Olympic Destroyer: who hacked the Olympics?

Experts from Kaspersky Lab studied digital evidence related to the hacking attack on the 2018 Olympics in search of the actual attacker.

Experts from Kaspersky Lab presented their study of the cyberattack on the 2018 Olympic Games at the Security Analyst Summit.

Long ago, during the Olympic Games, the participating countries halted their wars and put aside their political disputes. Today, the opposite is increasingly likely. The PyeongChang Winter Olympic Games started with a scandal: unknown hackers attacked the servers just before the opening ceremonies and many spectators were unable to attend the ceremonies as they were unable to print out tickets.

As a result of the attack, malware dubbed the Olympic Destroyer took down the official Olympics website and Wi-Fi at the stadium as well as affecting broadcasts of the event. The Organizing Committee gave assurances that there would be no serious consequences, but the uproar was no laughing matter. So, it would be really interesting to find out what exactly happened and who was behind it.

How the Olympic Destroyer works

In terms of its propagation mechanism, the Olympic Destroyer is a network worm. Our experts discovered at least three launch pads that were initially infected and then used to propagate the worm: they included pyeongchang2018.com, network servers of the ski resorts and servers of Atos, the IT service provider.

From these platforms, the worm was automatically propagated in the network through Windows network shares. Along the way it stole passwords saved on infected computers, wrote them into itself and used them for subsequent propagation. The ultimate objective of the Olympic Destroyer was to purge files from network drives that the worm could reach and shut down the systems it infected.

Who spoiled the party?

Journalists and bloggers churned out rumors about who tried to disrupt the opening ceremonies of the Olympic Games and why. North Korea was suspect even before the Games started: North Koreans were allegedly spying on the Organizing Committee’s computers.

Then, naturally, suspicion fell on Russians: after all, only select members of the Russian team were allowed to compete under severe restrictions and the national flag was banned. But when the investigators detected similarities between the Olympic Destroyer and malware made by Chinese cyber criminals, suspicion shifted to China.

Kaspersky Lab carries out an investigation

While the general public speculated, cyber security experts continued to hunt for evidence. Kaspersky Lab also carried out its own investigation.

At first, like many others, our experts suspected North Korean cyber criminals, more specifically, the Lazarus Group. After studying a sample of the Olympic Destroyer, the researchers found a series of digital fingerprints pointing directly to Lazarus as the author.

However, as our experts dug deeper, they found more and more discrepancies. After a thorough re-evaluation of all discovered “exhibits” and a detailed study of the code, they realized that what appeared to be conclusive evidence was actually a skillful imitation — a so called false flag.

On top of this, when our experts were studying the Olympic Destroyer, they discovered some evidence pointing to a totally different author — the Russian-speaking hacker group Sofacy (also known as APT28 and Fancy Bear). However, we cannot rule out the possibility that this evidence is also false. When it comes to top-level cyber espionage, you can never be 100% sure of anything.