What Can We Learn from the Olympic Destroyer Malware?

Tuesday, February 20, 2018
Olympic Destroyer Cyber Threat

By now we are all aware of the commotion that ensued behind the scenes of the opening ceremonies of the Pyeongchang Olympics. Organizers have indeed confirmed an attack on non-critical computer systems. For approximately 12 hours on Friday, the Olympic networks were down due to the attacks. WiFi networks were affected, reporters at the ceremony were impacted and services were disrupted, leaving the website down and tickets unprintable. So, what does this mean?

For starters, someone targeted the opening ceremonies with the intent to disrupt. There are multiple theories out there placing blame. One could sit down and consider who might have something to gain by such tactics. Are they content with the results or hungry for more? One clear point has stood out from the analysis provided thus far, and that is … it could have been worse.

Samples associated with the event have been recovered and attributed to it with moderate confidence. It is clear from these samples that hard-coded credentials indicate targeting of the Olympic organization. The malware is being labeled a wiper, but with a pretty clear distinction. Typical wiper malware targets the files on the system on which it resides. In the case of Olympic Destroyer, files on remote servers appear to be the target. Additionally, the malware attempts to spread fast throughout the targeted network using stolen credentials. As for the systems themselves, the malware did indeed aim to destroy. Shadow copies deleted, recovery disabled and all services turned off are some of the big effects of the malware before the system is shut down.
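The destructive sequence described above (shadow copies deleted, recovery disabled, services turned off) is visible in process-creation telemetry long before the system shuts down, and the combination of those actions on one host is a much stronger signal than any one of them alone. The following is an added detection example written for this post; it is not code from Fidelis or from the Talos analysis. It assumes that the effects appear in command lines through the standard Windows utilities for those operations (vssadmin, wbadmin, bcdedit, sc); the log format and every sample line are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation log lines in a simple key=value format.
# These are NOT real Olympic Destroyer telemetry; the hosts, users and
# commands are invented to exercise the rules below.
SAMPLE_LOGS = [
    r'host=PC-01 user=svc_ops image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'host=PC-01 user=svc_ops image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin.exe delete catalog -quiet"',
    r'host=PC-01 user=svc_ops image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"',
    r'host=PC-01 user=svc_ops image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
    r'host=PC-02 user=alice image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
    r'host=PC-01 user=svc_ops image=C:\Windows\System32\sc.exe cmdline="sc.exe config Spooler start= disabled"',
]

# One rule per destructive effect named in the post. The command forms are an
# assumption about how each effect typically shows up in command-line telemetry.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic.*shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog",
        re.IGNORECASE,
    ),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.IGNORECASE,
    ),
    "service_disabled": re.compile(
        r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled",
        re.IGNORECASE,
    ),
}


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into fields; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (line, rule) match, keyed by host and category."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        cmdline = fields.get("cmdline", "")
        for category, pattern in RULES.items():
            if pattern.search(cmdline):
                findings.append({
                    "host": fields.get("host", "?"),
                    "user": fields.get("user", "?"),
                    "category": category,
                    "cmdline": cmdline,
                })
    return findings


def hosts_with_destructive_chain(findings: List[Dict[str, str]],
                                 min_categories: int = 2) -> Dict[str, List[str]]:
    """Flag hosts where at least `min_categories` distinct destructive actions were seen.

    A lone shadow-copy deletion can be legitimate backup maintenance; several
    distinct anti-recovery actions on one host look like wiper preparation.
    """
    by_host: Dict[str, set] = {}
    for finding in findings:
        by_host.setdefault(finding["host"], set()).add(finding["category"])
    return {host: sorted(cats) for host, cats in by_host.items()
            if len(cats) >= min_categories}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for f in found:
        print(f"{f['host']} {f['user']} {f['category']}: {f['cmdline']}")
    print("hosts with destructive chain:", hosts_with_destructive_chain(found))
```

Each rule on its own is noisy; the correlation step is the part worth keeping, since it ties the separate effects the post lists back to a single host and distinguishes a wiper's preparation from routine administration.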

While the initial infection vector is still unknown, there were likely multiple factors affecting the success of the attack. Educating users to look for unusual emails, reminding them not to open anything suspicious and encouraging them to report will always be a mainstay in any defensive arsenal. Knowing your enemies and keeping well-informed of their techniques and tactics is also critical in understanding who might target your organization.

So who is a target? For this exact piece of malware, no one - unless you belong to the Olympic committee or utilize their computer systems. Could a similar piece of malware appear with a different target in mind? Absolutely. There have been multiple occasions where code reuse leads to quick turnaround on new variants. Keep in mind, however, the intent. It is rare to see destruction of this nature with such a laissez-faire attitude.

It is hard to say if this is indicative of additional attacks during the Olympics, but clearly the assailant has sent a message. There were clear indications in the analysis done by Talos that the attackers displayed incredible restraint in the method of destruction. Perhaps they are satisfied at that - only time will tell.

- Fidelis Threat Research Team