Olympic Destroyer, the malware that hit Pyeongchang 2018 Winter Olympics, is still alive and infecting new victims, according to a report published earlier today by Russian antivirus vendor Kaspersky Labs.
The company's security researchers say they've detected Olympic Destroyer infections across Europe in May and June 2018.
New victims include financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.
"The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets," Kaspersky says.
"This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors," experts added. "On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention."
When the Kaspersky team references Olympic Destroyer's "false flag" capabilities, it refers to some of the malware's features, which were borrowed from the arsenal of other cyber-espionage groups.
Previously, experts found that parts of the Olympic Destroyer malware had used portions of tools developed by North Korea-linked Lazarus Group, and three Chinese cyber-espionage groups.
In today's report, Kaspersky claims that "some of the TTPs and operational security" used in recent Olympic Destroyer campaigns resemble those used by the Sofacy APT, a Russian-linked cyber-espionage group also known as APT28 and Fancy Bear.
The Kaspersky conclusion gives credence to a February Washington Post report in which sources in the US intelligence community attributed Olympic Destroyer to Russia's cyber-espionage apparatus.
As for the recent Olympic Destroyer campaigns, Kaspersky says crooks have been using good ol' spear-phishing techniques to trick victims into opening booby-trapped Office documents.
Malicious doc used in recent #OlympicDestroyer attacks references the Spiez Convergence conf: MD5: 0e7b32d23fbd6d62a593c234bafa2311
File Type: Microsoft Office Word
Last saved date: 2018-05-14 15:32:17 (GMT)
Known file name: Spiez CONVERGENCE.doc
Costin Raiu (@craiu), June 19, 2018
These documents contain macro code that runs a PowerShell script which disables PowerShell logging and downloads and infects the victim with Olympic Destroyer.
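As an added illustration of the macro-to-PowerShell chain described above (example code written for this article, not Kaspersky's or the malware's), here is a small Python detection check over process-creation events: it flags PowerShell launched by an Office application and command lines that touch PowerShell logging policy settings. The event format and the sample log lines are constructed.

```python
"""Added detection example: flag Office -> PowerShell process chains and
PowerShell command lines that alter logging settings. Sample events are
constructed (parent_image | image | command_line), not real telemetry."""
import re

# Constructed process-creation events in the assumed "parent | image | cmd" format
SAMPLE_EVENTS = [
    r"C:\Program Files\Microsoft Office\WINWORD.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | powershell.exe -nop -w hidden -c Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows"
    r"\PowerShell\ScriptBlockLogging EnableScriptBlockLogging 0",
    r"C:\Windows\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | powershell.exe -File C:\scripts\backup.ps1",
    r"C:\Program Files\Microsoft Office\EXCEL.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | powershell.exe -c Get-Date",
    r"C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | powershell.exe -c Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows"
    r"\PowerShell\ModuleLogging EnableModuleLogging 0",
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Names of the PowerShell logging policy areas (real policy key names) that a
# logging-disabling script has to touch; a match on its own is suspicious.
LOGGING_TAMPER = re.compile(
    r"ScriptBlockLogging|ModuleLogging|Transcription|GroupPolicySettings", re.IGNORECASE)


def parse_event(line):
    """Split one constructed event into (parent exe, child exe, command line)."""
    parent, image, cmd = (part.strip() for part in line.split("|", 2))
    return parent.rsplit("\\", 1)[-1].lower(), image.rsplit("\\", 1)[-1].lower(), cmd


def analyze(lines):
    """Return (severity, reason, command_line) tuples for suspicious events."""
    findings = []
    for line in lines:
        parent, image, cmd = parse_event(line)
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        office_parent = parent in OFFICE_PARENTS
        tamper = bool(LOGGING_TAMPER.search(cmd))
        if office_parent and tamper:
            findings.append(("high", "Office spawned PowerShell that alters logging settings", cmd))
        elif tamper:
            findings.append(("medium", "PowerShell alters its own logging settings", cmd))
        elif office_parent:
            findings.append(("low", "Office spawned PowerShell", cmd))
    return findings


if __name__ == "__main__":
    for severity, reason, cmd in analyze(SAMPLE_EVENTS):
        print(severity.upper(), reason, "->", cmd)
```

In production the same logic maps directly onto Sysmon event ID 1 or Windows 4688 fields (ParentImage, Image, CommandLine); the constructed format here only stands in for that telemetry.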
For these recent attacks, Kaspersky says hackers downloaded the Olympic Destroyer binaries from websites running Joomla 1.7.3, a very outdated version of the Joomla PHP-based CMS.
As we've covered in our two previous articles on Olympic Destroyer [1, 2], the malware's main purpose is to spread inside an internal network and wipe data from systems in an effort to prevent forensics operations or to create havoc and distract IT departments from other targets.
Attacks with data wipers are all the rage right now, as another group, believed to be North Korean in origin, has deployed the KillDisk data wiper after stealing $10 million from a Chilean bank.
The data wiper crashed the bank's systems, keeping its IT employees busy restoring the bank's main services while hackers were siphoning money from its main account.