Olympic Destroyer: Calculated Provocation or an Amateur's best shot?

An attempted cyberattack tried to disrupt the Winter Olympics before the Games had officially started. Details about the intrusion and attempted attack during the opening ceremonies are still sparse but the malware used in the incident, first written about by the Talos Security team, gives some clues about what the South Koreans are dealing with.

The malware, dubbed Olympic Destroyer by Talos, was designed for CNA, and while some systems were affected (Wi-Fi at Pyeongchang Olympic Stadium and in the press room stopped working and the Winter Olympics website and some television systems were offline), these incidents didn’t equal a successful payload execution. There was no serious destruction.

Also, the program was incredibly noisy in the way it attempted destroy systems. It relied on widely used techniques to propagate, operates using command lines rather than more standard system APIs and wasn’t a worm like other high-profile wiping attacks in 2017.

In stark contrast to the simplicity of the destructive element, the network propagation element is unique as the malware “dynamically updates this list after using the password stealers. A new version of the binary is generated with the newly discovered credentials,” according to Talos. Additionally, the malware treats endpoints and servers differently and attempts to do far more damage to servers than to endpoints. This information leads to three likely scenarios for motivation and attribution.

Someone got lucky. The level of sophistication in the destructive payload indicates a clunky piece of malware and a relatively low chance of success against the Games’ well-defended network. This attempted attack was probably the closest a glory seeker has come to pulling off a major cyberdisruption at the Olympics. Dumb luck accounts for a lot of hacking and a plausible scenario is that a relatively unknown hacker(s) managed to get network access and let loose the best tool they had for operating without a stable interactive session. The use of command line arguments rather than stealthier API calls increased the likelihood of detection, but also made the coding easier.

Russia brought it's C game. This combination of sophisticated propagation and access coupled with a substandard destructive payload fits with how the Russians carried out the NotPetya attack. Given the failure of January’s Fancy Bear’s doxing when a Russia-linked group published emails allegedly from the International Olympic Committee and the United States Olympic Committee, the actors behind that attack may have decided to increase their level of activity to achieve their mission. Rather than burning tools and attributed capabilities, they went quick and dirty and coded something that had the potential to work as intended and change the narrative around Russian doping and the country’s ban from the Winter Olympics. Interrupting the Games’ broadcast would obviously be the gold standard, but failing to achieve this goal has done more to change the stories news outlets are reporting than Fancy Bears’ release of sensitive IOC and USOC emails.

Misdirection cannot be ruled out. The likelihood of the malware causing serious destruction was low given how noisy the destructive module of the program is and the well-documented patterns it exhibits. A good security team responds by preventing significant harm, and that’s exactly what happened in South Korea.

However, the nature of the attack and the unanswered questions around how the network was infiltrated, raises the possibility that this was a test and an attempt to draw resources away from the true target. Also, how the attack targeted endpoints and servers differently would allow other implants on the endpoint to survive while “destroying” the network. A defender’s time is finite and dealing with an attack that tries to destroy computers is going to jump to the top of any incident responder's list for remediation and investigation. The attack during the opening ceremonies has the potential to set the stage for a better, more sophisticated attack in the future that might have otherwise been thwarted.

South Korean defenders are good and lucky

As details emerge we will know more about who conducted the attack and how severe the network penetration was. One thing we’ve already know is that the South Koreans are both lucky and good. A more covert payload would have likely been more effective, but responding to this threat in real time and preventing it from having a serious impact shows how dialed in the South Korean defenders are.

Ross Rustici and Amit Serper
About the Author

Ross Rustici and Amit Serper

Analysis from Researchers Ross Rustici and Amit Serper.