The Olympic Destroyer malware that has caused damage to PyeongChang 2018 Winter Olympics computer networks is much more complex than previously thought.
Discovered by Cisco Talos researchers, the malware was deployed before the start of the Olympics and caused downtime to internal WiFi and television systems, disrupting some operations during the games' opening ceremony.
Cisco published an initial analysis (now updated) of this threat yesterday, revealing that Olympic Destroyer was capable of mangling a computer's data recovery procedures and deleting crucial Windows services, rendering Windows computers unable to boot.
Because Olympic Destroyer was still a new threat, the original analysis was amended today with new information. Three new major pieces of information came to light today.
The biggest update relates to the discovery of a data-wiping mechanism that attempts to delete files on network shares.
"[T]he malware lists mapped file shares and for each share, it will wipe the writable files (using either uninitialized data or 0x00 depending of the file size)," an update to the original Cisco Talos analysis reveals.
While this data-wiping behavior may not delete crucial files needed for an operating system to function, it does delete files shared on network drives, files that are obviously important enough to be shared among Olympic staffers, hence hindering some operations.
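A defender's first question after this kind of wiper is which files on a share copy were actually overwritten. The following is an added triage script, not code from the Cisco Talos analysis: it flags files that are entirely 0x00 (the zero-fill branch described above) and files whose extension implies a magic number that is no longer present (how an overwrite with garbage shows up in common formats). The signature table and the sample share tree are constructed for the demo.

```python
"""Triage a copied network-share tree for files that look overwritten.

Two checks, matching the two overwrite modes the article describes:
  - zero-filled: every byte is 0x00
  - header-mismatch: the extension implies a magic number that is absent,
    which is how garbage (uninitialized-data) overwrites of common formats show up.
"""
import os
import tempfile
from pathlib import Path

# Constructed signature table for a few common formats (assumption: enough for a demo).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".exe": b"MZ",
}


def classify(data: bytes, suffix: str) -> str:
    """Return 'empty', 'zero-filled', 'header-mismatch' or 'ok' for one file's content."""
    if not data:
        return "empty"
    if data.count(0) == len(data):
        return "zero-filled"
    expected = MAGIC.get(suffix.lower())
    if expected is not None and not data.startswith(expected):
        return "header-mismatch"
    return "ok"


def scan_share(root: str) -> dict:
    """Walk root and map each relative path to its classification.

    Reads whole files, which is fine for triage-sized share copies.
    """
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            results[str(p.relative_to(root))] = classify(p.read_bytes(), p.suffix)
    return results


def demo() -> dict:
    """Build a constructed share copy in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="share_triage_")
    (Path(root) / "schedule.docx").write_bytes(b"\x00" * 4096)      # zero-overwritten
    (Path(root) / "venue.pdf").write_bytes(bytes(range(256)) * 4)   # garbage-overwritten
    (Path(root) / "intact.pdf").write_bytes(b"%PDF-1.7\n%intact")    # untouched
    (Path(root) / "notes.txt").write_bytes(b"plain text, no magic")  # unknown type, left alone
    return scan_share(root)
```

Files of types not in the table can only be caught by the zero-fill check, so extend `MAGIC` with the formats the share actually holds before relying on the result.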
Our post has been updated to include the impact on network shares - Shocker - they are effectively wiped: Olympic Destroyer Takes Aim At Winter Olympics with indications of prior compromise - https://t.co/NoD5la9m7r #OlympicDestroyer @SecurityBeard @r00tbsd @TalosSecurity— Craig Williams (@security_craig) February 12, 2018
But while the discovery of a data-wiping mechanism is something to take note of, there is another, far more interesting mechanism included in the malware's code.
According to Cisco researchers, Olympic Destroyer uses a self-patching mechanism that allows it to mutate and evolve as it moves from one infected host to another.
The initial analysis published yesterday said that Olympic Destroyer dropped two credential stealers (for browser and system passwords) on each infected host, and then used these stolen credentials along with a list of hardcoded usernames and passwords to move laterally across an infected network.
Today, Cisco researchers said they were wrong about this initial assessment after discovering Olympic Destroyer samples with different lists of hardcoded credentials.
I updated our #OlympicDestroyer post. The malware has the capability to generate new binaries with the stolen credentials (by patching the PE). The list in the screenshot comes from previous executions and was not created by the developers themselves https://t.co/VwkNNSI06Q— Paul Rascagnères (@r00tbsd) February 13, 2018
A closer look at the malware's behavior revealed that Olympic Destroyer takes the list of credentials found on the local computer and generates a new binary for itself, which is then dropped on other computers on the same network.
The malware adds these new credentials stolen from the current PC to its list of hardcoded credentials.
This self-mutating behavior allows Olympic Destroyer to gather more and more credentials as it spreads through a local network, updating its binary on the fly.
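The way the researchers noticed the mutation was that samples from different hosts differed only by their embedded credential list. As an added analyst example (not code from the Cisco Talos analysis), the script below locates the patched window between two samples by common prefix and suffix and lists the strings that appear only in the newer one; the two "binaries" are constructed stand-ins with fake credentials, not real samples.

```python
"""Compare two samples that differ only by an embedded credential block.

Constructed demo (not real samples): each 'binary' is a fixed header, a
NUL-separated credential block and a fixed trailer. The functions locate the
patched window by common-prefix/common-suffix and list the strings that
appear only in the newer sample, i.e. what the earlier host contributed.
"""
import re


def patched_window(a: bytes, b: bytes):
    """Return ((a_start, a_end), (b_start, b_end)) bounding the region where a and b differ."""
    prefix = 0
    limit = min(len(a), len(b))
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return (prefix, len(a) - suffix), (prefix, len(b) - suffix)


def ascii_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, in order of appearance."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def newly_embedded(older: bytes, newer: bytes) -> list:
    """Strings present in the newer sample's patched window but not in the older one's."""
    (a0, a1), (b0, b1) = patched_window(older, newer)
    before = set(ascii_strings(older[a0:a1]))
    return [s for s in ascii_strings(newer[b0:b1]) if s not in before]


# Constructed stand-ins for two generations recovered from different hosts.
# The credential strings are fake placeholders, not harvested data.
HEADER = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
TRAILER = b"\x00" * 16 + b"END"
GEN1 = HEADER + b"builtin\\svc:Fake1\x00" + TRAILER
GEN2 = HEADER + b"builtin\\svc:Fake1\x00host-a\\alice:Fake2\x00host-a\\bob:Fake3\x00" + TRAILER
```

Every account that turns up in the newer window was harvested from a host the malware already touched, so the list doubles as a rotation checklist during incident response.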
"I have not seen a malware sample modify itself to include harvested creds before and I've been doing this stuff for longer than I should admit," Craig Williams, one of the Cisco Talos researchers, said today on Twitter.
"Polymorphic malware isn’t a new idea by itself, but I have never seen any examples of malware modifying itself to include harvested credentials," added Jaeson Schultz, fellow Cisco Talos researcher.
But this binary mutation behavior does not explain how Olympic Destroyer arrived on some of the infected networks. This is where the third and last of today's updates came in to shed some light, courtesy of Microsoft.
According to the Windows Defender team, Olympic Destroyer appears to have been deployed via one of the NSA exploits leaked by the Shadow Brokers last year, namely EternalRomance.
EternalRomance is one of the two NSA exploits —together with EternalBlue— that were used by the NotPetya and Bad Rabbit ransomware strains, two of 2017's three major ransomware outbreaks.
While Olympic Destroyer was most likely created weeks if not months ago, it is only five days old for security researchers. Infosec experts are going to continue to dig through the Olympic Destroyer code in the coming days, and readers shouldn't be surprised if researchers amend the original analysis with new information a few more times.
But while some of the malware's mechanics are still murky, what is certain at the moment is that Olympic Destroyer was not created for cyber-espionage or data exfiltration. The malware's sole purpose appears to have been destruction, an opinion shared by almost all security researchers who spoke on the matter.
Its destructive behavior stands out most when Olympic Destroyer hits a machine protected by BitLocker. According to infosec expert Kevin Beaumont, just disabling OS services is enough to render the local machine unusable and unrecoverable. In these scenarios, there's no need to wipe data.
I’d disagree trivial to recover from. Try running it on a box with BitLocker. Windows doesn’t boot, and you can’t boot recovery console, and you can’t mount disk (due to BitLocker) on another system.— Kevin Beaumont (@GossiTheDog) February 12, 2018
Article updated post-publication with remarks made by security researcher Kevin Beaumont.