The Olympic Destroyer Attack, What it was and Why it Should Have Been Detected
By: Mackenzie Blaisdell
While millions of viewers tuned in to watch the Winter Olympics opening ceremony in Pyeongchang, something ominous was occurring behind the scenes. Similar to the extensive planning that the Olympians put into preparing for the Olympics, threat actors had conducted in-depth research and organized to put the games under attack. The attack wiped out internet access, shut down the official Pyeongchang 2018 website, grounded newscasters’ drones, and prevented attendees from printing out their tickets to attend the ceremony, resulting in a curiously high number of vacant seats.
Security experts and Olympic officials soon thereafter confirmed that the network issues that occurred during the ceremony were indeed caused by a cyberattack. Though the systems were stabilized by Sunday, this incident raised significant concerns for officials, athletes, and viewers worldwide – wondering what the next breach could potentially look like and how much damage would result.
Investigations revealed that the cybercriminals involved had been planning this attack for quite some time. Time stamps suggest that the cyberattack had been in the works since late last year, as the destructive payload that hit the event was found to be created on December 27, 2017.
The attack used hardcoded credentials embedded in a malware named Olympic Destroyer. Experts with Cisco’s Talos team claimed they found wiper malware possibly linked to the disruption.
Those who were responsible for the Olympic Destroyer most likely conducted a sweeping cyber-espionage operation against the Games prior to initiating the attacks. The malware required authentic login credentials to verified accounts of Olympics staff to rapidly disperse a destructive payload, which deletes files like shadow backups, boot configuration data (BCD), and event logs on infected machines.
Olympic Destroyer is unusual in the sense that creators engineered it to mirror and act like a computer worm, automatically probing for and stealing user credentials before moving to other systems for login attempts. It was specifically designed to spread rapidly within an enclosed, already compromised environment to plant a malicious payload with the ability to destroy data.
Experts still don’t know how hackers managed to acquire so much information from Olympic employees, though penetrating a key supply chain IT vendor could have possibly provided them with an opportunity to conduct valuable reconnaissance. Targeting a supply chain vendor that’s connected to a well-secured organization to penetrate the latter is a common strategy used by sophisticated cybercriminals.
The attackers had passwords, user accounts, and server names for the Olympic Games infrastructure. Cisco’s Talos team shared that they identified 44 individual accounts in the code. Samples of the “Olympic Destroyer” reveal the perpetrators did not attempt to steal valuable information but merely sought to perform “destructive” functions.
Although the malware used was designed to destroy data and cause mass computer failures, the Winter Olympic cyber attackers stopped short of doing so. Talos researchers noted that these hackers undoubtedly demonstrated an ability to bring the attack past the finish line, so why did they hold back? Some security experts suspect the hackers intentionally preserved systems to foreshadow their unfinished business and stir up trepidation.
Although officials have yet to point the finger at any potential actors, many speculate that Russian hackers were behind the disruptions. As many of us recall, Russia was banned from the Games this year as the result of a doping scandal. Some Russian athletes were banned from the games entirely, while a few are still allowed to compete as individuals under the Olympic flag.
The Russian Ministry of Foreign Affairs made an effort to pre-empt any allegations of Russian hacks on the Winter Olympic Games two days prior to the opening ceremony. The agency went on to accuse the press, Western governments, and InfoSec organizations of instigating an “information war” accusing Russians of cyber interference and sabotage.
Officials have long suspected that this year’s Games would present unique cybersecurity challenges. The opening ceremony attack may be the first of many the world will witness during this year’s Olympic Games. The unfortunate reality to this is that despite all of the innovation being applied to the Olympics, there was a lack of innovation being applied to cybersecurity defenses. Detection gaps in security infrastructure and inadequate controls for early threat detection left the Olympics exposed. Credential-based theft can be difficult to detect and when compounded by weak supplier controls, create the perfect opportunity for an attacker to penetrate and move quietly throughout the network in order to build their attack. The need to close this detection gap is a fundamental reason why ball clubs, auditoriums, and other entertainment facilities have adopted deception technology. Setting deception decoys and lures for an attacker is a tried and proven approach for early detection and deceiving an attacker into revealing themselves. This early detection removes the dwell time required to establish a foothold and escalate an attack.
Life has no absolutes, but I believe this attack could have been prevented if stronger detection controls had been in place. We have seen deception-based detection work reliably time and again with our customers at their major events. It may be too late for a change in security infrastructure this year and hopefully the internet connectivity issues and malfunctioning televisions are the worst we will see. That said, organizers should view this as a shot across the bow and the Olympics security team should start actively seeking out detection technology in order to amplify their cybersecurity defenses before the next round of attacks are attempted on the Games.