Pyeongchang Winter Olympics opening disrupted by cyber attack

Servers of PyeongChang Olympic committee were hacked during the opening ceremony

Cyber attack at Pyeongchang Winter Olympics

Pyeongchang Olympics organizers have confirmed that their servers were hacked during the opening ceremony on Friday. It is currently unknown what type of malware was injected into the system, but it's vividly dubbed as “Olympic Destroyer.” It managed to temporarily paralyze IT servers, including the shutdown of display monitors, Wi-Fi, and the official website[1].

As a result, people who have purchased tickets to the event online were unable to print them. However, the website came back online at around 8 am on Sunday[2]. Currently, experts are investigating Winter Olympics malware attack and cannot comment much.

Although, no data was stolen from the compromised servers. Likewise, experts tend to believe that the cyber attack was mainly designed to disrupt the opening ceremony and embarrass PyeongChang Olympic committee. However, there are no guarantees that hackers won't switch their aims soon.

Criminals designed malware to jump from one machine to another

On Monday morning, malware researchers from Talos said that the malware was specifically programmed to jump from one computer to another with the following targets[3]:

  • Delete Shadow Volume Copies;
  • Turning off the recovery mode;
  • Rebooting the computer;
  • Preventing the machines from loading.

Craig Williams, research director at Talos, describes the activity of Olympic destroyer's developers as:

It takes steps to disable the system, but it leaves computers in a state where they’re not that difficult to recover. It’s almost like they're sending a message. They could wipe the system, but they chose not.

According to Warren Mercer and Paul Rascagneres,[4] unlike ransomware virus that swipes all essential data away, “Olympic Destroyer” is set to destruct the host, leave the system offline, and wipe remote data away. In other words, malware has been developed not to destruct, but rather to disrupt the Games.

Until no one has been found guilty, researchers are only speculating on what is standing behind the curtains. Most of them point out to one “powerful actor”[5] that might be angry for being banned from this year's Winter Olympics by the International Olympic Committee due to the doping scandal. And you know what we mean.

Cyber threat researchers found malicious programs pointing their activity to Winter Olympics days before the opening ceremony

According to the cyber threat analysts, Ryan Sherstobitoff, McAfee team found a hazardous document which was particularly targeting Pyeongchang Olympics a few days before the opening ceremony[6]:

The new document contained the same metadata properties as those related to Operation GoldDragon, and sought to gain persistence on systems owned by organisations involved with the Winter Games.

Additionally, he adds that there is a high risk that malicious actions will continue throughout the games[7]. Such beliefs are supported by the previous discovery of the malware and phishing campaign targeted at organizations which are related to the Winter Games.

While initially it was believed that the attack might have been conducted a couple of days before the beginning of the Olympics, CyberScoop recently provided a deeper insights on the attack and claims that Atos, the IT company supporting Winter Olympics, has been hacked months before the opening of Olympics.

Hackers, who developed the “Olympic Destroyer” initially known as Cisco's Talos malware, must have known the peculiarities of the Olympic Games' servers. According to them, they must have hacked the IT provider hosting the Olympics before February 9th. CyberScoop claims that:

The malware required a bank of authentic login credentials to actual accounts of Olympics staff in order to quickly propagate and spread a destructive payload, which deletes files, like shadow backups, boot configuration data (BCD) and event logs on infected machines.

VirusTotal analysis of some of Destroyer malware files revealed that a close relationship between Atos employee credentials and the person who deployed the malware. The more in-depth analysis indicates the fact that the hacker was located in France and Romania, and might have analyzed the host server of the Olympic Games since December 2017.

The criminals have designed a never-seen-before malware which aims to switch the control of the infected machines to the hackers. Malware analysts called this threat Operation PowerShell Olympics and say the following:

This particular malware has not been seen before, and it is something custom that was created by the attacker

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions

References
Files
Software
Compare