Destructive malware intent on sabotaging PCs is to blame for the IT problems reported during the PyeongChang 2018 Winter Olympics opening ceremony.
The issues, first reported on Friday by UK paper The Guardian, consisted of failing Internet and television systems for on-site journalists attending and reporting the opening ceremony.
While Olympics organizers were initially quiet, officials finally admitted on Sunday that the IT failures were no accident and that their network had been the victim of a malicious and coordinated cyber-attack.
New details about these attacks came to light earlier today when security researchers from Cisco's Talos division published new research on the malware used by attackers.
According to Cisco researchers, attackers deployed a never-before-seen malware strain that was intent on data destruction and data destruction only.
"There does not appear to be any exfiltration of data," Cisco Talos researchers Warren Mercer and Paul Rascagneres said about this malware, which they named Olympic Destroyer. "The samples analysed appear to perform only destructive functionality."
"The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya," Mercer and Rascagneres added.
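As an added illustration (not code from the original article or from Cisco Talos), the following Python detector runs over constructed process-creation log lines and flags the behaviours the quote describes: shadow copy deletion, event log clearing, and PsExec or WMI remote execution, then raises a host where one parent process combines destruction with lateral movement as a wiper suspect. The log format, host names and the `sample.exe` parent are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon Event ID 1 fields flattened to
# one line each); illustrative samples, not logs from the Olympics incident.
SAMPLE_EVENTS = [
    'host=media-pc-07 parent=sample.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    'host=media-pc-07 parent=sample.exe image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe cl System"',
    'host=media-pc-07 parent=sample.exe image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe cl Security"',
    'host=media-pc-07 parent=sample.exe image=C:\\Temp\\psexec.exe cmd="psexec.exe \\\\media-pc-08 sample.exe"',
    'host=media-pc-07 parent=sample.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="WMIC.exe /node:media-pc-09 process call create sample.exe"',
    'host=backup-01 parent=backup.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe list shadows"',
]

FIELD_RE = re.compile(r'host=(\S+) parent=(\S+) image=(\S+) cmd="(.*)"')

# Each rule names one behaviour from the Talos description of Olympic Destroyer.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("psexec_remote_exec", re.compile(r"\bpsexec(\.exe)?\s+\\\\\S+", re.I)),
    ("wmi_remote_exec", re.compile(r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create", re.I)),
]
DESTRUCTIVE = {"shadow_copy_deletion", "event_log_clearing"}
LATERAL = {"psexec_remote_exec", "wmi_remote_exec"}

def parse_event(line):
    """Split one flattened record into its fields; None if the line is malformed."""
    m = FIELD_RE.match(line)
    if not m:
        return None
    host, parent, image, cmd = m.groups()
    return {"host": host, "parent": parent, "image": image, "cmd": cmd}

def detect(lines):
    """Return (host, parent, rule) for every event whose command line matches a rule."""
    hits = []
    for ev in filter(None, map(parse_event, lines)):
        hits.extend((ev["host"], ev["parent"], name) for name, rx in RULES if rx.search(ev["cmd"]))
    return hits

def wiper_suspects(lines):
    """Parents that combine destruction with lateral movement on one host (the
    wipe-then-spread pattern); 'vssadmin list shadows' alone never qualifies."""
    seen = defaultdict(set)
    for host, parent, rule in detect(lines):
        seen[(host, parent)].add(rule)
    return sorted(k for k, rules in seen.items() if rules & DESTRUCTIVE and rules & LATERAL)
```

Correlating the two behaviour classes per parent process keeps routine backup and log-maintenance activity out of the high-severity alert while still surfacing each individual command for triage.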
Cisco has an in-depth analysis of this threat, but we summarized an Olympic Destroyer attack below, in easy-to-understand steps:
As for attribution, things are murky, as they always have been when it comes to cyber-espionage operations. The two most obvious culprits are North Korea (South Korea and North Korea are still technically at war, and North Korea has a long history of hacking its southern neighbor) and Russia (the IOC has recently banned a large number of Russian athletes from participating in the Olympics).
Nonetheless, some observers will be quick to pile on the idea that this is most likely a Russian cyber operation.
The reasons are plenty, starting with a Twitter account that many believe is operated by Russian intelligence and which has recently dumped large amounts of hacked information in an attempt to smear the International Olympic Committee following their ban of Russian athletes.
Further, Olympic Destroyer and Bad Rabbit both use hardcoded credentials for lateral movement, an obvious clue that links the two strains together, at least at the M.O. level.
Last year, Ukrainian intelligence and a CIA report linked the NotPetya and Bad Rabbit ransomware outbreaks to Russian intelligence operations, and voices will be quick to point out that Olympic Destroyer is a more refined version of Bad Rabbit.
But things aren't as clear as they look. For example, Jay Rosenberg of Intezer Labs told Bleeping Computer earlier today that the malware's code has more links to cyber tools used by Chinese hackers in the past than to those of North Korea or Russia.
"Intezer has found, both in the malware targeting the Olympics from the report published by McAfee and in the report by Cisco Talos, that there are several minor code connections to known Chinese threat actors," Rosenberg told Bleeping Computer, also adding that his company will release a more in-depth report later on, as they have more time to analyze the samples unearthed by Cisco Talos researchers.
Two weeks ago, McAfee researchers published a report on a different strain of PowerShell-based malware that was used to target Olympics organizers before the event's start.
Article updated with new information on Olympic Destroyer's file-wiping and binary mutation capabilities.