Naming the culprit behind the cyber-attack that hit the 2018 Pyeongchang Winter Olympic Games during the opening ceremony will never be nailed down with 100 percent accuracy, but industry executives have gathered some circumstantial evidence is pointing toward a Russian group.
The primary reason Russia, or someone acting on that country's behalf, has been singled out is the fact that the International Olympic Committee (IOC) banned that nation from competing due to its athletes using illegal performance enhancing drugs during previous Olympic games. However, the IOC is allowing innocent Russian athletes to compete, but only under the Olympic, and not Russian, national flag.
“That certainly seems like a motive for someone inside Russia to disrupt the games,” Richard Henderson, Absolute Software's global security strategist, told SC Media.
French Caldwell, a former White House cyber-security advisor and current chief evangelist with MetricStream, pointed out that if you anger Russia in some manner being hit with a cyber-attack is always a possible result.
“From the public reports, one thing that stands out is that initial access was gained through compromised login information of accredited users. If you know you have the Russian government as your enemy, you know there is a likelihood that they or their proxies could attack – the question is how,” Caldwell told SC Media.
The games' organisers have confirmed that an attack did take place during the opening ceremonies on 9 February hitting several non-critical systems, including its internet and television systems. Cisco Talos confirmed that the incident took place saying that while the infection vector is unknown the malware was a destroyer as there is no evidence that it attempted to remove any data. The attackers used a list of system credentials to gain access.
Crowdstrike Intelligence said that in November and December of 2017 it had observed a credential harvesting operation operating in the international sporting sector. At the time it attributed this operation to Fancy Bear, but only with a medium level of confidence and Adam Meyers, CrowdStrike's VP of Intelligence, said there is no evidence connecting Fancy Bear to the Olympic attack.
There is other evidence pointing to Fancy Bear. It has already been credited with attacking an Olympic organisation. In September 2016 the World Anti-Doping Agency (WADA) stated that the group had hacked its systems and accessed athlete data, including confidential medical related to the Rio Games; and, subsequently released some of the data in the public domain, accompanied by the threat that they will release more.
Henderson also noted that the malware itself shares many similarities with the kind previously used by both Russia and China, but even that is not a true smoking gun.
“Of course, we can expect that various state-sponsored groups will learn from earlier campaigns and malware and integrate components into their future attacks, muddying the waters when it comes to being able to conclusively point the finger at one specific group,” he said.
Interestingly, South Korea's primary cyber-opponent, North Korea, is unlikely to be behind any attack as the country is using the games to help thaw relations with its southern neighbour. Several high-ranking North Korean officials, including North Korean leader Kim Jong Un's sister Kim Yo Jong and North Korea's nominal head of state Kim Yong Nam, attended the opening ceremony sitting with South Korean president Moon Jae-in. The two nation's athletes also marched together during the event.