Olympic Games target of malware, again

Posted by   Martijn Grooten on   Feb 15, 2018

The organisers of the Pyeongchang Winter Olympics have confirmed a malware attack against their computer systems. Though the attack affected the Wi-Fi during Friday's opening ceremony and knocked the event's website offline for a few hours, no permanent damage appears to have been done.

Cisco Talos researchers Warren Mercer and Paul Rascagneres have performed a thorough analysis of the malware, which is noteworthy because of the way in which it handles stolen credentials: after stealing credentials from various locations on the system, the binary is patched with these new credentials added to the existing list. The malware then uses the legitimate PsExec tool to move laterally within the target network. The abuse of PsExec for lateral movement isn't new; we have seen it used, for instance, in (Not)Petya.

The attack may be related to a reconnaissance attack against Atos, the Olympics' IT provider, a few months before the start of the Games. Interestingly, at VB2017 in Madrid, Warren and Paul spoke about such reconnaissance attacks.

Another analysis of the malware was performed by researchers at Endgame, who looked at how another legitimate tool, notepad.exe, was leveraged for shellcode injection.

It doesn't take a great insight into geopolitics to think of some obvious nation states that might be behind the attack. But even Recorded Future – which, unlike many other security firms, often doesn't hesitate to link a malware attack to a particular group or nation state – says the attack remains unattributed.


This isn't the first time that the Winter Olympics has been the target of a malware attack. 24 years ago, the Lillehammer Olympics were both the subject and the suspected target of the 'Olympic' or 'Olympic Aids' virus, though in the end it turned out that the destructive virus had not infected the computer systems used by the organisation.

In March 1994, Mikko Hyppönen of F-Secure (then known as Data Fellows) wrote an analysis of the virus for Virus Bulletin. We republished it in 2016 in both HTML and PDF formats and thought it worth highlighting again.

Back in 1994, attribution was easy, as the typical virus was written as an 'ego trip for [a] gang of teenagers'. The 'Olympic' virus was written by the Sweden-based 'Immortal Riot' crew.

As far as I know, in 1994, there was no doping scandal involving Swedish athletes, and the separation of the Olympics organising country, Norway, from Sweden in 1905 was not considered a politically sensitive issue. 



Latest posts:

VB2017 paper: The life story of an IPT - Inept Persistent Threat actor

At VB2017 in Madrid, Polish security researcher and journalist Adam Haertlé presented a paper about a very inept persistent threat. Today, we publish both the paper and the recording of Adam's presentation.

Five reasons to submit a VB2018 paper this weekend

The call for papers for VB2018 closes on 18 March, and while we've already received many great submissions, we still want more! Here are five reasons why you should submit a paper this weekend.

First partners of VB2018 announced

We are excited to announce the first six companies to partner with VB2018.

VB2018: looking for technical and non-technical talks

We like to pick good, solid technical talks for the VB conference programme, but good talks don't have to be technical and we welcome less technical submissions just as much.

Partner with VB2018 for extra visibility among industry peers

Partnering with the VB conference links your company to a successful and well-established event, demonstrates your commitment to moving the industry forward, allows you to meet potential clients, be visible to industry peers and build lasting…