Warnings that the 2018 Winter Olympic Games would be the target for hackers came true almost immediately as the Pyeongchang computer system was hit with a “destroyer” cyberattack knocking its website and other services offline.
“Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya,” wrote Talos researchers Warren Mercer and Paul Rascagneres.
Other than confirming the attack Olympic organizers refused to comment on the incident, Reuters reported.
“It’s pretty easy for attackers to hide their origins or use VPNs etc., so the IOC is probably doing the right thing of not blaming until they are sure. Forensics/attribution is really hard work especially given sophisticated attackers! Also from a PR perspective, they probably don’t want to do anything until the games are over,” said Vyas Sekar, assistant professor of Electrical and Computer Engineering at Carnegie Mellon University.
Crowdstrike Intelligence said that in November and December of 2017 it had observed a credential harvesting operation operating in the international sporting sector. At the time it attributed this operation to Fancy Bear, but only with a medium level of confidence and Adam Meyers, CrowdStrike’s VP of Intelligence, said there is no evidence connecting Fancy Bear to the Olympic attack.
Talos and Crowdstrike obtained samples of the malware and found that it is a binary file with the initial injection placing two info stealers to be used to find additional credentials enabling the malware to spread laterally through the Olympic computer system. It also used hard coded credentials found within the binary file itself.
The initial evidence indicates that the hacker has a great deal of knowledge of the Pyeongchang system infrastructure such as username, domain name, server name and passwords. Forty-four accounts were found in the binary file itself. The stealer supports: Internet Explorer, Firefox and Chrome. The malware parses the registry and it queries the sqlite file in order to retrieve stored credentials, the researchers said.
The destructive phase of the attack begins almost immediately by using the cmd.exe from the host to begin deleting all shadow copies on the system and by going after the systems possible recovery methods. The malware also uses the cmd.exe to shut down wbadmin.exe to make file recovery difficult. WBAdmin is a tool used by admins to recover individual files, folders and whole drives.
Next, cmd.exe is used to damage bcdedit to ensure that the Windows recovery console does not attempt to repair anything on the host.
Once the malware made any recovery harder it deleted the security windows event log making an analysis of the attack difficult.
“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. The sole purpose of this malware is to perform destruction of the host and leave the computer system offline,” the researchers said. “The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: “Disabled: Specifies that the service should not be started. Finally after modifying all the system configuration, the destroyer shutdowns the compromised system.”
Most of the warnings regarding cyberattacks at the Winter Olympics centered on protecting attendees from either getting hacked at the event or for falling for phishing attack that use the games as part of their social engineering scheme.