Researchers Identify Malware That Disrupted Pyeongchang Olympics Launch


The code was preloaded with usernames and passwords for the Pyeongchang Olympic Games’ official servers, indicating a sophisticated attacker

The malware used to disrupt the Pyeongchang Olympic Games’ opening ceremony on Friday was a purely destructive tool put into place by sophisticated adversaries, according to computer security firms who say they’ve identified the code involved.

Cisco’s Talos IT security division, CrowdStrike and FireEye all said they had identified malicious code they believe was the code used in the attack, which initially affected internet protocol television displays but spread to other systems.

Officials said they shut down the affected servers to avoid further damage, a move that rendered the games’ official website inaccessible, meaning spectators couldn’t use it to print out tickets or access information. The attack also disabled Wi-Fi networks used by reporters.

The affected systems were brought back online by Saturday morning, and on Sunday officials acknowledged the issues had been caused by a cyber-attack.

Malware analysis

Intel also called off a live drone show planned for the opening ceremonies – but that was because too many spectators were gathered in the area where it was supposed to take place, the local Pyeongchang organising committee said.

Cisco said on Monday it had recovered a sample of the malware, detected and uploaded by its security products, which it believes was the code used in the attack.

The firm said it wasn’t aware of how the “Olympic Destroyer” malware initially reached the event’s servers. But it found the code contained 44 usernames and passwords for accounts on pyeongchang2018.com, the official Olympics domain name, which may have helped it access internal systems.

After penetrating a system, the malware searches a machine’s browser data and system memory for more credentials, and uses Windows features such as PSExec and Windows Query Language to spread across networks.

Cisco said the techniques used to move from one system to another are similar to those used by BadRabbit and NotPetya, destructive worms that initially targeted Ukrainian systems before causing damage worldwide.
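As an added defender-side example (not code from the article or from any of the vendors it cites), a small hunt over constructed Windows “service installed” (event 7045) log lines that flags PsExec-style service drops landing on several hosts within minutes, the kind of lateral movement described above. The log line layout, host names and timestamps are assumptions; event 7045 and the PSEXESVC service name are real Windows and PsExec artifacts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp host event_id key=value..."
# layout (not a real export). Event 7045 is Windows' "service installed" event and
# PSEXESVC is the service PsExec drops on a remote host; three workstations get it
# within two minutes, while ADMIN-07 two days later is an isolated admin run.
SAMPLE_LOG = r"""
2018-02-09T20:01:10 WS-01 7045 service=PSEXESVC path=%SystemRoot%\PSEXESVC.exe account=LocalSystem
2018-02-09T20:01:45 WS-02 7045 service=PSEXESVC path=%SystemRoot%\PSEXESVC.exe account=LocalSystem
2018-02-09T20:02:30 WS-03 7045 service=PSEXESVC path=%SystemRoot%\PSEXESVC.exe account=LocalSystem
2018-02-09T20:03:00 WS-04 7045 service=Spooler path=%SystemRoot%\System32\spoolsv.exe account=LocalSystem
2018-02-11T09:00:00 ADMIN-07 7045 service=PSEXESVC path=%SystemRoot%\PSEXESVC.exe account=LocalSystem
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def parse_line(line):
    """Return (timestamp, host, event_id, fields) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3)), fields

def psexec_service_installs(log_text):
    """(timestamp, host) pairs where a 7045 event installed a PsExec-style service."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, event_id, fields = parsed
        if event_id == 7045 and fields.get("service", "").upper().startswith("PSEXESVC"):
            hits.append((ts, host))
    return hits

def spread_clusters(hits, window=timedelta(minutes=10), min_hosts=3):
    """Bucket installs into time windows; flag windows touching >= min_hosts hosts."""
    hits = sorted(hits)
    clusters, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        j = i
        while j < len(hits) and hits[j][0] - start <= window:
            j += 1
        hosts = sorted({host for _, host in hits[i:j]})  # distinct hosts in window
        if len(hosts) >= min_hosts:
            clusters.append((start, hosts))
        i = j
    return clusters
```

Run `spread_clusters(psexec_service_installs(SAMPLE_LOG))` to get the flagged window; a single PSEXESVC install on one host is left alone, so routine administrator use is not reported.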

Olympic Destroyer doesn’t appear to try to steal data, but only to render systems unusable and to delete information that could be used to recover them. The worm also deletes data that could be used to analyse the malware or trace its activities.

“The purpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote data,” Cisco said in an advisory.

The company noted that the credentials found in the malware are one of several indications that the attack was carried out by sophisticated individuals who may have previously hacked the Olympics’ infrastructure.

Earlier attacks

Researchers had, in fact, previously found Pyeongchang Olympics organisations were targeted by information-stealing malware beginning in December.

Crowdstrike said it first detected Olympic Destroyer on Friday, 9 February, indicating its release was timed to coincide with the games’ opening ceremonies.

None of the security firms who tracked Olympic Destroyer said they had identified the source of the attack, and Olympics officials declined to comment on rumours in Pyeongchang that Russia-linked hackers carried it out in response to the ban imposed over state-sponsored doping.

The Russia-linked hacker group Fancy Bear, also thought to have hacked the Democratic National Convention (DNC) during the US presidential election campaign in 2016, has been linked to a September 2016 Olympics breach that resulted in the public release of athletes’ medical records.
