Olympic Destroyer widens sphere of interest

The APT actor shows interest in finances and biochemical threat prevention and research.

This time they are targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in the Netherlands, Germany, France, Switzerland, and Ukraine.

It appears that Olympic Destroyer, an advanced threat actor that was trying to sabotage the 2018 Winter Olympic Games, in South Korea, has returned. Our experts recently found traces of activity similar to Olympic Destroyer, but this time they are targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in the Netherlands, Germany, France, Switzerland, and Ukraine.

What is the trouble?

The original Olympic Destroyer used very sophisticated methods of deception. First, it used very convincing decoy documents loaded with hidden malware. Second, it implemented obfuscation mechanisms to hide its tools from protective solutions. And most peculiar, it used various false flags to complicate threat analysis.

What we’re seeing with this new threat is a new breed of spear-phishing documents, with payload that resembles the original Olympic Destroyer’s tools. There are no signs of a worm yet, but documents we’ve seen thus far may be symptomatic of a reconnaissance stage (just as in 2017, a reconnaissance stage preceded the cybersabotage). Technical information about malware and its infrastructure, along with indicators of compromise, can be found in this Securelist post.

New interests

The real news here is the new malware’s targets. Our analysis of the decoy letters shows that this time, the cybercriminals are trying to infiltrate biological- and chemical-threat-prevention laboratories. Among their new targets are also Russian financial organizations — although the financial focus may be just another false flag.

In addition to obfuscated scripts, the documents contain references to “Spiez Convergence” (a conference held in Switzerland for biochemical-threat researchers), the nerve agent presumed to be used to poison Sergei Skripal and his daughter in England, and Ukrainian healthcare ministry orders.

What it means to your business

Usually, when we talk about threats that spread by phishing, our first advice is to be more mindful about opening suspicious documents. Unfortunately, that would not work in this case — the documents are not suspicious.

Decoys created for this spear-phishing attack are tailored to be relevant to the victim, and so all we can advise for biochemical-threat-prevention and -research companies and organizations in Europe is to run unscheduled security audits. Oh, and install reliable protective solutions. Our products detect and block Olympic Destroyer–related malware.