Destructive malware intent on sabotaging PCs is to blame for the IT issues reported during the PyeongChang 2018 Winter Olympic Games opening ceremony.
The issues, initially reported on Friday by UK newspaper The Guardian, consisted of failing Web and TV systems for on-site journalists reporting on and attending the opening ceremony.
While Olympic Games organizers were initially quiet, officials eventually admitted on Sunday that the IT failures were no accident and that their network was the victim of a malicious and coordinated cyber attack.
Malware does not try to steal data from compromised hosts
New details about these attacks came to light earlier today, when security researchers from Cisco’s Talos division published research on the malware used by the attackers.
According to Cisco investigators, the attackers deployed a never-before-seen malware strain whose intent was data destruction and data destruction only.
“There doesn’t seem to be any exfiltration of data,” Cisco Talos researchers Warren Mercer and Paul Rascagneres said about the malware, which they named Olympic Destroyer. “The samples appear to carry out only destructive functionality.”
“The destructive nature of the malware intends to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have seen previously with BadRabbit and Nyetya,” Mercer and Rascagneres added.
How a destructive attack takes place
Cisco has an in-depth analysis of the threat, but we have outlined an Olympic Destroyer attack below, in easy-to-understand steps:
- Attackers drop Olympic Destroyer on a system.
- Olympic Destroyer drops two files.
- The browser credentials stealer gathers credentials from Internet Explorer, Mozilla Firefox, and Chrome.
- The system credentials stealer gathers credentials from the Windows LSASS process with a technique very similar to the one used by Mimikatz.
- Olympic Destroyer checks for local hosts in the ARP table.
- Olympic Destroyer uses WMI to discover other hosts on the same network.
- Olympic Destroyer spreads to other hosts using the stolen credentials and hardcoded credentials stored in its binary.
- Destructive behavior begins on the initial host by using VSSAdmin to delete shadow volume backups.
- Olympic Destroyer uses cmd.exe and WBAdmin.exe to quietly delete the OS backup catalog.
- Olympic Destroyer uses cmd.exe and BCDEdit.exe to disable the pre-boot Windows recovery console.
- Olympic Destroyer deletes the System and Security Windows event logs to hide its tracks.
- Olympic Destroyer disables all Windows services on the PC.
- Olympic Destroyer shuts down the machine, leaving it unable to boot.
Notably, Olympic Destroyer does not delete any of the victim’s files. Data is left intact, but the system will run into errors when trying to boot, mainly because many crucial Windows services have been disabled.
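The destructive steps listed above (shadow copy deletion, backup catalog deletion, disabling the recovery console, clearing the System and Security event logs) are all ordinary Windows command-line tools invoked in an unusual sequence, which is what makes them detectable. The following is an added example of such detection logic; it is not code from Cisco Talos or Bleeping Computer. It runs a small set of command-line patterns over constructed process-creation log lines in a simplified, hypothetical format (not a real Windows event layout), and only reports a host when several distinct destructive commands appear on it, because a lone shadow-copy cleanup can be routine administration.

```python
import re
from collections import defaultdict

# Detection rules: one pattern per destructive step in the write-up, matched
# case-insensitively against the full process command line.
RULES = {
    "shadow_copy_deletion":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "backup_catalog_deletion":
        re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "recovery_console_disabled":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|"
                   r"bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "event_log_cleared":
        re.compile(r"\bwevtutil(?:\.exe)?\b.*\bcl\s+(?:system|security)\b", re.I),
}

# Hypothetical, simplified process-creation log line layout (constructed for
# this example): <date> <time> host=<name> image=<path> cmdline="<args>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) image=(?P<image>\S+) '
    r'cmdline="(?P<cmdline>[^"]*)"$'
)

# Constructed sample log. PC-07 shows the full destructive chain; PC-ADMIN shows
# a lone shadow-copy cleanup of the kind an administrator might run on purpose.
SAMPLE_LOG = [
    r'2018-02-09 20:01:12 host=PC-07 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin.exe delete shadows /all /quiet"',
    r'2018-02-09 20:01:13 host=PC-07 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c wbadmin.exe delete catalog -quiet"',
    r'2018-02-09 20:01:14 host=PC-07 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c bcdedit.exe /set {default} recoveryenabled no"',
    r'2018-02-09 20:01:15 host=PC-07 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c wevtutil.exe cl System"',
    r'2018-02-09 20:01:16 host=PC-07 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c wevtutil.exe cl Security"',
    r'2018-02-09 20:02:40 host=PC-07 image=C:\Users\Public\chrome.exe cmdline="chrome.exe --type=renderer"',
    r'2018-02-09 09:30:00 host=PC-ADMIN image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /for=C: /oldest"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return one hit per (log line, matching rule) pair, carrying host, time and command line."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for rule_name, pattern in RULES.items():
            if pattern.search(event["cmdline"]):
                hits.append({"ts": event["ts"], "host": event["host"],
                             "rule": rule_name, "cmdline": event["cmdline"]})
    return hits


def hosts_with_wiper_chain(hits, min_distinct_rules=3):
    """Hosts on which at least `min_distinct_rules` different destructive steps were seen.

    Requiring several distinct steps separates the wiper pattern from a single
    legitimate maintenance command such as an administrator pruning old shadow copies.
    """
    rules_per_host = defaultdict(set)
    for hit in hits:
        rules_per_host[hit["host"]].add(hit["rule"])
    return sorted(host for host, rules in rules_per_host.items()
                  if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    all_hits = scan(SAMPLE_LOG)
    for hit in all_hits:
        print(f'{hit["ts"]} {hit["host"]} {hit["rule"]}: {hit["cmdline"]}')
    print("hosts matching the destructive chain:", hosts_with_wiper_chain(all_hits))
```

On the constructed sample the scanner records six individual hits, but only PC-07 is reported as matching the chain, since PC-ADMIN triggers just one rule. In a real deployment the command lines would come from Sysmon event ID 1 or Windows event ID 4688 with command-line auditing enabled, and the per-host grouping would be bounded by a time window.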
Murky attribution, as always
As for attribution, things are murky, as they have always been with cyber espionage operations. The two most obvious suspects are North Korea and Russia.
Nevertheless, some observers will be quick to push the idea that this is more than likely a Russian cyber operation.
Reasons are plenty, starting with a Twitter account that many believe is operated by Russian intelligence and that has recently dumped considerable amounts of hacked data in an effort to smear the International Olympic Committee following its ban on Russian athletes.
Further, Olympic Destroyer and Bad Rabbit both use hardcoded credentials for lateral movement, a clear clue that links the two strains together, at least in terms of M.O.
Last year, Ukrainian intelligence and a CIA report linked the NotPetya and Bad Rabbit ransomware outbreaks to Russian intelligence operations, and voices will be quick to point out that Olympic Destroyer is a more refined version of Bad Rabbit.
However, things are not as clear as they look. For example, Jay Rosenberg of Intezer Labs told Bleeping Computer earlier today that the malware code has many more connections to cyber tools used by Chinese hackers in the past than to North Korea or Russia.
Intezer has found that, looking both at the malware targeting the Olympic Games described in the reports published by McAfee and at the report by Cisco Talos, there are various minor code connections with well-known Chinese threat actors, Rosenberg told Bleeping Computer, adding that his company will release a more in-depth report later on, once they’ve had more time to examine the evidence discovered by Cisco Talos researchers.
Two weeks earlier, McAfee researchers published a report on another strain of PowerShell-based malware that was used to target Olympic Games organizers before the event’s start.
Source: Bleeping Computer