Olympic Games target of malware, again

Posted by   Martijn Grooten on   Feb 15, 2018

The organisers of the Pyeongchang Winter Olympics have confirmed a malware attack against their computer systems. Though the attack affected the Wi-Fi during Friday's opening ceremony and knocked the event's website offline for a few hours, no permanent damage appears to have been done.

Cisco Talos researchers Warren Mercer and Paul Rascagneres have performed a thorough analysis of the malware, which is noteworthy because of the way in which it handles stolen credentials: after stealing credentials from various locations on the system, the binary is patched with these new credentials added to the existing list. The malware then uses the legitimate PsExec tool to move laterally within the target network. The abuse of PsExec for lateral movement isn't new; we have seen it used, for instance, in (Not)Petya.

The attack may be related to a reconnaissance attack against Atos, the Olympics' IT provider, a few months before the start of the Games. Interestingly, at VB2017 in Madrid, Warren and Paul spoke about such reconnaissance attacks.

Another analysis of the malware was performed by researchers at Endgame, who looked at how another legitimate tool, notepad.exe, was leveraged for shellcode injection.

It doesn't take a great insight into geopolitics to think of some obvious nation states that might be behind the attack. But even Recorded Future – which, unlike many other security firms, often doesn't hesitate to link a malware attack to a particular group or nation state – says the attack remains unattributed.

olympic-2.jpg

This isn't the first time that the Winter Olympics has been the target of a malware attack. 24 years ago, the Lillehammer Olympics were both the subject and the suspected target of the 'Olympic' or 'Olympic Aids' virus, though in the end it turned out that the destructive virus had not infected the computer systems used by the organisation.

In March 1994, Mikko Hyppönen of F-Secure (then known as Data Fellows) wrote an analysis of the virus for Virus Bulletin. We republished it in 2016 in both HTML and PDF formats and thought it worth highlighting again.

Back in 1994, attribution was easy, as the typical virus was written as an 'ego trip for [a] gang of teenagers'. The 'Olympic' virus was written by the Sweden-based 'Immortal Riot' crew.

As far as I know, in 1994, there was no doping scandal involving Swedish athletes, and the separation of the Olympics organising country, Norway, from Sweden in 1905 was not considered a politically sensitive issue. 

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

VB2018 paper: The dark side of WebAssembly

Today, we publish the VB2018 paper by Symantec researchers Aishwarya Lonkar and Siddhesh Chandrayan on the security risks that come with WebAssembly.

The Virus Bulletin conference returns home: VB2019 to take place in London

In 2019, the Virus Bulletin conference is set to return home, with VB2019 taking place in London, UK.

Guest blog: The case for increasing transparency in cybersecurity

In a guest blog post, Kaspersky Lab's Anton Shingarev considers the case for increasing transparency in cybersecurity.

VB2018 preview: Workshops

Workshops make their VB Conference debut during VB2018, giving delegates the opportunity to learn the basics of kernel-level malware analysis, Android reverse-engineering and artificial intelligence.

New article: Through the looking glass: webcam interception and protection in kernel mode

Today we publish a short article by Ronen Slavin and Michael Maltsev, researchers at Reason Software Company, who dive into the video capturing internals on Windows, and explain how this can be used by a malicious actor to steal images recorded by a…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.