Cybersecurity experts are confirming that a computer malware attack dubbed “Olympic Destroyer” hit select networks and Wi-Fi systems at the Winter Games in Pyeongchang on Friday, but they would not say for sure whether Russia or North Korea is to blame.
Users with a @pyeongchang2018.com email address were targeted in the attack, which lasted less than an hour on Friday night, experts said.
The Pyeongchang Organizing Committee for the 2018 Olympic & Paralympic Games (POCOG) confirmed the cyber-attack caused a malfunction of internet protocol televisions (IPTVs) at the Main Press Center, according to South Korea’s Yonhap News.
Yonhap reports that POCOG was forced to “shut down the servers to prevent further damage, leading to the closure of the Pyeongchang 2018 website.”
“Due to the shutdown of the website, spectators who purchased tickets to 2018 Winter Games events were unable to print their reservations,” Yonhap says.
According to Wired, although “neither Olympics organizers nor security firms are ready to point the finger at the Kremlin, the hackers seem to have at least left behind some calling cards that look rather Russian.”
The magazine writes that Cisco’s Talos division, which deals with cyber threats, “points out that Olympic Destroyer’s disruptive tactics and spreading methods resemble NotPetya and BadRabbit, two pieces of Ukraine-targeting malware seen in the last year that the Ukrainian government, the CIA, and other security firms have all tied to Russian hackers.”
Some have speculated that Russian hackers may have targeted the Olympics because the country’s athletes were barred from competing under the Russian Federation flag due to a doping scandal that dates to the 2014 games in Sochi.
The malware “turns off all the services, the boot information is nuked, and the machine is disabled,” Talos research director Craig Williams was quoted by Wired as saying.
However, the malware deliberately pulls its punches. The software designed to wipe computer files “intentionally holds back from inflicting maximum damage. Instead of deleting all the files on a computer, it only deleted those related to booting up, meaning an average tech could fix it with relative ease. Researchers have never seen that sort of restraint before from that kind of malware,” according to Talos, Buzzfeed writes.
A separate hacking operation, dubbed Operation GoldDragon, has attempted to infect target computers belonging to South Korean Olympics-related organizations with three separate malicious tools, according to the computer security firm McAfee Inc. The spyware “would enable hackers to deeply scour the compromised computers’ contents. McAfee identifies those malicious tools by the names GoldDragon, BravePrince, and GHOST419.”
McAfee traced the phishing scheme that provided entry for the spyware “to a remote server in the Czech Republic, registered with fake credentials to a South Korean government ministry. And they found publicly accessible logs on that remote server that showed victim machines were in fact connecting to it from South Korea, a sign of actual infections,” Wired reports.
Although McAfee won’t say for sure, the company’s chief scientist, Raj Samani, says his working theory is that the spyware attack is a North Korean operation.
“It is clear attacks are ongoing and are likely to continue throughout the duration of the games. What is yet to be determined is if actors are working simply to gain disruption, or if their motives are greater,” McAfee Advanced Threat Research senior analyst Ryan Sherstobitoff says, according to ZDNet.