Researchers discovered new details in the “Olympic Destroyer” malware, which targeted the Winter Olympics in Pyeongchang, South Korea, shedding more light on the malware's intentions and providing background information on the attack.
Cisco Talos researchers originally thought the malware only targeted single endpoints but now believe the malware also wipes files on shared network drives, according to a recently updated blog post detailing the malware.
Furthermore, researchers believe the sole purpose of the attack was to shut down systems at the games and not to steal information. The malware includes a binary that targets machines with a pair of “stealing modules,” one designed to grab user credentials embedded in popular web browsers and another to steal them from Windows' Local Security Authority Subsystem Service (LSASS).
The updated blog also noted that the threat actors behind the malware knew a lot of technical details of the Olympic Games infrastructure, such as usernames, domain name, server names and passwords, suggesting a prior compromise had taken place before the initial attack, Talos researcher Craig Williams tweeted.
Cyberscoop researchers came to a similar conclusion and found that Atos, the IT provider for the Olympics, was hacked months before the Olympics, compromising Atos employee usernames and passwords and suggesting the most recent attack was part of a larger cyber-espionage initiative, according to a 14 February report.
Researchers said the breach was most likely carried out by the same hackers that targeted the Olympics and that the hackers were in Atos systems until at least December 2017.
Despite the new information, it is still unclear who is behind the attacks, although some have speculated that Russia may be, as it was banned from competing as a country due to a doping scandal; however, Russian athletes who weren't involved were still allowed to compete under the Olympic banner.
Priscilla Moriuchi, director of strategic threat development, Insikt Group at Recorded Future, told SC Media it's important not to jump to conclusions, since accurate attribution is both more crucial and more difficult to determine than ever.
“Hasty attribution of attacks such as this one on the Winter Games in Pyeongchang can have substantial negative real-world consequences and as a result merit thorough, expert, and meaningful analysis,” Moriuchi said.
Researchers also warn that more attacks may be on the horizon, as the Olympics provide an opportunity for a wide range of attacks, including phishing emails, domain theft, ransomware and fake social media posts.
“IT teams should caution employees about clicking on links or attachments from Olympics-related emails,” Lastline co-founder and chief architect Engin Kirda told SC Media. “It is also always a good idea to use the latest technologies for preventing cyber-attacks like behaviour-based detectors (such as sandboxes) to check attachments for exploits that may infect a system.”