Report: Destructive Malware Used to Target Olympic Infrastructure
Researchers said Monday the Olympics were hit by new and destructive data-wiping malware last week.
When reports came out over the weekend that computer systems at this year’s Olympic Games in Pyeongchang were hit by a cyberattack, it was unclear whether anything substantive about the attack would come to light quickly, especially given the difficulties of attribution, the geopolitics at play, and the fact that the Olympics, a worldwide spectacle, had only started three days earlier.
On Monday, however, researchers said with "moderate confidence" that they have identified malware samples used in the attack. According to researchers with Cisco’s Talos Group, the malware, dubbed Olympic Destroyer, isn’t designed to steal data; it’s designed to sabotage machines.
Olympic Destroyer "aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment," Warren Mercer and Paul Rascagneres, researchers with the firm, said Monday morning.
PsExec, a legitimate Windows utility that lets users execute command line processes on remote machines, was integral to last summer's ExPetr/NotPetya ransomware attacks. WMI, Windows Management Instrumentation, another Windows component that can be used to gather computer system statistics, monitor system health, and manage system components, also figured into last fall’s BadRabbit ransomware campaign.
According to the researchers, Olympic Destroyer can move from machine to machine on a network to destroy data. By leveraging cmd.exe, the Windows command-line interpreter, the malware deletes shadow copies via vssadmin, a Windows utility that ransomware authors have targeted over the last several years to make recovery of systems nearly impossible.
The malware also meddles with other means of data recovery, such as the Windows command-line tools WBAdmin and BCDEdit.
Compromising BCDEdit, which helps manage boot configuration data, essentially tells Windows’ recovery console not to repair anything on the host upon booting up, something that makes recovery “extremely difficult,” according to Mercer and Rascagneres.
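The recovery-inhibition behaviour described above (vssadmin, WBAdmin and BCDEdit launched from cmd.exe, plus WMI used for remote execution) leaves a recognisable trail in process-creation telemetry. The following detector is an added example written for this article, not Talos code; the log format, host names and rule names are constructed for illustration, and the command-line patterns reflect how those Windows utilities are commonly invoked rather than anything quoted from the report.

```python
import re
from dataclasses import dataclass

# Detection rules for the recovery-wiping and remote-execution behaviour described
# in the article. Regexes are constructed for this example; tune them to your own
# telemetry (Sysmon Event ID 1, Windows 4688, EDR process events).
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "psexec_remote_exec": re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I),
    "wmi_remote_process": re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I),
}

@dataclass
class Alert:
    host: str
    rule: str
    command_line: str

def parse_event(line):
    # Constructed log format: "host=<name> parent=<exe> cmd=<command line>"
    m = re.match(r"host=(\S+)\s+parent=(\S+)\s+cmd=(.*)$", line)
    if not m:
        return None
    return {"host": m.group(1), "parent": m.group(2).lower(), "cmd": m.group(3)}

def scan(lines):
    """Return one Alert per (event, matching rule); benign events produce nothing."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                alerts.append(Alert(ev["host"], name, ev["cmd"]))
    return alerts

def hosts_with_recovery_wiped(alerts):
    """Hosts that hit two or more recovery-inhibition rules: the wiper pattern, not a lone admin command."""
    recovery_rules = {"shadow_copy_deletion", "backup_catalog_deletion", "boot_recovery_disabled"}
    per_host = {}
    for a in alerts:
        if a.rule in recovery_rules:
            per_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= 2)

SAMPLE_LOG = [  # constructed events; ws02 shows benign bcdedit/notepad use that must not alert
    "host=ws01 parent=cmd.exe cmd=vssadmin.exe delete shadows /all /quiet",
    "host=ws01 parent=cmd.exe cmd=wbadmin.exe delete catalog -quiet",
    "host=ws01 parent=cmd.exe cmd=bcdedit.exe /set {default} recoveryenabled no",
    "host=ws02 parent=services.exe cmd=bcdedit.exe /enum",
    "host=ws02 parent=explorer.exe cmd=notepad.exe report.txt",
    'host=ws03 parent=cmd.exe cmd=wmic.exe process call create "cmd.exe /c example.exe"',
]
```

Correlating several recovery-inhibition rules per host, as `hosts_with_recovery_wiped` does, separates a wiper from an administrator legitimately cleaning up old shadow copies.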
“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. The sole purpose of this malware is to perform destruction of the host and leave the computer system offline,” the researchers wrote Monday.
Mercer and Rascagneres said they weren't sure how the malware infected systems, but said it could have been done in a handful of ways, such as via a binary file. If the attacker was already on the network, they added, it could also have been done remotely.
British newspaper The Guardian reported on Saturday that WiFi and some televisions at Pyeongchang Olympic Stadium and the press center stopped working before the opening ceremony on Friday. The website belonging to the Olympic Games was also briefly offline, according to the report, which made it impossible for users to print tickets for events. Organizers confirmed on Sunday that the games were targeted by attackers but declined to provide any details about the incident. Olympic Games spokesperson Sung Baik-you said officials were looking into the incident and rejected claims that Russia, which had penalties imposed on its athletes following a massive doping scandal, was behind the attack.
“They [Russia] know what happened and this is a usual thing during the Olympic Games. We are not going to reveal the source,” Baik-you told the publication. “We are taking secure operations and, in line with best practice, we’re not going to comment on the issue because it is an issue that we are dealing with.”
Destructive malware attacks have grown with alarming frequency over the last several years. Attacks have increasingly targeted critical infrastructure firms, specifically those in the aerospace, petrochemical and energy sectors.
The FBI first warned of the threat in 2014, following the hack into Sony Pictures Entertainment's network that December. The U.S. Federal Financial Institutions Examination Council (FFIEC) sent a notice to businesses warning of the threat a year later.
The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned about the trend last March and gave details on wipers such as DarkSeoul, KillDisk, and Destover.
It was practically inevitable the Olympics would be targeted by hackers. The New York Times' Nicole Perlroth reported last week that 300 machines connected to the Olympic systems had been hit before the event even started and that officials in South Korea were already anticipating further attacks.