Malware that disrupted the Winter Olympic games was disguised to look as if the attack had come from the usual suspects, finds Kaspersky’s probe
Kaspersky Lab has warned that the attackers behind the sophisticated cyber-attack on the recent Winter Olympic games in South Korea used ‘false flags’ to disguise the originator of the attacks.
The malware, dubbed ‘Olympic Destroyer’ disrupted the Pyeongchang Olympic Games’ opening ceremony in February, after it crippled the functioning of the internet protocol televisions in the main press centre.
The affected servers were shut down as a preventative measure, but this in turn rendered the Pyeongchang 2018 website inaccessible, and took Wi-Fi networks offline. As a result, spectators were unable to print tickets or view games information.
An investigation by Cisco’s Talos IT security division, CrowdStrike and FireEye all identified the malicious code that was believed to have been used in the attack.
Based on that code, there were suspicions that Russia-linked hackers carried it out because of a ban on their athletes due to state-sponsored doping. The malware was also attributed to China and North Korea.
However, Kaspersky Lab said that its study of the Olympic Destroyer malware, which included “a careful look at the evidence and manual verification of each feature”, found that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus (a nation state backed group linked to North Korea).
“The ‘false flag’ was placed inside the worm by the malware creator in order to knock threat hunters off the trail to its real origin,” said the security firm. It said the very sophisticated false flag was designed to confuse the cybersecurity community.
Besides the attack on the Winter Olympics, Kaspersky Lab said it also found that several ski resort facilities in South Korea suffered from this worm.
“Although the actual impact of attacks with this malware was limited, it clearly contained the capability to be devastating, which luckily didn’t happen,” it said. “Nevertheless, the real interest of the cybersecurity industry lay not in the potential or even actual damage caused by the Destroyer’s attacks, but in the origin of the malware.”
It said that research teams from all over the world had between them “managed to attribute this malware to Russia, China and North Korea, based on a number of features previously attributed to cyber-espionage and sabotage actors allegedly based in these countries or working for these countries’ governments”.
Kaspersky said the ‘fingerprint’ it uncovered was a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found ‘smoking gun’ evidence.
“To our knowledge, the evidence we were able to find was not previously used for attribution,” Vitaly Kamluk, Head of APAC Research Team, Kaspersky Lab. “Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artefact is very hard to prove.”
“It’s as if a criminal had stolen someone else’ DNA and left it at a crime scene instead of their own,” said Kamluk. “We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are ready to spend in order to stay unidentified for as long as possible. We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this.”
Kaspersky Lab said that it had still not identified who was responsible for Olympic Destroyer “simply because it is a unique example of the implementation of very sophisticated false flags”.
Do you know all about security? Try our quiz!