Olympic Destroyer is newly targeting financial organizations from Europe

by Olivia Morelli

Hackers responsible for Winter Olympic Games 2018 cyber attacks are back

Hackers from Winter Olympics 2018 strike again

June 2018 brought news reports of a phishing[1] attack that looks very similar to incidents from the past. Similar TTPs and operation[2] lead researchers to believe that this is the same unidentified hacker group that attacked Winter Olympics 2018[3] servers during the opening ceremony. According to researchers, these attacks share many similarities, even though the targets are different:

In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.

At the moment, it is known that the group has targeted computers in France, Switzerland, Russia, Ukraine, and Germany. The main purpose is to gain access to computers owned by people affiliated with an upcoming biochemical threat conference.

The tactic behind this attack is to spread misleading email messages carrying an infected attachment. When the victim is convinced to download such a document to his or her computer, malicious macros[4] immediately execute multiple scripts. Later, while working in the background, they can install the payload and take control of the victim's system.

The malicious attachment is named Spiez Convergence, which is identical to the name of a biochemical threat research event held in Switzerland and organized by the company Spiez Laboratory. The company had already hit the headlines in the investigation of the Salisbury attack involving former Russian spy Skripal.

It is also known that other spear-phishing documents were sent to the Ministry of Health in Ukraine.

However, it is still unknown who is behind these attacks. Various researchers advise research organizations to be cautious and work on increasing the strength of their IT security.

Same technique used in Olympic Destroyer spear-phishing campaign

Olympic Destroyer was first noticed during the Pyeongchang Olympics, when organizers, suppliers and partners were hacked by malware. The attack was called a master operation because of its difference and difficulty, but researchers could identify the specific threat. An excessive number of false flags helped experts name these attackers:

The deceptive behavior of Olympic Destroyer, and its excessive use of various false flags, which tricked many researchers in the infosecurity industry, got our attention. Based on malware similarity, the Olympic Destroyer malware was linked by other researchers to three Chinese speaking APT actors and the allegedly North Korean Lazarus APT; some code had hints of the EternalRomance exploit, while other code was similar to the Netya and BadRabbit targeted ransomware.

Malicious spam emails can spread various types of malware 

Questionable spam emails and their attachments can spread a handful of different cyber infections. First of all, they can be filled with advertisements and other commercial content that can easily redirect you to a malicious website seeking to swindle your personal information. Spam emails can also contain safe-looking attachments filled with macro viruses. These can infect your system with a trojan and other viruses used for spreading ransomware. Finally, keep in mind that attacks such as these can also be carried out with the help of spam.

You can avoid these infections if you pay enough attention while browsing online and decline offers that seem too good to be true. Always double-check emails, especially if they come from people you don't know. If you also find typos or grammar mistakes, the best way to deal with such an email is to delete it without opening it or downloading any attachments.

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.


References