PyeongChang 2018 Olympics Hack Installed ‘In-Depth’ Spyware

A malware campaign targeting Pyeongchang Winter Olympics organisations installed tools capable of sending detailed information back to attackers

Researchers have uncovered in-depth surveillance tools being installed on systems involved with the upcoming Winter Olympics in Pyeongchang, South Korea.

The spyware was initially identified in late December, but McAfee’s Advanced Threat Research team now believes the four tools were placed there as part of a complex email-based phishing attack reported in January.

The tools appear to be designed to collect information on South Korean organisations involved with Pyeongchang, McAfee said in an advisory. Separately, the company’s chief scientist Raj Samani has said the campaign was probably put into place by agents acting on behalf of North Korea.

The espionage efforts are part of broader hacking activity around Pyeongchang that has also seen a Russian-linked hacker group publicly release documents stolen from Olympics organisations.

winter olympics skater skating © Herbert Kratky Shutterstock

Second-stage deployment

In January McAfee said it had discovered a successful malware campaign that involved the use of complex techniques and cutting-edge tools to disguise the attackers’ malicious code.

The campaign began on 22 December and used emails spoofed so that they appeared to have been sent by South Korea’s National Counter-Terrorism Center (NCTC). At the time, the NCTC was in fact in the process of conducting drills in the region in preparation for the Olympic Games.

The email was sent to icehockey@pyeongchang2018.com, with 333 other Olympics-related organisations listed in the BCC line, most involved either in providing infrastructure or support for the event.

Researchers found that a log file from a Czech Republic server used to relay commands to infected systems listed IP addresses from South Korea connecting to the URLs contained in the malware, indicating systems had been effectively compromised, McAfee said.

The malware initially linked to the email campaign involved a PowerShell implant that resided in the memory of targeted systems, but McAfee now believes that was only the attack’s first stage.

Espionage tools

The four spyware tools, called Gold Dragon, Brave Prince, Ghost419 and Running Rat, which appeared around the same time, were in fact downloaded by the initial code and formed a second stage, McAfee said.

The tools, which are named after phrases found in their code, are designed to be more persistent than the in-memory implant, which disappears when the system is rebooted.

While Gold Dragon mainly aims to establish persistence, other components, such as Brave Prince, are more in-depth spyware tools. Brave Prince gathers detailed logs about the system’s configuration, its hard drive’s contents, registry, scheduled tasks, running processes and more, McAfee said.

The tools all use shared elements and code, indicating a common source.

McAfee said the tools give a better idea of the malware campaign’s scope.

“Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known,” the firm said in an advisory. “The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.”

McAfee said it expects hacking activity to continue as the Winter Olympics begins on Friday.

The Pyeongchang Winter Olympics runs through 25 February.

Do you know all about security? Try our quiz!