The PyeongChang 2018 Olympic Winter Games closes this weekend, having been repeatedly targeted by malicious cyber-attacks, along with several organisations associated with the Games. But the threat is far from over as it has now been claimed that the attacks are part of be an escalating threat set to impact organisations worldwide.
The original attacks saw malicious Microsoft Word documents being sent as attachments to emails masquerading as originating from the South Korean National Counter-Terrorism Center (NCTC), but now CyberInt says they are the work of a single threat actor who will continue to pose an ongoing threat long after the PyeongChang games have ended.
During Cyberint's investigation, all of the scripts executed were observed as beaconing to the same C2 domain ‘napoleon.smart.cl:443' on the Chilean IP address '220.127.116.11'. Aside from the other similarities in the lure and initial obfuscated code, this is seen as a strong indicator that the campaign is being coordinated and operated by the same threat actor.
Additionally, the domain 'patiolareina.cl' was observed as hosting two instances of the PowerShell script that references the C2 server 'minbodegaslock.cl' albeit located in a slightly path:
Based on these findings, Cyberint concluded that the threat actor responsible for the reported attack in December 2017 against organisations associated with the PyeongChang 2018 Olympic Winter Games likely tested their methods prior to the attack and currently has infrastructure in place, along with the recently detected lure, to continue their campaign against relevant targets.
Given this, users should be reminded to exercise caution when receiving unsolicited or suspicious attachments as well as taking heed of security alerts such as those displayed by Microsoft Word. Furthermore, infrastructure owners may wish to monitor their environments for any communication involving the IP addresses and hosts identified above as these may serve as an indication of compromise.
“Although these attacks have so far been aimed at organisations associated with the Winter Games, all the evidence now points to these being a carefully orchestrated attacks which will continue to pose a potential ongoing threat to all types of organisations in all geographies,” says CyberInt vice-president Elad Ben-Meir.