Sports Events: An Early Warning System for Cyber Attacks

OlympicDestroyer is Back and the Target Should Concern Us All

Olympic Destroyer, Campaign1

Hours before the 2018 Winter Olympics in February 2018, the computing systems of several high-profile Olympics sponsors, organizers, and facility operators were infected with malware that spread worm-like through their networks. That malware, dubbed OlympicDestroyer (OD), was found to be a computer worm that acted as a wiper. Wipers are a class of malware that destroys data in file systems and on endpoints. The threat actors apparently wanted to disrupt the Olympics and destroy as many computing systems and infrastructure facilities as possible. According to published reports from Talos, LastLine, SecureList and others, the computer services operator Atos was infected, as were the Olympic Organizing Committee and an unnamed ski lodge. The worm temporarily wreaked havoc, but the Olympics did proceed as planned.

The attack strategy was a familiar one. At least a month before the Olympics began, the threat actors started a sophisticated email spearphishing campaign with an Olympics-themed subject line and a weaponized Microsoft Word document loaded with a macro. A second infection vector contained a weaponized graphic image that targeted Korean-language users of Microsoft Office Neo. Once someone within a network either opened the Word document or viewed the weaponized image, the binary was downloaded to the victim machine and the malware began its journey through the victim network.

The initial infection was used as a launchpad into the network. Before completely wiping the files and shadow copies of a system, a child process of OlympicDestroyer would collect all of the credentials on the system from both the Windows shares and the browser. Those credentials were then deployed, along with a new instance of the malware, to other vulnerable machines on the network. OD accomplished this by “living off the land”, that is, by using a legitimate tool from the internal administrative toolset included with Windows called PsExec. The threat actors are able to hide in plain sight by moving through a network with this tool.
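One way a defender could spot the PsExec-driven spread described above, as an added example that is not part of the original post: it flags any account whose PsExec service installs land on several hosts within a short window. The event records are constructed and simplified from Windows event 7045; the function name, record layout and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (time, host, event_id, service, account),
# simplified from Windows System-log event 7045 "A service was installed".
SAMPLE_EVENTS = [
    ("2024-01-15T10:00:05", "WS-01", 7045, "PSEXESVC", "CORP\\svc-backup"),
    ("2024-01-15T10:01:40", "WS-02", 7045, "PSEXESVC", "CORP\\svc-backup"),
    ("2024-01-15T10:03:12", "FS-01", 7045, "PSEXESVC", "CORP\\svc-backup"),
    ("2024-01-15T10:04:30", "WS-07", 7045, "PSEXESVC", "CORP\\svc-backup"),
    ("2024-01-15T09:00:00", "WS-03", 7045, "PSEXESVC", "CORP\\jlee"),  # routine admin
    ("2024-01-15T14:00:00", "WS-03", 7045, "PSEXESVC", "CORP\\jlee"),
    ("2024-01-15T11:00:00", "WS-04", 7045, "PSEXESVC", "CORP\\helpdesk"),
    ("2024-01-15T11:02:00", "WS-05", 7045, "PSEXESVC", "CORP\\helpdesk"),
    ("2024-01-15T10:02:00", "WS-01", 7045, "UpdaterSvc", "CORP\\svc-backup"),  # not PsExec
]

def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: [hosts]} for accounts whose PsExec service installs
    reach at least min_hosts distinct hosts within one time window."""
    by_account = defaultdict(list)
    for time, host, event_id, service, account in events:
        # PSEXESVC is PsExec's default service name; a renamed service
        # would need a different match (assumption of this example).
        if event_id == 7045 and service.upper() == "PSEXESVC":
            by_account[account].append((datetime.fromisoformat(time), host))
    flagged = {}
    for account, installs in by_account.items():
        installs.sort()
        # Slide the window start over each install and count distinct hosts.
        for i, (start, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for account, hosts in psexec_fanout(SAMPLE_EVENTS).items():
        print(f"{account}: PsExec service installed on {len(hosts)} hosts: {hosts}")
```

Routine single-host administration and small helpdesk sessions stay below the default threshold, while one account reaching many hosts in minutes stands out.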

After about a month of sustained spearphishing, at least three victim networks were infected. OD launched a few hours before the opening ceremony to ensure maximum damage and cause chaos at that critical time.

Olympic Destroyer Campaign2   

You may say that this is old news. But no, it is not. Olympic Destroyer Campaign2 is now upon us. Only this time, the target is an upcoming conference in Switzerland in September 2018 on biochemical warfare. The conference:

“intends to inform participants about latest advances on chemistry making biology and biology making chemistry, as well as the adoption of such advances by the bio-technology and chemistry industries.”

Importantly, the discussion of biological arms control is at the top of the agenda. Come and hear about this latest campaign using the Olympic Destroyer infection vectors and malware.

Please register for Olympic Destroyer Campaign2 on Aug 13, 2018 6:00 PM Eastern Daylight Time at:

This time, the targeting is much more dangerous: biochemical warfare specialists, laboratories, policy-makers, and global conference participants in the Spiez CONVERGENCE, a conference coming up in September on biochemical warfare agents. This case study serves as an ideal example for illustrating the importance of cyber threat analysis and threat intelligence sharing.

After registering, you will receive a confirmation email containing information about joining the webinar.

An Early Warning System

It is a cliché to speak of the canary in the mine; however, it now appears that high-profile global sports events are the new canary for threat actor actions.

I don’t like the direction this one is going.
