
Who medals in the Olympics cyberattacks: Russia, China, N. Korea—or USA?

Richi Jennings, your humble blogwatcher, dba RJA

The 2018 Winter Olympics have been hacked—at least twice. In a precisely targeted and complex attack, the opening ceremony was disrupted by bricking a number of computers.

Pyeongchang organizers won’t say who was behind the two attacks, dubbed Olympic Destroyer and Gold Dragon. Many fingers point at Putin’s Russia. And another attack appears to have China’s or North Korea’s prints all over it.

There’s a mysterious NSA connection, too. In this week’s Security Blogwatch, we get ready to grumble.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Perhaps Brian May’s best Queen song

Games on for cyber attacks

What’s the craic, Karolos Grohmann? Games organizers confirm cyber attack, won't reveal source:

Pyeongchang Winter Olympics organizers confirmed … the Games had fallen victim to a cyber attack. … The Games’ systems, including the internet and television services, were affected.

“Maintaining secure operations is our purpose,” said International Olympic Committee (IOC) spokesman Mark Adams. … Asked if organizers knew who was behind the attack, Adams said: “I certainly don’t know.”

“We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on [the] Games,” Russia’s foreign ministry said.

Did someone mention Western media? As if by magic, here’s Andy Greenberg:

Russian hackers … have targeted the Pyeongchang Olympics for months in retaliation for the country's doping ban, stealing and leaking documents. … Now a more insidious attack has surfaced, one designed not to merely embarrass, but disrupt the opening ceremonies themselves. And … the hackers seem to have at least left behind some calling cards that look rather Russian.

[It] temporarily paralyzed IT systems ahead of Friday's opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets. … Security researchers at Cisco's Talos division have released an analysis of a piece of sophisticated, fast-spreading malware they're calling Olympic Destroyer.

Still, the Talos researchers declined to point the finger at Russia. … Despite its sophistication and relative similarity to … NotPetya and BadRabbit, they point out that it's possible other hackers may simply have adopted that earlier malware's techniques.

But the political backdrop for the attack makes Russia by far the most likely culprit, says James Lewis, the director of the Center for Strategic and International Studies' Technology and Public Policy Program. After all … Fancy Bear, widely believed to be part of [Russia’s] military intelligence agency GRU, has been hacking Olympics-related organizations as early as September of 2016. … Russia's government … has been "furious" about the doping ban, and shown itself willing to use hacking as a means of taking its revenge for that slap, Lewis says.

"The Russians are the leading suspects," says Lewis. "It's consistent with what they’ve done before. … It's another example of Russian petulance."

What would Mother Russia say? Here’s the state-run Russian “news” agency Россия Сегодня—Malware Targeting Servers of Olympics:

On Saturday, media reported that the servers of the organizers of the Pyeongchang 2018 Winter Olympics had been attacked during the opening ceremony.

On Wednesday, the Russian Foreign Ministry said … that Western media planned to blame Russia for hacking attacks on digital infrastructure related to the 2018 Olympics, adding that no evidence would be submitted in support of such allegations, as had previously been the case more than once.

And thus spake an anonymous correspondent for the state-funded “independent” ТВ-Новости—Cyberattack targeted PyeongChang opening ceremony:

North and South Korea’s joint march may have hogged attention … but somewhere in the cybersphere a virus was lurking. … All issues had been resolved by the day after the ceremony, but it is not yet known who was behind the attack.

However, the attempted sabotage was not behind the last-minute cancelation of a planned drone spectacle. Organizers said the light show was abandoned as there were too many spectators gathered in the space planned for the exhibition.

What other evidence is there? Nicole “@NicolePerlroth” Perlroth adds:

Forensics show the attackers were out to disrupt the games since at least December 27, when timestamps show they created a destructive payload, at 11:39 AM UTC, which converts to … 2:39 PM in Moscow.

Here's the weird part. Even though attackers' code clearly demonstrated the ability to "brick" Olympic computers … the attackers stopped short of pulling their final punch. … Why?

Some at Cisco Talos tell me this was presumably to send a political message that the damage could have been a lot worse. They … left open the possibility that organizers could still recover ... (insert Jaws music) THIS TIME.

O RLY? Not according to Kevin “@GossiTheDog” Beaumont:

Try running it on a box with BitLocker. Windows doesn’t boot, and you can’t boot recovery console, and you can’t mount disk (due to BitLocker) on another system.

The code cycles through every Windows service and changes the Startup type to Disabled. I urge y'all to try that, but not on your work PC. Windows doesn't boot, as it needs key services to function.

It also uses bcdedit.exe to set recoveryconsole to no, which kills the recovery console - so if you use something like BitLocker, how do you recover? … If you have key in AD (which is super doable, in my case just needed AD table modifications) then you’re in a good place. If you didn’t set that up, prepare for fun.

And that wasn’t the only notable attack. Scott Neuman looks to North Korea:

A separate hacking operation, dubbed Operation Gold Dragon, has attempted to infect target computers belonging to South Korean Olympics-related organizations … according to the computer security firm McAfee. … Although McAfee won't say for sure, [its] working theory is that the spyware attack is a North Korean operation.

But this Anonymous Coward ain’t buying it:

North Korea is trying to play nice guy right now. Getting caught hacking would be detrimental. Russia on the other hand is banned from the entire games and pissed about it. It's kind of a "duh" as far as motive.

And neither is this one:

Well one of those countries is actually finally making positive strides in international relations with its neighbour at these games and the other has gained itself the honour of being the only country humiliated and banned from taking part because it had a state sponsored doping ring trying to help its athletes come top.

So given only one nation isn't taking part in the games through its own stupid fault, given that nation takes things really really badly when it doesn't get its way like a petulant child, and given that nation has invested billions in and actively engaged in cyber warfare in recent years, which do you think it's most likely to be?

[Russia has] the most prolific aggressive cyber operations in the world right now whose purpose seems to be nothing more than bolstering national pride to keep Putin in power.

Um, but what about China? Jay Rosenberg examines the Code Similarities:

We have found numerous small code fragments scattered throughout different samples of malware in these attacks that are uniquely linked to APT3, APT10, and APT12 which are known to be affiliated with Chinese threat actors.

APT3, also known as Pirpi and Buckeye, is a threat group based in China that has been attributed to China’s Ministry of State Security. … We also see the biggest code overlap with the credential stealer in Pirpi’s toolset.

APT10, also known as menuPass Group, has been attributed as a Chinese cyber espionage group. … Specifically, this fragment of shared code is a function for generating AES keys. Also, it is important to mention that this code was seen only in APT10.

APT12, also known as Beebus, is another threat actor that has been linked to cyber espionage by the Chinese government. … After analyzing one of the binaries from the McAfee report … we found code connections to Beebus, an additional malware Gold Dragon that was used in this attack, and an unattributed APT called CONFUCIUS. … We saw a few full-function overlaps between multiple samples of Beebus and Brave Prince.

This is not a definitive statement whatsoever of whether China is behind the attacks or not, but when deeply analyzing the code, there are several unique links to Chinese threat actors.

And what of the NSA connection? Microsoft’s Defender team, @WDSecurity, tweets thuswise:

Fresh analysis of the #cyberattack against systems used in the Pyeongchang #WinterOlympics reveals #ETERNALROMANCE SMB exploit.

Yes, the very same exploit stolen from the NSA’s TAO group in 2016. As Edward Snowden said at the time:

Circumstantial evidence and conventional wisdom indicates Russian responsibility. [It] is likely a warning that someone can prove US responsibility for any attacks that originated from this malware.

That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.

[It] looks like somebody sending a message.

Meanwhile, bestweasel hilariously ponders what comes next:

The athletes formerly known as Russians had no gold medals but now the scoreboard says 10 and something rude about NATO.

The moral of the story? What if you were targeted by malware like this? Would you detect the initial scans? Would you be able to recover easily?
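If you want a concrete answer to “would you detect it?”, here is an added example (not code from this post, from Beaumont, or from Cisco Talos or McAfee) that turns the behaviour Beaumont describes into two detection rules run over constructed process-creation log lines. Rule one flags a bcdedit call that switches Windows recovery off (the bcdedit option is `recoveryenabled`; the tweet refers to it as the recovery console). Rule two flags a burst of service startup types being set to Disabled on one host, because a single change is routine administration while disabling everything at once is not. The pipe-delimited log format, hostnames, timestamps, thresholds and the assumption that the service changes surface as `sc.exe` command lines are all constructed for the example; tooling that changes service configuration through the API would need a service-configuration event source instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not a real capture), one event per line:
# "ISO-8601 time|host|image path|command line".
SAMPLE_LOG = """\
2018-02-09T20:01:05|pc-kiosk-07|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2018-02-09T20:01:06|pc-kiosk-07|C:\\Windows\\System32\\sc.exe|sc config Spooler start= disabled
2018-02-09T20:01:06|pc-kiosk-07|C:\\Windows\\System32\\sc.exe|sc config BITS start= disabled
2018-02-09T20:01:07|pc-kiosk-07|C:\\Windows\\System32\\sc.exe|sc config EventLog start= disabled
2018-02-09T20:01:07|pc-kiosk-07|C:\\Windows\\System32\\sc.exe|sc config Dhcp start= disabled
2018-02-09T20:01:08|pc-kiosk-07|C:\\Windows\\System32\\sc.exe|sc config LanmanWorkstation start= disabled
2018-02-09T20:03:00|admin-ws-01|C:\\Windows\\System32\\sc.exe|sc config TelemetryAgent start= disabled
2018-02-09T20:15:00|admin-ws-01|C:\\Windows\\System32\\bcdedit.exe|bcdedit /enum {current}
"""

# bcdedit turning Windows recovery off. The real option is 'recoveryenabled';
# the hostnames and timestamps in SAMPLE_LOG are constructed.
RECOVERY_OFF_RE = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+(?:no|off|false)\b", re.IGNORECASE)
# sc.exe setting a service's startup type to Disabled (assumed telemetry shape).
SERVICE_DISABLE_RE = re.compile(
    r"\bsc(?:\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.IGNORECASE)


def parse_log(text):
    """Parse the pipe-delimited telemetry into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time_s, host, image, cmdline = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(time_s),
                       "host": host, "image": image, "cmdline": cmdline})
    return events


def find_recovery_disabled(events):
    """One alert per bcdedit invocation that disables recovery."""
    return [("RECOVERY_DISABLED", ev["host"], ev["time"].isoformat())
            for ev in events if RECOVERY_OFF_RE.search(ev["cmdline"])]


def find_service_disable_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one host disables at least `threshold` services inside `window`.

    A lone 'sc config ... start= disabled' is ordinary administration; the
    malware described above disables every service, so a burst is the signal.
    """
    per_host = defaultdict(list)
    for ev in events:
        if SERVICE_DISABLE_RE.search(ev["cmdline"]):
            per_host[ev["host"]].append(ev["time"])
    alerts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("SERVICE_DISABLE_BURST", host, times[start].isoformat()))
                break  # one alert per host is enough
    return alerts


def detect(text, threshold=5, window=timedelta(seconds=60)):
    """Run both rules over raw log text and return the combined alert list."""
    events = parse_log(text)
    return (find_recovery_disabled(events)
            + find_service_disable_bursts(events, threshold, window))


if __name__ == "__main__":
    for rule, host, when in detect(SAMPLE_LOG):
        print(f"{when} {host}: {rule}")
```

On the constructed sample this raises two alerts for pc-kiosk-07 (recovery disabled, then a five-service burst within two seconds) and none for admin-ws-01, whose single service change and read-only `bcdedit /enum` are benign. Tune `threshold` and `window` to your own change-management noise. Detection is only half of Beaumont’s point, though: the other half is recovery readiness, which for BitLocker means confirming ahead of time that the recovery key is escrowed somewhere you can still reach, such as Active Directory, when the machine itself will not boot.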

And finally …

In the long run we are all dead

Perhaps Brian May’s best Queen song


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Jascha Luelsdorf (cc0)
