Olympic Destroyer, Rev. 1
Hours before the 2018 Winter Olympics in February 2018 the computing systems of several high-profile Olympics sponsors, organizers, and facility operators were infected with malware that spread worm-like through their networks. That malware, dubbed OlympicDestroyer (OD), was found to be a computer worm that was a Wiper. Wipers are a class of malware that destroys data in file systems and The threat actors apparently wanted to disrupt the Olympics and destroy as many of the computing systems and infrastructure facilities as was possible. According to published reports from Talos, LastLine, SecureList and others, the computer services operator Atos was infected, as was the Olympic Organizing Committee and an unnamed ski lodge. The Worm wreaked havoc, temporarily, but, the Olympics did proceed as planned.
The attack strategy was a familiar one. At least a month before the Olympics began the threat actors began a sophisticated email spearphishing campaign with an Olympics-themed subject line and a weaponized Microsoft Word document loaded with a macro. A second infection vector contained a weaponized graphic image that targeted Korean-language users of Microsoft Office Neo. Once someone within a network either opened the Word document or viewed the weaponized image the binary was downloaded to the victim machine and the malware began its journey through the victim network.
The initial infection was used as a launchpad into the network. Before completely wiping the files and shadow copies of a system a child process of OlympicDestroyer would collect all of credentials on the system from both the Windows shares and the browser. Those credentials were then deployed, along with a new instance of the malware, to other vulnerable machines on the network. This was accomplished by OD by “living off the land”…. That is, by using a legitimate tool from the internal administrative toolset included with Windows called PsExec. The threat actors are able to hide in plain sight by moving through a network with this tool.
After about a month of sustained spearphishing at least three victim networks were infected. The OD launched a few hours before the opening ceremony to ensure maximum damage and cause chaos at that critical time.
Olympic Destroyer Rev. 2
You may say that this is old news. But, no, it is not. The Olympic Destroyer Rev. 2 is now upon us. Only this time the target is an upcoming conference in Switzerland in September 2018 on biochemical warfare. The Spiez CONVERGENCE 2018
“intends to inform participants about latest advances on chemistry making biology and biology making chemistry, as well as the adoption of such advances by the bio-technology and chemistry industries.”
Importantly the discussion of biological arms control is at the top of the agenda.
Sports Events as an Early Warning System
It is a cliché to speak of the canary in the mine, however, it appears now that high-profile global sports events are the new canary for threat actor actions. I don’t like the direction this one is going.