Olympic Destroyer

Destructive malware intent on sabotaging PCs is to blame for the IT problems reported during the PyeongChang 2018 Winter Olympics opening ceremony.

The issues, first reported on Friday by UK paper The Guardian, consisted of failing Internet and television systems for on-site journalists attending and reporting the opening ceremony.

While Olympics organizers were initially quiet, officials finally admitted on Sunday that the IT failures were no accident and that their network had been the victim of a malicious and coordinated cyber-attack.

Malware does not try to steal data from compromised hosts

New details about these attacks came to light earlier today when security researchers from Cisco's Talos division published new research on the malware used by attackers.

According to Cisco researchers, attackers deployed a never-before-seen malware strain that was intent on data destruction and data destruction only.

"There does not appear to be any exfiltration of data," Cisco Talos researchers Warren Mercer and Paul Rascagneres said about this malware, which they named Olympic Destroyer. "The samples analysed appear to perform only destructive functionality."

"The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya," Mercer and Rascagneres added.

How a destructive attack takes place

Cisco has an in-depth analysis of this threat, but we summarized an Olympic Destroyer attack below, in easy-to-understand steps:

- Hackers drop Olympic Destroyer on a system (the initial method of compromise is currently unknown).
- Olympic Destroyer deploys two files (a browser credentials stealer and a system credentials stealer).
- The browser credentials stealer gathers credentials from Internet Explorer, Firefox, and Chrome.
- The system credentials stealer gathers credentials from the Windows LSASS (Local Security Authority Subsystem Service) with a technique similar to that used by Mimikatz.
- Olympic Destroyer samples also come with a list of hardcoded credentials. The malware generates a new binary for itself in which the newly harvested credentials are added to the pre-existing list of hardcoded credentials.
- Olympic Destroyer checks the ARP table for local hosts.
- Olympic Destroyer uses WMI to find other hosts on the same network.
- Olympic Destroyer spreads to other hosts via stolen credentials and the hardcoded credentials stored within its binary (by employing the legitimate PsExec tool and by deploying the newly generated binary on new victim hosts).
- Destructive behavior begins on the original host by using VSSAdmin to delete shadow volume copies (hinders future data recovery).
- Olympic Destroyer uses cmd.exe and WBAdmin.exe to quietly delete the OS system backup catalog (hinders future data recovery).
- Olympic Destroyer uses cmd.exe and BCDEdit.exe to disable the pre-boot Windows recovery console (the OS does not attempt to repair itself).
- Olympic Destroyer deletes the System and Security Windows event logs to hide its tracks.
- Olympic Destroyer disables all Windows services on the PC.
- Olympic Destroyer lists mapped file shares and wipes writable files on each share.
- Olympic Destroyer shuts down the machine, leaving it unable to start.
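The recovery-inhibition steps above (shadow copy deletion, backup catalog deletion, disabling the recovery console, clearing the System and Security event logs) each leave a process-creation record that a defender can match on, and the real signal is several of them firing on one host within minutes. The script below is an added example written for this article, not code from Cisco Talos or from the malware: it runs simple command-line rules over a constructed, pipe-delimited process log (the log lines, host names and the exact command-line strings are assumptions, not indicators from the report) and flags any host where three or more distinct steps of the chain occur inside a ten-minute window.

```python
"""Detect the wiper-style recovery-inhibition chain on a process-creation log.
Log format (constructed for this example): time|host|user|command line."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One rule per destructive step named in the article; regexes are
# case-insensitive and written to ignore benign use of the same tools
# (e.g. "vssadmin list shadows" or "wbadmin start backup" do not match).
RULES = [
    ("shadow_copy_deletion",     r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("backup_catalog_deletion",  r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("recovery_console_disabled",
     r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("event_log_cleared",        r"wevtutil(\.exe)?\s+cl\s+(system|security)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Constructed sample log: one workstation running the full chain, plus two
# legitimate administrative actions that must not be flagged.
SAMPLE_LOG = """\
2018-02-09T20:01:05|press-ws-17|MEDIA\\svc_deploy|C:\\Windows\\system32\\vssadmin.exe delete shadows /all /quiet
2018-02-09T20:01:06|press-ws-17|MEDIA\\svc_deploy|wbadmin.exe delete catalog -quiet
2018-02-09T20:01:07|press-ws-17|MEDIA\\svc_deploy|bcdedit.exe /set {default} recoveryenabled no
2018-02-09T20:01:08|press-ws-17|MEDIA\\svc_deploy|wevtutil.exe cl System
2018-02-09T20:01:08|press-ws-17|MEDIA\\svc_deploy|wevtutil.exe cl Security
2018-02-09T09:15:00|backup-srv-01|MEDIA\\backupadmin|wbadmin.exe start backup -backupTarget:E: -include:C:
2018-02-09T11:30:00|it-ws-03|MEDIA\\helpdesk|vssadmin.exe list shadows
"""


def parse_line(line):
    """Split one pipe-delimited record; the command line may itself contain '|'."""
    ts, host, user, cmd = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def match_rules(event):
    """Names of every rule whose regex matches the event's command line."""
    return [name for name, rx in COMPILED if rx.search(event["cmd"])]


def analyze(log_text, window=timedelta(minutes=10), threshold=3):
    """Return (per-event hits, hosts flagged for a wiper-like chain).

    hits    : list of (host, rule name, command line) for every matching event
    flagged : {host: sorted distinct rule names} for hosts where at least
              `threshold` distinct steps occur within `window` of each other
    """
    hits = []
    per_host = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for name in match_rules(ev):
            hits.append((ev["host"], name, ev["cmd"]))
            per_host[ev["host"]].append((ev["time"], name))

    flagged = {}
    for host, events in per_host.items():
        events.sort()
        # Slide a window starting at each event; count distinct steps inside it.
        for t0, _ in events:
            names = {n for t, n in events if t0 <= t <= t0 + window}
            if len(names) >= threshold:
                flagged[host] = sorted(names)
                break
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = analyze(SAMPLE_LOG)
    for host, name, cmd in hits:
        print(f"{host}: {name}: {cmd}")
    for host, steps in flagged.items():
        print(f"ALERT {host}: {len(steps)} distinct recovery-inhibition steps: {', '.join(steps)}")
```

The per-rule hits are useful on their own, but the threshold keeps a lone administrator who deletes old shadow copies from raising an alert; the same correlation idea applies to Sysmon event 1 or Windows 4688 records once the command line is extracted from them.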

Murky attribution, as always

As for attribution, things are murky, as they have always been when it comes to cyber-espionage operations. The two most obvious culprits are North Korea (South Korea and North Korea are still technically at war, and North Korea has a long history of hacking its southern neighbor) and Russia (the IOC has recently banned a large number of Russian athletes from participating in the Olympics).

Nonetheless, some observers will be quick to embrace the idea that this is most likely a Russian cyber operation.

The reasons are plenty, starting with a Twitter account that many believe is operated by Russian intelligence and which has recently dumped large amounts of hacked information in an attempt to smear the International Olympic Committee following their ban of Russian athletes.

Further, Olympic Destroyer and Bad Rabbit both use hardcoded credentials for lateral movement, an obvious clue that links the two strains together, at least at the M.O. level.

Last year, Ukrainian intelligence and a CIA report linked the NotPetya and Bad Rabbit ransomware outbreaks to Russian intelligence operations, and voices will be quick to point out that Olympic Destroyer is a more refined version of Bad Rabbit.

But things aren't as clear as they look. For example, Jay Rosenberg of Intezer Labs told Bleeping Computer earlier today that the malware's code has more links to cyber tools used by Chinese hackers in the past than to those of North Korea or Russia.

"Intezer has found, both in the malware targeting the Olympics from the report published by McAfee and in the report by Cisco Talos, that there are several minor code connections to known Chinese threat actors," Rosenberg told Bleeping Computer, also adding that his company will release a more in-depth report later on, as they have more time to analyze the samples unearthed by Cisco Talos researchers.

Two weeks ago, McAfee researchers published a report on a different strain of PowerShell-based malware that was used to target Olympics organizers before the event's start.

Article updated with new information on Olympic Destroyer's file-wiping and binary mutation capabilities.
