Kaspersky: North Korea framed for Winter Olympics malware

Source code analysis reveals similar tactics used by Russian-speaking Sofacy group

Research into the attack on the computer network at the 2018 Winter Olympics has revealed that the malware's source code was deliberately forged to make it appear as if North Korea was behind the attack.

Olympic officials confirmed at the end of February that days before the opening ceremony in Pyeongchang, South Korea, a devastating malware attack had paralysed the event's IT infrastructure.

The cyber attack, which knocked display monitors, Wi-Fi networks and the Winter Olympics official website offline, was almost immediately attributed to groups in North Korea, Russia and China, given a number of similarities between the malware and earlier attacks.

However, an investigation by Kaspersky found code that looked identical in style to that used by the Lazarus Group, a notorious hacking collective with ties to North Korea that was blamed for the hack on Sony Pictures in 2014.

According to the report, the analysed code resulted in a "100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab". A number of inconsistencies, including in the motivations and tactics normally associated with Lazarus, prompted further investigation into the code, which revealed that it had in fact been forged to look as though the North Korean group was responsible.

"To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it," said Vitaly Kamluk, head of the APAC research team at Kaspersky. "They counted on the fact that forgery of this artefact is very hard to prove."

"It's as if a criminal had stolen someone else's DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. We've always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this."

While Kaspersky is unable to say exactly who was behind the Olympic Destroyer malware, it did find that the attackers used NordVPN and a hosting provider called MonoVM to mask their activities, both of which have been previously used by the Russian-speaking Sofacy hacking group.

That would seem to corroborate claims by two anonymous US intelligence sources that the attack originated from Russia and was carried out in retaliation for the Olympic Committee's decision to ban Russian athletes over doping violations.

Yet Kaspersky also suggests the motivations of the hackers are unclear: the attackers are believed to have had admin access to the IT systems and could have devastated Olympic infrastructure as a result, but chose only to do "light" damage by wiping backups and rebooting systems.

The most likely purpose of the attack was to test the malware's ability to fool security researchers in a real-life setting, the results from which will be used to create the perfect "false flags" for future attacks, according to Kaspersky.

26/02/2018: Russian spies 'hacked systems at the 2018 Winter Olympics'

Russian spies hacked into the systems used by authorities at the 2018 Winter Olympics in South Korea, US intelligence sources have claimed.

The military spies reportedly attempted to breach several hundred computers during the global event, and tried to make it look like North Korea did the hacking, something that is known in the security industry as a "false-flag" operation.

While officials in PyeongChang, where the Olympics were held, acknowledged that the Games were hit by a cyber attack during the opening ceremony on 9 February, they refused to confirm who was responsible. The disruption, which hit broadcast systems and the Olympics website, made it difficult for many attendees to print their tickets for the ceremony and thus left many seats empty during the event.

Now two anonymous US intelligence sources have told The Washington Post that the attack came from Russia, believing it was in retaliation against the International Olympic Committee's banning of the Russian team due to doping violations.

This also meant that no Russian Olympic federation officials were allowed to attend the event, and while some athletes were permitted to compete under the designation "Olympic Athletes from Russia", they were unable to display the Russian flag on their uniforms and, if they won medals, their country's anthem would not be played.

Before the end of the event on Sunday, some US officials told the Post they were concerned the Russians might try to disrupt the closing ceremonies.

"We're watching it pretty closely," one said. "It's essentially a Korean problem," the official added. "We will help the Koreans as requested."

12/02/2018: Hackers hit 2018 Winter Olympics opening ceremony

A cyber attack disrupted the opening ceremony of the 2018 Winter Olympics on Friday, organisers have revealed.

TV and web broadcasting services were affected in the attack on the Games - hosted in Pyeongchang, South Korea - but officials said that no vital infrastructure had been damaged.

A spokesman for the committee behind the Pyeongchang Games told press on Sunday that "all issues were resolved and recovered yesterday morning".

The International Olympic Committee re-affirmed the integrity of the Games' electronic systems but said little beyond that, declining to reveal the source of the attack.

"We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure," IOC spokesman Mark Adams told Reuters, adding that "maintaining secure operations is our purpose".

In the wake of the Winter Olympics hack, some have pointed to North Korea's long-standing conflict with its South Korean neighbours, as well as the list of cyber attacks the country is suspected of orchestrating, such as the WannaCry ransomware attack last May.

Others, however, have disputed this interpretation, citing the fact that North Korea is represented at the Games and that the two nations marched together at the opening ceremony for the first time in over a decade.

Instead, some experts have pointed to Russia as a potential culprit, citing the country's ban from competing in the Games over doping scandals as a potential motive.

Russia's foreign ministry stated prior to the opening ceremony that any media allegations suggesting Russia would be behind any attacks on the Games would be false. The IOC has also advised Pyeongchang organisers not to reveal the source of the hack, with spokesman Mark Adams stating that "best international practice says that you don't talk about an attack".

Regardless of who is behind the attacks, security experts do not expect them to stop while the Games are underway.

"It is clear attacks are ongoing and are likely to continue throughout the duration of the games," said McAfee senior analyst Ryan Sherstobitoff. "What is yet to be determined is if actors are working simply to gain disruption or if their motives are greater."
