A cyber attack was launched on the Winter Olympics during the opening ceremony last Friday, disrupting the stadium’s WiFi, the official Pyeongchang 2018 site and more. Olympic officials have not said who is responsible for the attack, but the malware believed to have been used in it has now been identified by Cisco Talos.
Dubbed ‘Olympic Destroyer’, the malware appears to be purely destructive: it aims to render machines unusable by deleting shadow copies and event logs, and it tries to use PsExec and WMI to move laterally through the environment. The same PsExec/WMI lateral-movement technique was seen in both BadRabbit and Nyetya (NotPetya). Stephen Moore, Chief Security Strategist at Exabeam, commented below.
Stephen Moore, Chief Security Strategist at Exabeam:
“Some believe this malware was created for destructive purposes only; however, this could in fact be a diversion tactic for future gain. The malware clears security logs, deletes backups, stops services and steals both browser and system-level credentials. Once the assets are harvested for their accounts, they are made inert and void of investigative value. The fascinating part of Olympic Destroyer is its worm-like capabilities for internal propagation. From the infected machine, it grabs the names of the other systems in the current network. This, combined with system credential theft, provides a virtual ‘fast lane’ for a rapid proliferation across the network and widespread compromise. Without proper logging, visibility and activity analytics, the future stages of the attack could go unnoticed.”
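The behaviours described above (shadow-copy deletion, event-log clearing, PsExec and WMI lateral movement) are all visible in process-creation telemetry if it is collected before the logs are wiped. The following detection is an added example written for this page, not code from Cisco Talos, Exabeam or the Olympic Destroyer analysis. The log lines are constructed, and the specific command lines it looks for (`vssadmin delete shadows`, `wbadmin delete catalog`, `wevtutil cl`, `psexec`, `wmic /node: process call create`) are the usual ways of performing those actions on Windows, assumed here rather than taken from the article.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (host, user, command line).
# These are illustrative, not real telemetry from the Pyeongchang incident.
SAMPLE_LOGS = [
    r"2018-02-09T20:01:12Z host=WS-014 user=SYSTEM cmd=vssadmin.exe delete shadows /all /quiet",
    r"2018-02-09T20:01:13Z host=WS-014 user=SYSTEM cmd=wbadmin.exe delete catalog -quiet",
    r"2018-02-09T20:01:15Z host=WS-014 user=SYSTEM cmd=wevtutil.exe cl System",
    r"2018-02-09T20:01:15Z host=WS-014 user=SYSTEM cmd=wevtutil.exe cl Security",
    r"2018-02-09T20:01:40Z host=WS-014 user=SYSTEM cmd=psexec.exe -accepteula \\WS-021 -s cmd.exe /c C:\Windows\Temp\drop.exe",
    r"2018-02-09T20:01:42Z host=WS-014 user=SYSTEM cmd=wmic.exe /node:WS-022 process call create C:\Windows\Temp\drop.exe",
    r"2018-02-09T20:02:00Z host=WS-021 user=SYSTEM cmd=wevtutil.exe cl Security",
    r"2018-02-09T20:05:00Z host=ADMIN-01 user=backupsvc cmd=wbadmin.exe start backup -quiet",
    r"2018-02-09T20:06:00Z host=ADMIN-01 user=jdoe cmd=wevtutil.exe qe Security /c:5",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Indicator patterns, matched case-insensitively against the full command line.
# Assumed typical command lines for each behaviour, not signatures from the page.
INDICATORS = {
    "shadow_copy_deletion": [
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
        r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b",
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    ],
    "event_log_clearing": [
        r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b",
    ],
    "lateral_movement_psexec": [
        r"\bpsexe(c|svc)(\.exe)?\b",
    ],
    "lateral_movement_wmi": [
        r"\bwmic(\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b",
    ],
}
COMPILED = {tag: [re.compile(p, re.IGNORECASE) for p in pats] for tag, pats in INDICATORS.items()}

DESTRUCTIVE = {"shadow_copy_deletion", "event_log_clearing"}
LATERAL = {"lateral_movement_psexec", "lateral_movement_wmi"}


def classify(cmd):
    """Return the set of indicator tags matched by a single command line."""
    return {tag for tag, pats in COMPILED.items() if any(p.search(cmd) for p in pats)}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Aggregate indicator tags per host across all log lines."""
    per_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_host[rec["host"]] |= classify(rec["cmd"])
    return dict(per_host)


def wiper_chain_hosts(lines):
    """Hosts that both destroy recovery/forensic data and attempt lateral movement.

    A single 'wevtutil cl' can be admin activity; the combination of destruction
    plus PsExec/WMI fan-out from one host is the pattern worth paging on.
    """
    per_host = scan(lines)
    return sorted(h for h, tags in per_host.items() if tags & DESTRUCTIVE and tags & LATERAL)


if __name__ == "__main__":
    for host, tags in sorted(scan(SAMPLE_LOGS).items()):
        print(f"{host}: {sorted(tags) or 'clean'}")
    print("wiper-chain hosts:", wiper_chain_hosts(SAMPLE_LOGS))
```

The per-host aggregation is the important design choice: any one of these commands is noisy on its own (backup jobs call `wbadmin`, admins clear logs), but one host deleting shadow copies, clearing Security and System logs, and then spawning PsExec and WMI toward other hosts within a couple of minutes is the worm-like chain the article describes. Because the malware clears the local event logs, this logic only works if process-creation events are forwarded off-host (Sysmon or 4688 events to a collector) as they happen.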