This Week in Security: The Olympics Gets ‘Meddled’ With

In this day and age, no large public event is off limits to some form of attack or compromise. The Olympic games are certainly no exception. From well-crafted phishing lures (which start well before the actual games) to outright malicious and destructive attacks, we have seen the whole range during past Olympic games.

The same holds true for the current Olympic games in Pyeongchang. News of a cyber ‘event’ spread quickly early this week in the form of an outage that affected the availability of the official Pyeongchang 2018 website, media services in the main Olympic press center, and wireless services in the Pyeongchang Olympic stadium.

With news and data quickly circulating, the event was ultimately connected to a destructive malware campaign dubbed “Olympic Destroyer.” Little is known or disclosed regarding the initial infection vector.

Primary characteristics of the malware components include:

•    Lateral movement via WMI and PsExec
•    Destroys local logs and VSS data
•    Contains hardcoded credentials (specific to the target environment)
•    Credential-stealing mechanism is supplemented by stolen credentials acquired via a browser-based credential stealer and a Mimikatz-like (LSASS-based) stealer
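The behaviours listed above map onto well-known Windows telemetry, so one way to hunt for the combination is to correlate remote-execution events with destructive ones per host. The sketch below is an added example, not code from the original post or from any vendor analysis. It assumes events already normalised into dicts with hypothetical field names (`host`, `time`, `id`, `parent`, `detail`), uses standard Windows event IDs (7045 service install, 4688 process creation with command-line auditing enabled, 1102 and 104 log cleared), and matches generic command patterns rather than indicators taken from the samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

VSS = re.compile(r"vssadmin(\.exe)?\s.*delete\s+shadows", re.I)
WEVT = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)

# Behaviour name -> predicate over one normalised event (generic heuristics, not sample IoCs).
RULES = {
    "psexec_service": lambda e: e["id"] == 7045 and "psexesvc" in e["detail"].lower(),
    "wmi_spawn": lambda e: e["id"] == 4688 and e.get("parent", "").lower().endswith("wmiprvse.exe"),
    "vss_delete": lambda e: e["id"] == 4688 and bool(VSS.search(e["detail"])),
    "log_clear": lambda e: e["id"] in (1102, 104)
                 or (e["id"] == 4688 and bool(WEVT.search(e["detail"]))),
}
LATERAL, DESTRUCTIVE = {"psexec_service", "wmi_spawn"}, {"vss_delete", "log_clear"}

def classify(event):
    return {name for name, rule in RULES.items() if rule(event)}

def correlate(events, window=timedelta(minutes=10)):
    """Hosts where remote execution is followed by destructive activity within `window`."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        seen[e["host"]] += [(e["time"], b) for b in classify(e)]
    alerts = defaultdict(set)
    for host, hits in seen.items():
        for t1, b1 in hits:
            if b1 not in LATERAL:
                continue
            after = {b for t, b in hits if b in DESTRUCTIVE and timedelta(0) <= t - t1 <= window}
            if after:
                alerts[host] |= {b1} | after
    return {host: sorted(b) for host, b in alerts.items()}

def at(h, m): return datetime(2018, 1, 1, h, m)  # constructed timestamps

# Constructed sample events (not real telemetry), already normalised to dicts.
SAMPLE = [
    {"host": "WS01", "time": at(9, 0), "id": 7045, "detail": "Service installed: PSEXESVC"},
    {"host": "WS01", "time": at(9, 1), "id": 4688, "parent": "cmd.exe", "detail": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "time": at(9, 2), "id": 1102, "detail": "The audit log was cleared"},
    {"host": "WS02", "time": at(9, 5), "id": 4688, "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "detail": "C:\\Windows\\Temp\\example.exe"},
    {"host": "WS02", "time": at(9, 6), "id": 4688, "parent": "cmd.exe", "detail": "wevtutil cl System"},
    {"host": "SRV03", "time": at(8, 0), "id": 7045, "detail": "Service installed: PSEXESVC"},
    {"host": "SRV03", "time": at(13, 0), "id": 1102, "detail": "The audit log was cleared"},
]

print(correlate(SAMPLE))
```

Because the malware destroys local logs, this kind of correlation is only useful over events that were forwarded off the host before the wipe. SRV03 in the sample is not flagged: PsExec use and a log clear hours apart fall outside the window, which keeps routine administration from alerting.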

NOTE: Some firms were initially reporting the use of the ETERNALROMANCE SMB exploit within Olympic Destroyer. Those reports (including tweets from Microsoft) have since been withdrawn as further analysis shows no use of the flaw in currently circulating samples.


Based on current analysis, the primary goal is destruction and disruption. Our team is continuing to monitor and analyze this situation.

There are some important points to stress here. Attribution and true intent are often complex and unfold over time. Jumping to conclusions around ‘who’ is behind this attack and ‘why’ (this early in the timeline) does little to further the discourse. If history is any guide, this event is not solitary but rather (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Blog. Read the original post at: Cylance Blog