CANCUN, Mexico – A postmortem of the Olympic Destroyer malware used in the PyeongChang Olympics attack reveals a deliberate attempt by adversaries to plant a false flags when it comes to attribution, according to researchers.
Days after the crippling attack on the backend networks tied to the Winter Olympic Games, a chorus of security experts attributed the attacks to everyone from Russia, Iran, China and groups such as Lazarus, the nation-state backed gang linked to North Korea.
However, security experts now believe a skilled and mysterious threat actor behind the malware intended to sow confusion among those attempting to assign attribution to the attack. Researchers called the attempt a type of cyber “fake news” attack motivate the media to point fingers in the wrong direction.
“Perhaps no other sophisticated malware has had so many attribution hypotheses put forward as the Olympic Destroyer,” said Vitaly Kamluk, researchers with Kaspersky Lab who co-authored a report released today on the attacks. “Given how politicized cyberspace has recently become, the wrong attribution could lead to severe consequences and actors may start trying to manipulate the opinion of the security community in order to influence the geopolitical agenda.”
The Olympic Destroyer malware temporarily paralyzed IT systems, shutdown display monitors, crippled Wi-Fi and shuttered the Olympics website preventing visitors from printing tickets. The destruction also included several nearby ski resort facilities in South Korea. The worm, according to researchers, disabled the operation of ski gates and lifts at the resorts.
Despite the damage, “the real interest of the cybersecurity industry lay not in the potential or even actual damage caused by the Olympic Destroyer’s attacks, but in the origin of the malware,” according to researchers. The initial rush to judgment muddied the first wave of analysis, Kamluk said.
In the days proceeding the attack a steady stream of theories emerged that were later debunked and ruled inconclusive. “How the industry responded was a disaster,” Kamluk said. “There was too much finger pointing with no certainty. ”
Kamluk likened the false flag to a criminal planting someone else’s DNA at a crime scene. “All this demonstrates how much effort attackers are willing to spend in order to stay unidentified for as long as possible,” he said.
Beyond the Lazurus false flag, researchers said Russian-speaking cyber espionage group Sofacy (also known as Fancy Bear and APT28) was also imprecisely implicated in the attack. Other bits of malware code linked Chines-affiliated cyber espionage groups APT3 (Gothic Panda), APT10 (MenuPass Group), and APT12 (IXESHE).
One gave “a 100 percent match with previously known Lazarus malware components and no overlap with any other clean or malicious file known to date to Kaspersky Lab,” researchers said. Upon a closer look “researchers concluded that the features’ ‘fingerprint’ is a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found ‘smoking gun’ evidence, knocking them off the trail to more accurate attribution.”
Researchers credit their new findings on the worm-like nature of Olympic Destroyer and its ability to collect host names as it propagated and infected other systems. That meant malware samples offered clues as to where and what systems were previously targeted – helping researchers map out the malware’s journey.
Kamluk said the tricky nature of assigning attribution in the Olympic Destroyer malware case is endemic of larger industry-wide attribution challenges.
Despite the lack of attribution, Kaspersky researchers sifting through code fragments did hit on a possible clue to who (not where) was behind the attack. Researchers said a mysterious “magic number” was found in an obtuse malware function code that when put in hexadecimal format spelled “Deef Bad 7”.
“This could be random, but it appears to be a tiny little message or way the author wanted to be recognized in this attack and future ones,” Kamluk said.
Other clues included three possible malware “ground zero” infection points that included the PyeongChang Olympic webite, the French cloud provider Atos that maintained the site, or a third-party contractor who managed ski resort automation software for PyeongChang and other nearby ski areas.
Researchers believe the threat actor laid the groundwork for the attack in December with a spear phishing campaign targeting the official sponsors of the Olympic games.
“We might not know for some time who was behind the Olympic Destroyer malware,” Kamluk said. “Time is an often powerful tool for determining attribution.”