The Pyeongchang Olympics have been targeted by Russian hackers for months, in retaliation for the country's doping ban, with documents stolen and leaked from Olympics-related organizations. This time around, a more disruptive attack has surfaced, one designed to interfere with the opening ceremonies themselves.
Although the Olympics organizers have not pointed fingers at the Kremlin, the attackers appear to have left some calling cards that point in that direction.
Over the weekend the Pyeongchang Olympics organizers confirmed that they are investigating a cyber attack that temporarily paralyzed IT systems ahead of Friday's opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.
The security researchers at Cisco's Talos division have unveiled an analysis of a piece of sophisticated, fast-spreading malware they're calling Olympic Destroyer, which they believe was likely the cause of that outage. "It was effectively a worm within the Olympic infrastructure that caused a denial-of-service attack," says Talos researcher Warren Mercer.
Talos researchers revealed that Olympic Destroyer is designed to automatically jump from machine to machine within a target network and destroy certain data on each machine, including part of its boot record, then reboot the machine and prevent it from loading. "It turns off all the services, the boot information is nuked, and the machine is disabled," says Talos research director Craig Williams.
The security researchers pointed out that Olympic Destroyer's disruptive tactics and spreading methods resemble NotPetya and BadRabbit, two pieces of Ukraine-targeting malware seen in the last year that the Ukrainian government, the CIA, and other security firms have all tied to Russian hackers.
Unlike those earlier malware attacks, this latest sample destroys only backup data on victim machines, while leaving the rest of the PC's hard drive intact. In fact, the Olympic organizers were able to get their systems working again within 24 hours, while NotPetya victims in many cases permanently lost tens of thousands of computers and took weeks to fully recover. "It takes steps to disable the system, but it leaves computers in a state where they're not that difficult to recover," says Williams. "It's almost like they're sending a message. They could wipe the system, but they chose not to."
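The behaviours described above (backups destroyed, services disabled, boot recovery broken, the worm hopping between hosts) are the kind of activity a defender can correlate in process-creation telemetry. The following is an added example, not code from Talos or from this article: a small Python detector that runs over constructed sample log lines in a hypothetical "host | parent -> image | command line" format, tags each host with the generic wiper behaviour categories it exhibits, and flags only hosts that show several categories at once. The command-line patterns are assumptions chosen for illustration (standard Windows administration tools that wipers commonly abuse), not indicators taken from the page.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample process-creation events (hypothetical log format):
#   "<host> | <parent image> -> <image> | <command line>"
SAMPLE_LOGS: List[str] = [
    "ws-01 | cmd.exe -> vssadmin.exe | vssadmin.exe delete shadows /all /quiet",
    "ws-01 | cmd.exe -> wbadmin.exe | wbadmin.exe delete catalog -quiet",
    "ws-01 | cmd.exe -> bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no",
    "ws-01 | services.exe -> sc.exe | sc.exe config BITS start= disabled",
    "ws-02 | explorer.exe -> notepad.exe | notepad.exe C:\\notes.txt",
    # A legitimate backup agent pruning its oldest snapshot: one category only,
    # so it must not be flagged by itself.
    "ws-03 | backupagent.exe -> vssadmin.exe | vssadmin.exe delete shadows /for=C: /oldest",
]

# Generic wiper behaviour categories mapped to command-line patterns.
# These patterns are illustrative assumptions, not page-provided indicators.
INDICATORS: Dict[str, List[re.Pattern]] = {
    "backup_deletion": [
        re.compile(r"vssadmin\.exe.*delete\s+shadows", re.I),
        re.compile(r"wbadmin\.exe.*delete\s+catalog", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"bcdedit\.exe.*recoveryenabled\s+no", re.I),
        re.compile(r"bcdedit\.exe.*bootstatuspolicy\s+ignoreallfailures", re.I),
    ],
    "service_tampering": [
        re.compile(r"sc\.exe.*config.*start=\s*disabled", re.I),
        re.compile(r"net\.exe\s+stop\s+", re.I),
    ],
}


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one log line into (host, parent, image, command line)."""
    host, lineage, cmdline = (part.strip() for part in line.split(" | ", 2))
    parent, image = (part.strip() for part in lineage.split("->", 1))
    return host, parent, image, cmdline


def classify_events(lines: List[str]) -> Dict[str, Set[str]]:
    """Return, per host, the set of behaviour categories seen in its events."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        host, _parent, _image, cmdline = parse_line(line)
        for category, patterns in INDICATORS.items():
            if any(p.search(cmdline) for p in patterns):
                hits[host].add(category)
    return dict(hits)


def flag_hosts(lines: List[str], min_categories: int = 2) -> List[str]:
    """Flag hosts showing at least `min_categories` distinct wiper behaviours.

    Requiring several categories keeps a lone, legitimate backup-rotation
    command from tripping the alert on its own.
    """
    hits = classify_events(lines)
    return sorted(h for h, cats in hits.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    for host, cats in sorted(classify_events(SAMPLE_LOGS).items()):
        print(f"{host}: {', '.join(sorted(cats))}")
    print("flagged:", flag_hosts(SAMPLE_LOGS))
```

In a real deployment the same logic would read Sysmon or EDR process-creation events instead of the constructed list, and the threshold would be tuned against a baseline of the environment's legitimate backup and provisioning jobs.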
Talos obtained the Olympic Destroyer sample after Cisco's security products detected it and uploaded it for analysis, though the researchers haven't revealed exactly where the code came from.