‘Olympic Destroyer’ Malware Behind Winter Olympics Cyberattack, Researchers Say

The malware’s sole purpose was to take down systems, not steal data, Cisco Talos researchers say.

Winter Olympics officials have confirmed that a cyberattack occurred during the games’ opening ceremony on Feb. 9, but are remaining mum on the source of the attack. Researchers say the attack employed malware, dubbed Olympic Destroyer, that was written with the sole intention of destroying systems, not to steal data.

“Maintaining secure operations is our purpose,” said International Olympic Committee (IOC) spokesman Mark Adams,” told Reuters. “We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure. ”

Researchers at Cisco Talos have “moderate confidence” they have identified the malware and are calling it Olympic Destroyer, according to a blog post.

“The infection vector is currently unknown as we continue to investigate,” the researchers wrote. “The samples identified, however, are not from adversaries looking for information from the games but instead they are aimed to disrupt the games. The samples analyzed appear to perform only destructive functionality. There does not appear to be any exfiltration of data.”

Its goal is to make devices unusable by “deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment,” in similar fashion to the Bad Rabbit and Nyeyta ransomwares, they wrote.

First, Olympic Destroyer delivers a binary containing multiple files to victimized machines. The malicious files are obfuscated and given randomly generated names, Talos said. At this time, is unclear how the binary is delivered, but multiple methods are possible, they added.

The binary contains two “stealing modules”. One steals credentials stored in Internet Explorer, Firefox and Chrome browsers. The second steals system credentials from Local Security Authority Subsystem Service using a method similar to that found in the open-source penetration testing tool Mimikatz, according to Talos.

Once the malware has infected systems hosting the site, it deletes all shadow copies on the system using the vssadmin.exe command. It also uses wbadmin.exe to destroy files, Talos notes: “This step is executed to ensure that file recovery is not trivial – WBAdmin can be used to recover individual files, folders and also whole drives so this would be a very convenient tool for a sysadmin to use in order to aid recovery.”

Third, the malware takes advantage of a command called BCDEdit, which is used to set up and tweak boot configurations on Windows machines. The malware’s actions “ensure that the Windows recovery console does not attempt to repair anything on the host,” Talos said.

“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable,” Talos added. “The sole purpose of this malware is to perform destruction of the host and leave the computer system offline.”

The cyberattack managed to take down the official Winter Olympics’ website on Feb. 9 for about 12 hours, leaving attendees unable to print tickets. It also affected the games’ television feeds.

The games are taking place in Pyeongchang, South Korea, about 50 miles from the North Korean border. North Korea is competing in the Olympics in a move that South Korean officials hope will help thaw the countries’ frosty relationship, and thus speculation on the cyberattackers’ identity hasn’t centered on North Korea.

In January, researchers at multiple companies reported that the Russia-linked Fancy Bear hacking group had been sending spearphishing emails with malicious Word documents to South Korean organizations as well as groups linked to the Olympics.

Russia’s foreign ministry issued a statement referring disdainfully to “pseudo-investigations” blaming the country for cyberattacks on the games, saying “no evidence would be presented to the world.” Talos’s investigation makes no claims about the attack’s origins.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.