Olympic Games target of malware, again

Posted by   Martijn Grooten on   Feb 15, 2018

The organisers of the Pyeongchang Winter Olympics have confirmed a malware attack against their computer systems. Though the attack affected the Wi-Fi during Friday's opening ceremony and knocked the event's website offline for a few hours, no permanent damage appears to have been done.

Cisco Talos researchers Warren Mercer and Paul Rascagneres have performed a thorough analysis of the malware, which is noteworthy because of the way in which it handles stolen credentials: after stealing credentials from various locations on the system, the binary is patched with these new credentials added to the existing list. The malware then uses the legitimate PsExec tool to move laterally within the target network. The abuse of PsExec for lateral movement isn't new; we have seen it used, for instance, in (Not)Petya.

The attack may be related to a reconnaissance attack against Atos, the Olympics' IT provider, a few months before the start of the Games. Interestingly, at VB2017 in Madrid, Warren and Paul spoke about such reconnaissance attacks.

Another analysis of the malware was performed by researchers at Endgame, who looked at how another legitimate tool, notepad.exe, was leveraged for shellcode injection.

It doesn't take a great insight into geopolitics to think of some obvious nation states that might be behind the attack. But even Recorded Future – which, unlike many other security firms, often doesn't hesitate to link a malware attack to a particular group or nation state – says the attack remains unattributed.

olympic-2.jpg

This isn't the first time that the Winter Olympics has been the target of a malware attack. 24 years ago, the Lillehammer Olympics were both the subject and the suspected target of the 'Olympic' or 'Olympic Aids' virus, though in the end it turned out that the destructive virus had not infected the computer systems used by the organisation.

In March 1994, Mikko Hyppönen of F-Secure (then known as Data Fellows) wrote an analysis of the virus for Virus Bulletin. We republished it in 2016 in both HTML and PDF formats and thought it worth highlighting again.

Back in 1994, attribution was easy, as the typical virus was written as an 'ego trip for [a] gang of teenagers'. The 'Olympic' virus was written by the Sweden-based 'Immortal Riot' crew.

As far as I know, in 1994, there was no doping scandal involving Swedish athletes, and the separation of the Olympics organising country, Norway, from Sweden in 1905 was not considered a politically sensitive issue. 

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New paper: LokiBot: dissecting the C&C panel deployments

First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. In a new paper researcher Aditya Sood analyses the…

VB2019 presentation: Building secure sharing systems that treat humans as features not bugs

In a presentation at VB2019 in London, Virtru's Andrea Limbago described how, by exploring data sharing challenges through a socio-technical lens, it is possible to make significant gains toward the secure sharing systems and processes that are vital…

VB2019 presentation: Attor: spy platform with curious GSM fingerprinting

Attor is a newly discovered cyber-espionage platform, use of which dates back to at least 2014 and which focuses on diplomatic missions and governmental institutions. Details of Attor were presented at VB2019 in London by ESET researcher Zuzana…

Why we encourage newcomers and seasoned presenters alike to submit a paper for VB2020

With the call for papers for VB2020 currently open, we explain why, whether you've never presented before or you're a conference circuit veteran, if you have some interesting research to share with the community we want to hear from you!

VB2019 paper: The cake is a lie! Uncovering the secret world of malware-like cheats in video games

At VB2019 in London, Kaspersky researcher Santiago Pontiroli presented a paper on the growing illegal economy around video game cheats and its parallels with the malware industry. Today we publish both Santiago's paper and the recording of his…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.