Kaspersky: North Korea framed for Winter Olympics malware
Source code analysis reveals similar tactics used by Russian-speaking Sofacy group
Research into the hack attack against the computer network at the 2018 Winter Olympics has revealed the malware source code was deliberately forged to make it appear as if North Korea was behind the attack.
Olympic officials confirmed at the end of February that days before the opening ceremony in Pyeongchang, South Korea, a devastating malware attack had paralysed the event's IT infrastructure.
The cyber attack, which knocked display monitors, WiFi networks, and the Winter Olympics official website offline, was almost immediately attributed to groups in North Korea, Russia, and China given a number of similarities between the malware and other attacks.
However, an investigation by Kaspersky found evidence of source code that looked identical to the style deployed by the Lazarus Group, a notorious hacking collective with ties to North Korea and named responsible for the hack on Sony Pictures in 2014.
According to the report, the analysed code resulted in a "100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab". A number of inconsistencies with the attack, including motivations and tactics normally associated with Lazarus, prompted further investigations into the code, revealing that it had in fact been forged to look like the North Korean group was responsible.
"To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it," said Vitaly Kamluk, head of APAC research team at Kaspersky. "They counted on the fact that forgery of this artefact is very hard to prove."
"It's as if a criminal had stolen someone else' DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. We've always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this."
While Kaspersky is unable to say exactly who was behind the Olympic Destroyer malware, it did find that the attackers used NordVPN and a hosting provider called MonoVM to mask their activities, both of which have been previously used by the Russian-speaking Sofacy hacking group.
That would seem to corroborate claims by two anonymous US intelligence sources that claimed the attack originated from Russia, and was made in retaliation against a decision by the Olympic Committee to ban Russian athletes for doping violations.
Yet Kaspersky also suggests the motivations of the hackers are unclear, as it's believed they had admin access to the IT systems and could have devastated Olympic infrastructure as a result, but chose only to do "light" damage by wiping backups and rebooting systems.
The most likely purpose of the attack was to test the malware's ability to fool security researchers in a real-life setting, the results from which will be used to create the perfect "false flags" for future attacks, according to Kaspersky.
26/02/2018: Russian spies 'hacked systems at the 2018 Winter Olympics'
Russian spies hacked into the systems used by authorities at the 2018 Winter Olympics in South Korea, US intelligence sources have claimed.
The military spies reportedly attempted to breach several hundred computers during the global event, and tried to make it look like North Korea did the hacking, something that is known in the security industry as a "false-flag" operation.
While officials in PyeongChang, where the Olympics was held, acknowledged that the Games were hit by a cyber attack during the opening ceremony on 9 February, they refused to confirm who was responsible. The disruption, which saw broadcast systems and the Olympics website hit, made it difficult for many attendees to print their tickets for the ceremony, and thus resulted in many empty seats during the event.
Now two anonymous US intelligence sources have told The Washington Post that the attack came from Russia, believing it was in retaliation against the International Olympic Committee's banning of the Russian team due to doping violations.
This also meant that no Russian Olympic federation officials were allowed to attend the event, and while some athletes were permitted to compete under the designation "Olympic Athletes from Russia", they were unable to display the Russian flag on their uniforms and, if they won medals, their country's anthem would not be played.
Before the end of the event on Sunday, some US officials claimed they were concerned the Russians may try and disrupt the closing ceremonies, they told the Post.
"We're watching it pretty closely," one said. "It's essentially a Korean problem," the official added. "We will help the Koreans as requested."
12/02/2018: Hackers hit 2018 Winter Olympics opening ceremony
A cyber attack disrupted the opening ceremony of the 2018 Winter Olympics on Friday, organisers have revealed.
TV and web broadcasting services were affected in the attack on the Games - hosted in Pyeongchang, South Korea - but officials said that no vital infrastructure had been damaged.
A spokesman for the committee behind the Pyeongchang Games told press on Sunday that "all issues were resolved and recovered yesterday morning".
The International Olympic Committee re-affirmed the integrity of the Games' electronic systems but said little beyond that, declining to reveal the source of the attack.
"We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure," IOC spokesman Mark Adams told Reuters, adding that "maintaining secure operations is our purpose".
In the wake of Winter Olympics hack, some have pointed to North Korea's long-standing conflict with its South Korean neighbours, as well as the list of cyber attacks the country is suspected of orchestrating, such as the WannaCry ransomware attack last May.
Others, however, have disputed this interpretation, citing the fact that North Korea is represented at the games, and the two nations marched together at the opening ceremony for the first time in over a decade.
Instead, Russia has been fingered as a potential culprit by some experts, citing the fact that the country has been banned from competing in the Games over doping scandals as a potential motive.
Russia's foreign ministry stated prior to the opening ceremony that any media allegations suggesting Russia would be behind any attacks on the Games would be false. The IOC has also advised Pyeongchang organisers not to reveal the source of the hack, with spokesman Mark Adams stating that "best international practice says that you don't talk about an attack".
Regardless of who is behind the attacks, security experts do not expect them to stop while the Games are underway.
"It is clear attacks are ongoing and are likely to continue throughout the duration of the games," said McAfee senior analyst Ryan Sherstobitoff. "What is yet to be determined is if actors are working simply to gain disruption or if their motives are greater."
The essential guide to cloud-based backup and disaster recovery
Support business continuity by building a holistic emergency planDownload now
Trends in modern data protection
A comprehensive view of the data protection landscapeDownload now
How do vulnerabilities get into software?
90% of security incidents result from exploits against defects in softwareDownload now
Delivering the future of work - now
The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.Download now