The Olympic Destroyer Hacks The Winter Olympics 2018 Swiping Files (Not Medals)
In total, 91 national teams participated in the Winter Olympics 2018. The Olympians were not the only stars, major companies such as Samsung and Intel showed off with self-driving cars, virtual-reality viewing stations and super-fast video streaming. This made the Winter Olympics 2018 event the most high-tech Olympic Games in history. To illustrate, Intel launched 1,200 “shooting star” drones to create aerial images of the Olympic rings. Alibaba provided the cloud service and eCommerce for the Olympics with several hundred employees that it sent to South Korea to handle the operations. Atos, a Paris-based information technology company, handled the IT side of the event. It moved all of the critical IT systems to the cloud — a first for the Olympics. All these efforts are also a dry run for the Winter Olympics in 2022 that will be hosted in China.
However, going high-tech has a downside – it’s the perfect bait for hackers. It already started at the opening ceremony, when hackers caused both LAN and Wi-Fi communications to fail during the opening ceremony on February 9, 2018, prevented tickets from being printed from the Olympics website. The hackers knew usernames, server names and passwords used for the Olympic Games infrastructure.
Dubbed the “Olympic Destroyer”, the malware works as follows:
- It is deployed via the EternalRomance exploit which was leaked by Shadow Brokers in 2017. This exploit was also used in the NotPetya and Bad Rabbit ransomware strains.
- Once the malware is on the targeted machine, it checks the network for two ways to propagate by checking the Address Resolution Protocol (ARP) table and by using WMI to get a list of all systems.
- Once it knows the best way to propagate, it steals credentials to distribute copies of itself to remote systems (using a legitimate, signed copy of PsExec and WMI).
- It then disables tools used for recovering individual files, folders, and entire drives. It also prevents the Windows recovery console to repair anything on the system, and deletes the System and Security Windows event log to avoid analysis.
- The malware starts swiping files on the machine as well as on shared network drives.
It is still unclear who is behind the attacks, although fingers have been pointed at Russia (since it was banned from competing due to a doping scandal), China and North Korea. According to one intelligence report, the Russian military agency GRU was responsible, accessing as many as 300 Olympic-related computers. It was feared during the time of the competitions that these could be abused to disrupt the closing ceremony, which ended in a remarkable show without any special cyber events. As it looks now, there was no data leakage or infrastructure damage (yet).
No matter who’s to blame, it seems that hackers armed with the destructive malware seemed to have compromised Atos which was responsible for hosting the cloud infrastructure for the Pyeongchang Games. The company was taking care of all critical IT applications – including the distribution of results in real time like the Olympic Diffusion System (ODS) – to remotely manage and host on the cloud. However, following a number of glitches during the games, it has been revealed that Atos was the victim of the pervasive cyberattack. As it stands now, a series of Atos computer systems was penetrated in December 2017.
Up till now, the malicious cyberattacks targeted solely the Winter Olympics and several organisations associated with the Games. It shows that even global events using state-of-the-art technology can be victimized by cybercrooks. Furthermore, there is a chance that the Olympic Destroyer will attack other organisations worldwide in the coming months.
So how can organizers of major events know if their cybersecurity defenses will stand up to such attacks? The answer is using Cymulate’s Breach & Assess Simulation (BAS) platform such as Cymulate’s. It allows an organization to test its security posture anytime, from anywhere. The platform uses simulated attacks that will try to bypass all security controls both relating to solutions (such as AV software) or people (e.g., click bait).
Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.
Don’t speculate, Cymulate