Monday, February 12, 2018

'Olympic Destroyer' malware may have been behind the cyber attack that disrupted servers during the opening ceremony, security researchers say

Pictured, the flag of South Korea and the Olympic flag are seen waving during the opening ceremony of the 2018 Winter Olympic Games in Pyeongchang, South Korea. Olympics organizers confirmed over the weekend that their servers had been hit by a cyber attack

Organizers of the 2018 Winter Olympics in Pyeongchang, South Korea confirmed on Sunday that hackers targeted the event's opening ceremony.

But, they didn't disclose who was behind the cyber attack.

Now, researchers from Cisco's Talos Intelligence Group believe they've discovered a piece of malware, referred to as the 'Olympic Destroyer,' that may have been used in the attack.

Additionally, researchers from cyber security firms CrowdStrike and FireEye confirmed similar findings in statements to Reuters.

Before the opening ceremony began, the official Pyeongchang website went down, which meant customers were unable to print tickets or access other information.
The attack also left the Olympic stadium without WiFi, while internet and television were disrupted in the press center.

The website wasn't brought back online until 12 hours after servers had been hit.

'We know the cause of the problem but that kind of issue occurs frequently during the Games,' Pyeongchang organizing committee spokesman Sung Baik-you told Reuters.
As a result of the malware attack, the official Pyeongchang website went down, which meant customers were unable to print tickets or access other information

'We decided with the International Olympic Committee we are not going to reveal the source [of the attack],' he added.
The Talos report sheds a light on how the malware attack may have been carried out.

According to researchers Warren Mercer and Paul Rascagneres, who co-authored the study, the attack wasn't carried out with the goal of stealing information.

Instead, the attack was meant to disrupt the games.

'The samples analyzed appear to perform only destructive functionality,' the researchers wrote in a blog post on Monday.

'There does not appear to be any exfiltration of data,' they added.

The 'destructive' nature of the Olympic Destroyer malware aimed to 'render the machine unusable' by deleting shadow copies and event logs.

A shadow copy is a Microsoft Windows feature (the Volume Shadow Copy Service) that takes point-in-time snapshots of files or whole volumes, manually or on a schedule, even while they are in use; it is what administrators normally fall back on to restore a damaged system.

In this way, the attack destroyed data on the server, both the originals and their shadow copies, while removing the means of recovery and clearing the event logs that would otherwise have recorded its activity.
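The behaviour described above, deleting shadow copies and then clearing event logs, is visible in process-creation telemetry before any data is lost. The following detector is an added example written for this page; it is not code from the article or from Talos, and the hard-coded hostnames, user names and the pipe-separated event format are constructed for illustration. It flags the Windows recovery-removal and log-clearing commands and then correlates them per host, so that a machine that loses its shadow copies and its System and Security logs within a few minutes is raised as a wiper pattern rather than as two unrelated administrative events.

```python
"""Detect the 'remove recovery, then clear the logs' pattern in process-creation events.

Added example for this page (not the article's or Talos's code). Input events are
constructed samples in a simple pipe-separated form:
    timestamp|host|user|parent_image|command_line
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Real Windows tools and switches that remove recovery options or clear event logs.
# The article only states that the malware deleted shadow copies and event logs;
# which of these exact commands it used is not taken from the page.
RECOVERY_WIPE_PATTERNS = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\w+", re.I),
}


@dataclass
class Finding:
    timestamp: datetime
    host: str
    user: str
    technique: str
    command: str


def parse_event(line: str) -> dict:
    """Split one constructed event line into its fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "user": user,
        "parent": parent,
        "cmd": cmd,
    }


def classify_command(cmd: str) -> list:
    """Return the names of every recovery-wipe pattern that matches a command line."""
    return [name for name, pat in RECOVERY_WIPE_PATTERNS.items() if pat.search(cmd)]


def find_recovery_wipes(lines) -> list:
    """Scan event lines and return one Finding per matched technique."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for technique in classify_command(ev["cmd"]):
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], technique, ev["cmd"]))
    return findings


def hosts_with_wiper_pattern(findings, window_seconds: int = 600) -> dict:
    """Hosts where recovery removal and an event-log clear occur within the window.

    Returns {host: sorted list of techniques seen on that host}.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    flagged = {}
    for host, host_findings in by_host.items():
        recovery = [f for f in host_findings if f.technique != "event_log_clear"]
        log_clears = [f for f in host_findings if f.technique == "event_log_clear"]
        if any(abs((lc.timestamp - r.timestamp).total_seconds()) <= window_seconds
               for r in recovery for lc in log_clears):
            flagged[host] = sorted({f.technique for f in host_findings})
    return flagged


# Constructed sample telemetry: one host shows the full wiper sequence, another
# shows benign administrative use of the same tools (listing, querying).
SAMPLE_EVENTS = """\
2018-02-09T20:02:13Z|PC-OPS-12|CORP\\svc_ops|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
2018-02-09T20:02:14Z|PC-OPS-12|CORP\\svc_ops|C:\\Windows\\System32\\cmd.exe|wbadmin.exe delete catalog -quiet
2018-02-09T20:02:15Z|PC-OPS-12|CORP\\svc_ops|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} recoveryenabled no
2018-02-09T20:02:20Z|PC-OPS-12|CORP\\svc_ops|C:\\Windows\\System32\\cmd.exe|wevtutil.exe cl System
2018-02-09T20:02:21Z|PC-OPS-12|CORP\\svc_ops|C:\\Windows\\System32\\cmd.exe|wevtutil.exe cl Security
2018-02-09T20:10:00Z|PC-ADMIN-03|CORP\\jdoe|C:\\Windows\\explorer.exe|vssadmin.exe list shadows
2018-02-09T21:30:00Z|PC-ADMIN-03|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wevtutil.exe qe Application /c:5
""".splitlines()


if __name__ == "__main__":
    hits = find_recovery_wipes(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.timestamp.isoformat()} {h.host} {h.user} {h.technique}: {h.command}")
    for host, techniques in hosts_with_wiper_pattern(hits).items():
        print(f"WIPER PATTERN on {host}: {', '.join(techniques)}")
```

The per-command matches alone would fire on legitimate backup maintenance, which is why the second stage requires both a recovery-removal command and a log clear on the same host inside a short window; in the sample, only PC-OPS-12 meets that bar, while the administrator on PC-ADMIN-03 who merely lists shadow copies and queries a log is not flagged.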

The researchers said the hackers may have had some Winter Olympic credentials before carrying out the attack, suggesting that the systems were already compromised to begin with.

'The malware author knew a lot of technical details of the Olympic game infrastructure such as username, domain name, server name and obviously password,' they explained.

'...By using the hard coded credentials within this malware it's also possible the Olympic infrastructure was already compromised previously to allow the exfiltration of these credentials,' according to the report.
The researchers said that some of the tactics used in the Olympic Destroyer malware were similar to those deployed in high-profile ransomware attacks such as BadRabbit and Wannacry cousin Nyetya, both of which crippled systems worldwide last summer
The report also notes that some of the communication channels used in Olympic Destroyer are similar to those deployed in high-profile ransomware attacks such as BadRabbit and Wannacry cousin Nyetya, both of which crippled systems worldwide last summer.

Co-authors Mercer and Rascagneres added that it's possible the attacks were carried out remotely, but they didn't speculate about whether any particular group or country was responsible for the attacks.
Leading up to the Olympics, security experts had warned that Russian hackers may have been striking as revenge after 47 of their athletes and coaches were banned following allegations of a doping program.

However, Russian officials were quick to discount any claims that Russian hackers were planning to launch attacks on the infrastructure connected to the Pyeongchang Olympic Games.

'We know that Western media are planning pseudo-investigations on the theme of 'Russian fingerprints' in hacking attacks on information sources related to the hosting of the Winter Olympic Games in the Republic of Korea,' Russia's foreign ministry told Reuters.

'Of course, no evidence will be presented to the world,' they added.
