Olympic Destroyer, the threat actor that caused a crippling sabotage attack on the networks supporting this year’s Winter Games in Pyeongchang, South Korea, has resurfaced with a spy campaign – and with a wider target range.
The new campaign began last month and is ongoing, employing spear-phishing documents that share much in common with the weaponized documents used in the Olympics attack. According to analysis from Kaspersky Lab, these indicators – such as using a non-binary executable infection vector and obfuscated scripts to evade detection – point to the same group being behind both attacks.
Now, however, the group is targeting financial organizations in Russia, and, of concern, biological and chemical threat prevention laboratories in Europe and Ukraine.
New Victim Profiles
Kaspersky Lab researchers examined some of the phishing lures to find out more about the targets, based on decoy documents, email subjects and file names. For instance, two of the decoy documents reference the Salisbury poison attack on Russian double agent Sergey Skripal and his daughter in London earlier this year.
One of the documents observed in the attacks references the nerve agent used to poison them; another references Spiez Convergence, a biochemical threat research conference held in Switzerland. The sponsor, Spiez Laboratory, was involved in the Skripal attack investigation.
“Further analysis of other related files suggests that the target of [yet another] document is working in the biological and epizootic threat prevention field,” Kaspersky researchers said in a post published Tuesday.
The lures also suggest that they were “probably prepared with the help of a native [Russian] speaker and not automated translation software,” researchers noted. For instance, one of the documents included a lure image with perfect Russian language in it, and the Cyrillic messages inside this and previous documents are in perfect Russian.
There are ties to the Ukraine too. For instance, once the user enables the macro, a decoy document is displayed, taken very recently from the official website of the Ukrainian Ministry of Health.
These could all be red herrings however – during the Pyeongchang attacks, Olympic Destroyer planted several false flags meant to confuse and misdirect attribution efforts. Various aspects were calculated to make the threat actor look like the Lazarus APT, which is widely believed to be associated with North Korea.
All of this makes it difficult to determine who is behind the latest Olympic Destroyer attacks.
“The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e., a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets,” researchers noted. “This could also be a result of cyberattack outsourcing, which is not uncommon among nation-state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this.”
Kaspersky Lab said that various TTPs could point to the Sofacy/Fancy Bear APT, a well-known Russian-speaking gang, but that it can only assess this with “low-to-moderate confidence.”
A Sophisticated Actor
In any event, the shadowy group behind the attacks brings a sophisticated level of expertise to its kill chain. The infection procedure relies on multiple different technologies – mixing VBA code, Powershell, MS HTA and JScript – and is unique enough to act as further evidence for a relationship with the Olympics attack.
It starts with an embedded malicious macro in the spear-phishing document that is heavily obfuscated, the researchers noted, with a randomly-generated variable and function name. Its purpose is to execute a Powershell command.
“This VBA code was obfuscated with the same technique used in the original Olympic Destroyer spear-phishing campaign,” the researchers said. “The obfuscator is using array-based rearranging to mutate original code, and protects all commands and strings, such as the command and control (C2) server address. There is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.”
This Powershell script also disables logging in order to avoid leaving traces, and it goes on to decrypt additional payloads downloaded from Microsoft OneDrive. The decryption relies on a hardcoded 32-byte ASCII hexadecimal alphabet key – another technique used in the Olympics attack.
After another round of Powershell scripting and decrypting, the final payload is the Powershell Empire agent, which allows fileless control of the compromised hosts for lateral movement and information-gathering.
Spy Today, Destroy Tomorrow
The fact that the payload is a cyberespionage tool suggests that the actors are in a reconnaissance phase. Unfortunately, this could be a prelude to something much worse, if past is prologue.
“Olympic Destroyer was a cyber-sabotage attack based on the spread of a destructive network worm,” the researchers said. “The sabotage stage was preceded by reconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware.”
That larger cyber-sabotage stage was meant to “destroy and paralyze infrastructure of the Winter Olympic Games, as well as related supply chains, partners and even venues at the event location.” It’s possible that the same pattern will play out here.
Kaspersky Lab is advising all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.
“It’s no surprise that the actors behind successful cyberattacks that disrupted the Pyeongchang Olympics are now targeting other organizations,” said Aaron Higbee, CTO and co-founder of Cofense (formerly PhishMe), via email. “Regardless of the sector being targeted, phishing is a serious threat because it works, often making its way past stacks of expensive technology layers and email gateways to land in an unsuspecting user’s inbox. In this case, it appears that the attackers are likely using spear-phishing emails that look like they’re coming from a trusted source, a tactic our research has shown to be particularly successful.”