Olympic Destroyer Moves from Pyeongchang to Europe and Russia

Olympic Destroyer, the threat actor that targeted the 2018 Winter Olympics in Pyeongchang, South Korea, has launched new attacks against organizations from Russia, Ukraine and several other European countries.

To sabotage the 2018 Winter Olympics computer infrastructure, the group used a destructive network worm. Initial evidence suggested the attack was the work of the Lazarus Group, a threat actor associated with the North Korean government.

However, according to subsequent research by Kaspersky Lab, the technical similarities between the Olympic Destroyer malware and Lazarus’ tools were likely created intentionally by the attackers, a technique known in the security industry as planting a false flag. The malware also had similarities to Chinese APTs, the EternalRomance SMB exploit and the NotPetya and BadRabbit ransomware programs.

Researchers thought Olympic Destroyer might have been a one-off attack crafted specifically for the Olympic Games. However, in May and June, researchers from Kaspersky Lab detected new activity from the group in the form of spear-phishing campaigns targeting financial organizations from Russia and bio-chemical threat analysis laboratories from France, the Netherlands, Switzerland, Germany and Ukraine.

The rogue Word documents used in these campaigns contained heavily documented embedded macros that dropped payloads which combined various technologies including PowerShell, VBA, MS HTA and JScript. The final payload was Powershell Empire, a post-exploitation framework written in Python and Powershell that’s popular with penetration testers. The framework has a fileless agent with a modular architecture and encrypted communications that allows attackers to control compromised hosts.

A document used against targets in Ukraine was a malicious copy of an official document from the country’s Ministry of Health. Other documents contained Russian messages written in Cyrillic that were likely produced by a native Russian speaker and not automated translation software.

While it’s not clear who is behind Olympic Destroyer, the Kaspersky researchers have observed TTPs (tactics, techniques and procedures) as well as operational security methods similar to those used by Sofacy, a cyberespionage group also known as Fancy Bear and APT28 that’s believed to be linked to Russia’s GRU military intelligence agency.

The targets in Europe also fit Russia’s geopolitical interests. For example, one of the lure documents masqueraded as an invitation to Spiez Convergence, a biochemical threat research conference held in Switzerland.

Spiez Convergence is organized by Spiez Laboratory, which was involved in the investigation of the nerve agent attack in Salisbury that poisoned former Russian spy Sergei Skripal and his daughter. Another decoy document used in the campaign contained a news article about the same attack.

However, the Kaspersky researchers warn that drawing conclusions about attribution is difficult, especially with Olympic Destroyer, which already has proved to be masters of deception and the planting of false flags. Because of this, Kaspersky assesses the group’s connection to Sofacy with low to moderate confidence.

“Despite initial expectations for it to stay low or even disappear, Olympic Destroyer has resurfaced with new attacks in Europe, Russia and Ukraine,” the Kaspersky researchers said. “In late 2017, a similar reconnaissance stage preceded a larger cyber-sabotage stage meant to destroy and paralyze infrastructure of the Winter Olympic Games as well as related supply chains, partners and even venues at the event location. It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.”

The attacks against financial organizations in Russia might be another false flag or the result of cyberattack outsourcing, which is not unusual for nation state groups, the researchers said.

Featured eBook
Mobile-to-Mainframe: The Definitive Guide to Achieving Compliance

Mobile-to-Mainframe: The Definitive Guide to Achieving Compliance

Mainframes are a lot like banks. They hold some of the most valuable information in the world — which make them a lucrative target for everything from insider attacks to data theft. Mainframes today process over $8 trillion in credit card transactions annually, and as much as 70 percent of all corporate data still runs on the platform ... Read More
CA Technologies

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 265 posts and counting.See all posts by lucian-constantin