Winter Olympics Gold Medal for False Flag Goes to … ?


Researchers: To Foil Attribution, Attackers Planted Code Previously Tied to Lazarus Group

Spear-phishing document tied to “Olympic Destroyer” malware distribution (Source: Kaspersky Lab)

Whoever unleashed malware built to disrupt last month’s Winter Olympics in Pyeongchang, South Korea, designed it to look like it had been executed by a group of hackers tied to North Korea.


Security researchers at Moscow-based security firm Kaspersky Lab say that numerous clues point to attackers having run “an intricate false flag operation” by planting code previously seen in attacks tied to a hacking group called Lazarus.

The U.S. government, among others, says that Lazarus – also known as APT37, Group 123, Hidden Cobra and Reaper – is tied to the Pyongyang-based government of North Korea. The group has also been fingered as being behind numerous high-profile attacks against banks and cryptocurrency exchanges, including the 2016 heist of $81 million from the central bank of Bangladesh’s account at the Federal Reserve Bank of New York, perpetrated via fraudulent SWIFT interbank money-moving messages (see Bankshot Trojan Targets Turkish Financial Sector).

The malware used against the Olympic Winter Games, named “Olympic Destroyer” by researchers, wreaked havoc just before the opening ceremonies, including disrupting attendees’ ability to print tickets or use WiFi. At the time, the International Olympic Committee confirmed to Information Security Media Group that the disruptions “were caused by a cyberattack.” But the IOC refused to speculate about who might have launched the attack (see Attribution Games: Don’t Rush to Blame).

Further complicating any attempt to attribute the attack: Vitaly Kamluk, head of the APAC research team at Kaspersky Lab, said at the firm’s Security Analysts Summit last week that he believes that Olympic Destroyer was designed to be a false flag operation.

“We can say with 100 percent confidence that the attribution to Lazarus is false,” he told summit attendees, the Register reports.

Costin Raiu, director of Kaspersky Lab’s global research and analysis team, says the “subtle false flag” may well have been designed to sow doubt and confusion over the attackers’ identity and future efforts to attribute any malware attacks to a specific group or nation-state.

Among the false flags, Olympic Destroyer includes a rich header – an undocumented structure created whenever code gets generated in Microsoft Visual Studio – that is identical to Bluenoroff malware previously tied to Lazarus. Many malware researchers look at rich headers to help determine whether or not code matches previously seen samples.

But Kaspersky Lab has concluded that the rich header in many versions of Olympic Destroyer malware was forged, having been “deliberately copied from the Bluenoroff samples,” in part because it has no connection to the contents of the binary file in which it appears.
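One way to test whether a rich header belongs to the binary it sits in, added here as an example rather than anything from Kaspersky Lab's own tooling: the key stored after the "Rich" marker is a checksum of the file's own DOS header and stub plus its @comp.id entries, so a block copied verbatim from another sample will not recompute. The DOS stub bytes, @comp.id values and helper names below are constructed for the example.

```python
import struct
DANS = struct.unpack("<I", b"DanS")[0]   # marker opening the Rich header (stored XOR key)

def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(head, entries):
    # Key = offset of DanS + each preceding byte (bar e_lfanew) rotated by its offset + each comp_id rotated by its count
    cksum = len(head)
    for i, b in enumerate(head):
        if not 0x3C <= i < 0x40:
            cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum

def parse_rich_header(data):
    # Returns (dans_offset, key, [(comp_id, count), ...]) or None if no Rich header is found
    end = data.rfind(b"Rich")
    if end < 0x40 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    pos = end - 4
    while pos >= 0x40 and struct.unpack_from("<I", data, pos)[0] != DANS ^ key:
        pos -= 4
    if pos < 0x40:
        return None
    entries = [tuple(v ^ key for v in struct.unpack_from("<II", data, off))
               for off in range(pos + 16, end, 8)]    # skip DanS + three padding dwords
    return pos, key, entries

def rich_header_consistent(data):
    parsed = parse_rich_header(data)   # None when the file carries no Rich header
    return None if parsed is None else rich_checksum(data[:parsed[0]], parsed[2]) == parsed[1]

def build_rich_header(head, entries):
    # Constructed stand-in for the linker: emit a valid Rich header for 'head'
    key = rich_checksum(head, entries)
    out = bytearray(head) + struct.pack("<IIII", DANS ^ key, key, key, key)
    for comp_id, count in entries:
        out += struct.pack("<II", comp_id ^ key, count ^ key)
    return bytes(out + b"Rich" + struct.pack("<I", key))

# Constructed sample: a binary with its own Rich header, and a second host (DOS stub 16 bytes longer) into which that Rich block was pasted verbatim
STUB = b"MZ" + bytes(62) + b"This program cannot be run in DOS mode.\r\n$"   # minimal DOS header + stub
ENTRIES = [(0x00930000 | 0x5D6E, 7), (0x00950000 | 0x5D6E, 2)]          # constructed @comp.id values
GENUINE = build_rich_header(STUB.ljust(128, b"\0"), ENTRIES)
RICH_BLOCK = GENUINE[parse_rich_header(GENUINE)[0]:]
FORGED = STUB.ljust(144, b"\0") + RICH_BLOCK
```

`rich_header_consistent(GENUINE)` returns True and `rich_header_consistent(FORGED)` returns False, because the pasted key no longer matches the host's own header bytes; a mismatch like this is a cheap first check before comparing rich headers across samples.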

“It is not possible to completely understand the motives of this action, but we know for sure that the creators of Olympic Destroyer intentionally modified their product to resemble the Bluenoroff samples produced by the Lazarus group,” Kaspersky Lab says.

The security firm adds that while Olympic Destroyer was designed to wait for 60 minutes before shutting an infected PC down and leaving it unbootable, its researchers have now found a subsequent version in which the time delay was removed. This version appears to have been unleashed after the main attack began, suggesting that “the attackers were probably in a rush and didn’t want to wait before shutting down the systems” at additional targets.

In the later version of the malware, however, the attackers failed to fake the rich header information by cutting and pasting the version from Bluenoroff, the Kaspersky Lab researchers say.

Spear-Phishing Emails

Previous researchers have detailed how the Olympic Destroyer malware functioned (see Hackers Win Olympic Gold Medal for Disruption).

In its latest research, meanwhile, Kaspersky Lab reports that the malware appears to have been carried by spear-phishing emails with a Winter Olympics theme that in some cases were addressed to “” – and cc’d to victims. The emails, which first began appearing last December, carried malicious Microsoft Office attachments.

Spear-phishing email tied to Olympic Destroyer malware distribution appears to have been sent from South Korea’s National Counter-Terrorism Center, but the sender’s actual server IP address ties to a server in Singapore. (Source: Kaspersky Lab)

“The documents contained nothing but slightly formatted gibberish to make it look like the text had an encoding problem, encouraging the user to press a button to ‘enable content,'” Kaspersky Lab says.

Screenshot of attachment from a spearphishing email (Source: Kaspersky Lab)

“When the victim ‘enables content,’ the document starts a cmd.exe with a command line to execute a PowerShell scriptlet that, in turn, downloads and executes a second stage PowerShell scriptlet and, eventually, backdoors the system,” after which wiper malware gets unleashed, it adds.
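A process-ancestry check for the chain just quoted (Office application, then cmd.exe, then PowerShell), added here as an example and not taken from Kaspersky Lab; the event records, pids, paths and field names are constructed and mimic the fields of Sysmon process-creation events.

```python
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def image_name(path):
    # Normalise a Windows image path to its lower-case file name
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_shell_chains(events, max_depth=4):
    # For every powershell.exe, walk its parents (up to max_depth hops) and report the chain
    # when it reaches an Office application through cmd.exe; returns pid lists, root first
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) != "powershell.exe":
            continue
        chain, cur = [e], e
        for _ in range(max_depth):
            cur = by_pid.get(cur["ppid"])
            if cur is None:
                break
            chain.append(cur)
            if image_name(cur["image"]) in OFFICE_APPS:
                names = [image_name(c["image"]) for c in chain]
                if "cmd.exe" in names[1:-1]:
                    hits.append([c["pid"] for c in reversed(chain)])
                break
    return hits

# Constructed process-creation events (Sysmon Event ID 1 fields, trimmed): one chain matching
# the description above and one benign PowerShell session launched directly from Explorer
SAMPLE_EVENTS = [
    {"pid": 3020, "ppid": 1200, "image": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 3020, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4230, "ppid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5010, "ppid": 3020, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
```

Run over the sample, the function flags only the document-launched chain as `[4100, 4188, 4230]` and ignores the interactive PowerShell session.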

“The only apparent links between this email campaign and Olympic Destroyer would have been the target; however, we managed to discover a couple of connections between this weaponized document and the attack in Pyeongchang which makes us believe they are related,” Kaspersky Lab says, citing partially redacted IP addresses, email addresses and virtual server registrant details.

The security firm says it’s shared that information with law enforcement agencies.

Olympic Destroyer Includes Reused Code

An analysis of the Olympic Destroyer malware was first published by information security researchers at Cisco’s Talos group, who also studiously avoided attributing the attack to any group or nation. Other security researchers noted that code in the malware had been seen in previous attacks tied to multiple groups, including those with apparent ties to not just North Korea but also China and Russia.

Malicious code reuse does not a smoking gun make. Anyone can cut and paste attack code. Knowing who was sitting behind the keyboard, however, is an entirely different matter and often requires “sources and methods” – government-speak for not just technical but also highly sensitive human intelligence of the type gathered by spy agencies (see Beyond a Reasonable Doubt? Assessing Kremlin’s Role in Hack).

Motive: Plausible Deniability

Security firms continue to caution that just because code appears in malware, that doesn’t mean that an attack has been launched by the same group.

On Feb. 26, Cisco Talos published a blog post titled, “Who Wasn’t Responsible for Olympic Destroyer?”

“The threat actor responsible for the attack has purposefully included evidence to frustrate analysts and lead researchers to false attribution flags,” write Cisco Talos researchers Paul Rascagneres and Martin Lee.

Example press quotes suggesting attribution for Olympic Destroyer (Source: Cisco Talos)

That subterfuge could be designed to give the actual attacker plausible deniability if different security firms rushed to attribute based on code samples. “This false attribution could embolden an adversary to deny an accusation, publicly citing evidence based upon false claims by unwitting third parties,” the researchers write. “This must force one to question purely software-based attribution going forward.”

Attribution Follies

The difficulty – and geopolitical dangerousness – of attributing malware to any specific group or nation-state has led many security experts to argue that attribution is best left to governments. Furthermore, experts say, in the wake of any hack attack, breached businesses are better off devoting resources to identifying what happened and preventing a recurrence (see Breach Attribution and ‘Hack Back’: Don’t Waste Time).

For governments, publicly attributing an attack is a diplomatic matter (see Trump Administration: ‘North Korea Launched WannaCry’).

In rare cases, attribution has been included in U.S. criminal indictments filed against individuals who allegedly participated in nation-state attacks, including Chinese nationals for hacks of the health insurance company Anthem and the U.S. Office of Personnel Management, as well as 13 Russian individuals and three organizations charged with running a social media manipulation campaign designed to interfere in the U.S. political process (see Anatomy of a Russian Information Warfare Campaign).

It’s unlikely that the indicted individuals will ever see the inside of a U.S. court room, provided they don’t attempt to vacation in or travel via countries that have extradition treaties with the U.S. But such indictments do appear to be a U.S. government attempt to at least hold foreign governments and their alleged agents publicly accountable for hack attacks (see Putin Offers Extradition Promise to US: ‘Never’).

Hackers Win Olympic Gold Medal for Disruption


Researchers Say Destructive Wiper Dubbed ‘Olympic Destroyer’ Hits Pyeongchang

Photo: IOC

Hackers have crashed the Winter Olympics, apparently by using destructive malware.


On Friday, shortly before the opening ceremonies of the Olympic Winter Games in South Korea, the official Pyeongchang 2018 site stopped working, leaving attendees unable to print tickets. In addition, the WiFi in Pyeongchang Olympic stadium stopped working, as did televisions and internet access in the main press center, the Guardian first reported. It said the website wasn’t restored until 12 hours later, on Saturday morning.

“We can confirm that the technology issues experienced on Friday night were caused by a cyberattack,” a spokesman for the International Olympic Committee tells Information Security Media Group.

“The situation was quickly dealt with and as a result, all systems have remained stable and no competitions were ever affected. They continue to run smoothly.”

The Winter Olympics run from Feb. 9 to 25 in Pyeongchang, South Korea.

In the run up to the Olympics, officials in South Korea voiced concerns that North Korea might attempt to disrupt the games via hack attacks. But North Korea is participating in the games, and it sent a delegation led by Kim Yo Jong, the younger sister of leader Kim Jong Un, who immediately made diplomatic overtures to Seoul.

Members of the North Korean delegation (DPRK) arrive at the Gangneung Village – South Korea’s Olympic village in Pyeongchang. (Photo: Dave Thompson/IOC)

Two security firms report that they have recovered copies of the malware used in the attack.

Attribution Games

Some commentators were quick to suggest that individuals affiliated with Russia would be obvious suspects behind the online attack, with the International Olympic Committee having banned Russian athletes from competing because of doping violations. Others, however, say they have recovered malware previously used by hackers tied to China.

Multiple information security experts have cautioned that attempting to attribute the attacks now – or potentially in the future – is irresponsible, noting that early reports on cyberattack attribution are wildly unreliable and often distract from the fact that the affected organizations failed to maintain proper information security defenses (see Ransomware Report: Is China Attribution Merely Hype?).

For their part, Olympics organizers refused to speculate.

“There was a cyberattack and the server was updated yesterday during the day and we have the cause of the problem,” Pyeongchang 2018 spokesman Sung Baik-you told reporters on Sunday, adding that attempted disruptions were not unusual during the Olympic Games.

“We are not going to reveal the source,” he said. “We are taking secure operations and, in line with best practice, we’re not going to comment on the issue because it is an issue that we are dealing with.”

Outside Analysis: Wiper Malware Suspected

Information security researchers at Cisco’s Talos group say they identified the malware used in the attack “with moderate confidence” although they say it’s unclear how the malicious code infected IOC systems.

“The samples identified, however, are not from adversaries looking for information from the games but instead they are aimed to disrupt the games,” Talos security researchers Warren Mercer and Paul Rascagnères write in a Monday blog post. “The samples analyzed appear to perform only destructive functionality. There does not appear to be any exfiltration of data.”

They say the malware is designed to delete shadow copies in Windows and to spread via PsExec (psexec.exe) and Windows Management Instrumentation (wmic.exe), which are legitimate tools built into Windows. Such functionality has been seen with both the NotPetya and BadRabbit attacks (see Teardown of ‘NotPetya’ Malware: Here’s What We Know).

The researchers say the first stage of what they dubbed as “Olympic Destroyer” malware drops multiple executable files onto an infected system, including a browser credential stealer – designed to retrieve stored credentials. It also drops a system credential stealer designed to steal legitimate credentials from Windows Local Security Authority Subsystem Service, or LSASS, in a technique that resembles one used by Mimikatz, an open source Windows security tool, they say.

During the initial infection stage, the malware also attempts to move laterally across the network by copying itself to remote systems reachable via the network. “The malware author knew a lot of technical details of the Olympic Game infrastructure, such as username, domain name, server name and obviously password,” the researchers write. “We identified 44 individual accounts in the binary.”

Hardcoded credentials found in the Olympic Destroyer malware. (Source: Cisco Talos)

The initial infection also drops a destructive wiper on the infected system designed to delete backup files, leave systems unbootable and then shut down.

The attack appears to have been highly targeted. “Basically it’s another automated lateral movement wiper, which absolutely intends to make systems unbootable and wipe backups. Interesting they hard coded credentials – stops it spreading around world,” tweets U.K.-based information security researcher Kevin Beaumont.

Likely Goal: Embarrassment

The Cisco Talos researchers say attackers likely gained access to the targeted environment before unleashing the wiper to ensure they could time it to coincide with Friday’s opening ceremony.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” they write.

Meanwhile, Darien Huss, a targeted threat researcher at Proofpoint, says that one of the filenames in the malware is “evtchk.txt,” which also appeared in the malware that was used to hack the central bank of Bangladesh, as documented in April 2016 by Sergei Shevchenko, a security researcher at BAE Systems (see Report: DOJ Sees Bangladesh Heist Tie to North Korea).

“Maybe just a coincidence though,” Huss says.

Signs of Credential Gathering

Some researchers say attackers affiliated with Russia have recently been seen gathering credentials for organizations tied to the Winter Olympics.

“In November and December 2017, CrowdStrike Intelligence observed credential harvesting activity against an entity operating in the international sporting sector and attributed it to Russian threat actor Fancy Bear with medium confidence,” Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, tells Information Security Media Group.

Fancy Bear is the company’s name for a group of APT attackers – also known as APT28, Group 74, Pawn Storm, Sofacy, Strontium and Tsar Team – with apparent ties to Russia’s GRU military intelligence unit (see Microsoft Battles Fancy Bear Hackers – With Lawyers).

Meyers says CrowdStrike also recovered the wiper malware that appears to have been used in the Friday attack. He says that while the malware was first spotted on Friday, it has a build timestamp of Dec. 27, 2017, and contains hardcoded credentials that “belong to multiple target entities involved in running computer and network infrastructure for the Olympic Winter Games.”

But there’s no direct evidence that the credential harvesting attacks CrowdStrike witnessed were used to build the targeted wiper malware. “While there is currently no confirmed connection between this activity and the destructive attack, a similar reconnaissance phase was likely carried out in preparation of this recent operation,” Meyers said.

This story has been updated with revised commentary from CrowdStrike.