High-profile events like the 2018 Winter Olympics currently taking place in Pyeongchang, South Korea, are a hot-spot for potential cybersecurity threats. Cyber criminals often use these large gatherings of people and technology as a means to steal personally identifiable information (PII) or harvest users’ credentials for financial gain.
The likelihood of these attacks taking place is now so high that US-CERT issued a bulletin ahead of this year’s Olympics reminding travellers to be aware of both cybersecurity and physical security risks – a warning we’d never have had twenty years ago.
Despite this, it was a very different form of attack that the International Olympic Committee (IOC) needed to worry about at the start of the Games. Dubbed the ‘Olympic Destroyer’, a cyberattack hit the Olympics’ computer systems just before the 2018 Pyeongchang Games’ opening ceremony, crashing the internal internet and Wi-Fi.
What do we know so far?
While it seems as though the shutdown didn’t disrupt any of the Olympic activities or the opening ceremony itself, it has been revealed by cybersecurity researchers that the attack was aimed at data disruption and involved a brand new strain of malware which has only disruptive capabilities – similar to that of the Bad Rabbit ransomware.
From this, we can gather that the real intent of the attack was not to steal data, as originally thought, but was likely to disrupt the Games and bring embarrassment upon its organisers. This is where the purpose of this malware differs from that of the ransomware which proved popular with threat actors seeking financial gain last year.
Worryingly, however, this malware follows numerous warnings to Olympics organisations after alleged Russian-endorsed cyber-attacks and phishing attacks were spotted from suspected cyber-espionage group Fancy Bear. They are also known as APT28 – the group which was condemned in 2016 for stealing information from the World Anti-Doping Agency (WADA) about US athletes and publishing it online.
Could it happen again?
It is currently unclear how these threat actors accessed the Olympic systems; however, there is a very real possibility they will be back. While the damage caused by the outage was seemingly minimal this time, the attackers apparently left a ‘calling card’ on the network, threatening a return to perform further destruction, leave computer systems offline and wipe remote data.
Alongside this, researchers from McAfee’s Advanced Threat Research team have identified a new implant named Golden Dragon, which is being used to target organisations involved in the Games. Similar to an implant previously used to gain access to targeted victims’ systems and gather system information, this implant could allow threat actors to extract valuable data from the Olympic systems.
Who is the culprit?
Attribution of the attack is currently unclear and, at this point in time, it is too early to say whether this was a nation-state attack or that of someone looking to show off their cyber skills on the big stage.
Rumours are circulating that the most obvious culprits are North Korean or Russian threat actors, given growing tension between North Korea and the USA as well as Russia’s ban from officially competing in this year’s Winter Olympics. However, none of these theories have been confirmed.
The Fancy Bear hack team should also be considered frontrunners when it comes to attribution, following a tweet that was made in early January by the Fancy Bear Twitter account threatening the IOC and WADA. Hours after this tweet, the same account posted a link to the Fancy Bear domain which hosted leaked information including a set of apparently stolen emails that purportedly belong to officials from the IOC, the United States Olympic Committee and third-party groups associated with these organisations.
While attribution is difficult at this point in time, organisations involved in or linked to the Olympics need to be aware of and prepare for another potential attack. With the motives behind these attacks unclear, it is important that cybersecurity chiefs remain focused on understanding the tactics, techniques and procedures (TTPs) of a threat actor whilst keeping an eye on the evolution of threats, in order to assess intent and identify potential future attacks on the Pyeongchang Games.
A fully qualified SANS Cyber Guardian, STIX geek and all-around nerd, Chris has led teams across both Public and Private sector Cyber Security and Intelligence arenas. Chris started out as an Intrusion Analyst, tracking and responding to incidents, and was one of the first technical analysts to help establish NCSC UK. Before joining EclecticIQ, Chris held a post as Deputy Technical Director in the NCSC specialising in technical knowledge management to support rapid response to cyber incidents, and is now the Fusion Center's Director of Intelligence Operations.