that Olympic Destroyer could strike once more, and this time it could be more aggressive and more successful. Now is the time to ensure that malicious programs like this one do not ruin the experience for anyone involved with the Olympics. Above all, the organizers, vendors, and other related parties must be cautious about the emails they receive, open, and interact with. It is also crucial to understand that cybercriminals are constantly looking for new methods of malware execution. Operating systems, networks, hardware, firmware, and software must be kept up to date, and reliable security software must be in place. Hopefully, we will be able to enjoy the Summer Olympics in 2020 without a glitch, but we need to be prepared for everything.
GReAT. “OlympicDestroyer is here to trick the industry.” Securelist, March 8, 2018.
GReAT. “Hades, the actor behind Olympic Destroyer is still alive.” Securelist, June 19, 2018.