Researchers Find New Twists In ‘Olympic Destroyer’ Malware

Researchers now believe the attackers may have had prior access to the Games' networks and that the malware was more sophisticated than originally believed.

Researchers have uncovered new wrinkles in the “Olympic Destroyer” malware attack that targeted the Winter Olympics in Pyeongchang, South Korea.

Cisco Talos researchers now believe the malware also wipes files on shared network drives; originally they believed it only targeted individual endpoints. They also now believe the credential-stealing component of the malware is more dynamic than originally thought.

Olympic Destroyer was deployed during the Games' opening ceremony on Feb. 9 and is blamed for disrupting TV broadcasts of the event and taking down the official Winter Games website. The impact was far reaching: attendees were unable to print tickets, and the WiFi network made available to journalists covering the opening ceremony went down.

Researchers at Cisco's Talos unit said the sole purpose of the attack was to take down systems, not to steal information.

Olympic Destroyer's goal is to make systems unusable by “deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment,” in similar fashion to the Bad Rabbit and Nyetya (NotPetya) ransomware, Cisco Talos initially wrote.
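The three behaviours in that sentence (shadow-copy deletion, event-log clearing, and PsExec/WMI lateral movement) are all visible in ordinary process-creation telemetry, which makes them a practical detection target. The script below is an added example, not Talos's code or anything taken from the malware: it runs simple rules over a handful of constructed Sysmon-style process events and flags a host as showing a wiper pattern only when two or more distinct destructive behaviours occur within a short window, so that a single scheduled `vssadmin` run on a backup server does not fire on its own. The specific command lines matched (`vssadmin delete shadows`, `wbadmin delete catalog`, `wevtutil cl`, `psexec`/`PSEXESVC`, `wmic ... process call create`) are common ways of implementing those behaviours and are assumptions here; the article does not quote the exact commands used.

```python
"""Rule-based detection of wiper-style behaviour in process-creation events.

Added example: the events below are constructed in a simplified Sysmon
Event ID 1 shape and are not telemetry from the Pyeongchang incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # WS01: the destructive sequence followed by outbound lateral movement.
    {"host": "WS01", "time": "2018-02-09T20:00:01", "parent": "cmd.exe",
     "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "time": "2018-02-09T20:00:02", "parent": "cmd.exe",
     "image": "wbadmin.exe", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "WS01", "time": "2018-02-09T20:00:03", "parent": "cmd.exe",
     "image": "wevtutil.exe", "cmdline": "wevtutil.exe cl System"},
    {"host": "WS01", "time": "2018-02-09T20:00:03", "parent": "cmd.exe",
     "image": "wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "time": "2018-02-09T20:00:10", "parent": "cmd.exe",
     "image": "psexec.exe",
     "cmdline": r"psexec.exe \\WS02 -accepteula -d -s cmd.exe /c C:\Windows\Temp\x.exe"},
    {"host": "WS01", "time": "2018-02-09T20:00:12", "parent": "cmd.exe",
     "image": "wmic.exe",
     "cmdline": r"wmic /node:WS03 /user:DOMAIN\admin process call create C:\Windows\Temp\x.exe"},
    # WS02: receiving end of PsExec (service binary started by services.exe).
    {"host": "WS02", "time": "2018-02-09T20:00:11", "parent": "services.exe",
     "image": "PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    # WS03: receiving end of WMI (WmiPrvSE.exe spawning the payload).
    {"host": "WS03", "time": "2018-02-09T20:00:13", "parent": "WmiPrvSE.exe",
     "image": "x.exe", "cmdline": r"C:\Windows\Temp\x.exe"},
    # BACKUP01: a lone scheduled shadow-copy cleanup hours earlier; benign alone.
    {"host": "BACKUP01", "time": "2018-02-09T03:00:00", "parent": "svchost.exe",
     "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /for=D: /oldest"},
]

# Command-line patterns; matched against "image cmdline" so the image name counts too.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "psexec": re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I),
    "wmi_remote_exec": re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I),
}
DESTRUCTIVE = {"shadow_copy_deletion", "backup_catalog_deletion", "event_log_clearing"}


def classify(event):
    """Return the set of behaviour tags a single event matches."""
    text = f"{event['image']} {event['cmdline']}"
    tags = {name for name, rx in RULES.items() if rx.search(text)}
    # Target-side WMI execution: the WMI provider host is the parent of the payload.
    if event["parent"].lower() == "wmiprvse.exe":
        tags.add("wmi_spawned_process")
    return tags


def detect(events, window=timedelta(minutes=5)):
    """Group tagged events per host and decide which hosts show the wiper pattern.

    A host is flagged when at least two distinct DESTRUCTIVE behaviours fall
    within `window` of each other. Returns {host: {"tags": set, "wiper_pattern": bool}}.
    """
    per_host = defaultdict(list)
    for e in events:
        tags = classify(e)
        if tags:
            per_host[e["host"]].append((datetime.fromisoformat(e["time"]), tags))
    report = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        all_tags = set().union(*(t for _, t in hits))
        wiper = False
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, tags in hits[i:]:
                if t - t0 > window:
                    break
                seen |= tags & DESTRUCTIVE
            if len(seen) >= 2:
                wiper = True
                break
        report[host] = {"tags": all_tags, "wiper_pattern": wiper}
    return report


if __name__ == "__main__":
    for host, r in sorted(detect(SAMPLE_EVENTS).items()):
        print(host, "WIPER" if r["wiper_pattern"] else "info", sorted(r["tags"]))
```

Run as-is it prints WS01 as the only WIPER host; WS02, WS03 and BACKUP01 come out as informational hits. The two-behaviour-in-a-window rule is the part worth keeping when you port this to a real SIEM: each individual command has legitimate administrative uses, but shadow-copy deletion, backup-catalog deletion and log clearing within seconds of each other, followed by PsExec or WMI to other hosts, is the sequence the article describes.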

Olympic Destroyer includes a binary that targets machines with a pair of “stealing modules.” One grabs user credentials stored by the Internet Explorer, Firefox and Chrome browsers, and the other pulls them from the Windows Local Security Authority Subsystem Service (LSASS), the process that handles local authentication and enforces security policy. “The malware parses the registry and it queries the sqlite file in order to retrieve stored credentials,” Talos said.
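For incident responders the immediate question after a browser-credential stealer runs is which accounts were exposed and need rotating. The script below is an added example, not code from Talos or from the malware: it builds a constructed stand-in for the `logins` table in Chrome's "Login Data" SQLite file, then reads a copy of it read-only and inventories the saved logins without touching the password blobs. Only the columns it uses (`origin_url`, `username_value`, `password_value`, `date_created`) are reproduced, and the rows and file name are made up for the example. On a real Windows host `password_value` is protected with DPAPI in the logged-on user's context, which is why a stealer of this kind has to run as that user; for triage the origin, username and save time are what matter.

```python
"""Inventory saved browser logins from a copy of a Chrome "Login Data" file.

Added example with a constructed, reduced-schema database; not the malware's
code and not a complete reproduction of Chrome's real table.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta

# Reduced schema: the real `logins` table has many more columns.
SCHEMA = """
CREATE TABLE logins (
  origin_url     TEXT NOT NULL,
  username_value TEXT,
  password_value BLOB,
  date_created   INTEGER
);
"""

# Chrome stores timestamps as microseconds since 1601-01-01 (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1)


def webkit_to_datetime(us):
    """Convert a WebKit microsecond timestamp to a naive UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime; used only to build the sample rows."""
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def build_sample_login_data(path):
    """Write a constructed Login Data file with three saved logins."""
    placeholder_blob = b"\x01\x00\x00\x00DPAPI-BLOB"  # stands in for the encrypted value
    rows = [
        ("https://intranet.example.org/login", "j.doe", placeholder_blob,
         datetime_to_webkit(datetime(2018, 1, 15, 9, 30))),
        ("https://mail.example.org/", "j.doe", placeholder_blob,
         datetime_to_webkit(datetime(2018, 2, 1, 12, 0))),
        ("https://vendor-portal.example.net/", "jdoe@example.org", placeholder_blob,
         datetime_to_webkit(datetime(2018, 2, 5, 17, 45))),
    ]
    con = sqlite3.connect(path)
    try:
        con.executescript(SCHEMA)
        con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", rows)
        con.commit()
    finally:
        con.close()


def exposed_credentials(path):
    """Open a copy of Login Data read-only and list what a stealer could reach.

    Passwords stay opaque: the goal is to know which accounts were saved on the
    host so they can be rotated, not to decrypt anything.
    """
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        cur = con.execute(
            "SELECT origin_url, username_value, length(password_value), date_created "
            "FROM logins ORDER BY date_created"
        )
        return [
            {"origin": url, "username": user, "blob_len": n,
             "saved": webkit_to_datetime(ts).isoformat()}
            for url, user, n, ts in cur
        ]
    finally:
        con.close()


def demo():
    """Build the sample file in a temp location, inventory it, and clean up."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_login_data(path)
        return exposed_credentials(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['saved']}  {row['username']:20s}  {row['origin']}")
```

When used against a real evidence copy, point `exposed_credentials` at the copied file rather than the live profile: Chrome holds a lock on the live database, and the `mode=ro` URI keeps the copy unmodified. The same per-origin listing, joined against the LSASS-derived account list Talos describes, gives the rotation list for the affected user.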

In a tweet, Talos researcher Craig Williams noted that Talos's analysis of the attack also suggests a “prior compromise” of targeted Olympic Games systems. “Our post has been updated to include the impact on network shares – Shocker – they are effectively wiped: Olympic Destroyer Takes Aim At Winter Olympics with indications of prior compromise,” he wrote.

Talos's updated blog post notes, “the malware author knew a lot of technical details of the Olympic Game infrastructure such as usernames, domain name, server names and obviously passwords.”

When researchers took a closer look at the Olympic Destroyer binaries associated with the attack, they discovered that newly harvested credentials were added to the code with each infection.

“A new version of the binary is generated with the newly discovered credentials,” Talos wrote in an update first noted by BleepingComputer. “This new binary will be used on the new infected systems via the propagation. This feature explains why we discovered several samples with different sets of credentials that were collected from previously infected systems.”

However, the method by which the malware was delivered remains unknown, Talos added: “If the attacker already had access to the environment, this attack could have been carried out remotely. This would allow the actors to specifically pinpoint the moment of the opening ceremony and would allow them to control their time of impact.”

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” the report stated.
