
Cybersecurity firm analyses Olympic Games malware

By Staff Writer, ITWeb
Johannesburg, 09 Mar 2018
Attribution has to be taken extremely seriously.

The Olympic Destroyer malware employed a highly sophisticated false flag to throw threat hunters off the scent of its real origin, research by Kaspersky Lab's Global Research and Analysis Team has revealed.

During the recent Winter Olympic Games held in Pyeongchang, the Olympic Destroyer worm caused a cyber attack that temporarily froze IT systems ahead of the official opening ceremony last month. The attack shut down display monitors, killed the WiFi, and took down the Olympics' Web site to prevent visitors from printing tickets.

Kaspersky Lab has also found that several ski resort facilities in South Korea suffered from this worm, which disabled the operation of ski gates and ski lifts at the resorts. Although the actual impact of attacks with this malware was limited, it clearly contained the capability to be devastating, which luckily didn't happen.

Where did it come from?

According to the security giant, the most interesting aspect of the malware was its origin; the company speculates that no other sophisticated malware has had so many attribution hypotheses put forward as this one.

"Within days of its discovery, research teams from across the globe had attributed the worm to Russia, China and North Korea, based on a number of features previously attributed to cyber espionage and sabotage actors allegedly based in these countries or working for these countries' governments."

Research teams were also trying to establish which cyber criminal group authored the Olympic Destroyer. During the course of their research they came across something that looked to be 100% evidence of the malware's connection to Lazarus - a notorious nation state-backed group linked to North Korea.

Researchers based this on a unique trace left by the attackers. "A combination of certain features of the code development environment stored in the files can be used as a 'fingerprint', in some cases identifying the malware authors and their projects."

In the sample analysed by Kaspersky Lab, the fingerprint was a 100% match to previously known Lazarus malware components, and had zero overlap with any other clean or malicious file known to date to the company. This, in combination with a variety of similarities in tactics, techniques and procedures, drew researchers to the preliminary conclusion that Olympic Destroyer was yet another Lazarus operation.

"However, the motives and other inconsistencies with Lazarus tactics, techniques and procedures uncovered during the investigation by Kaspersky Lab onsite at the compromised facility in South Korea made researchers revisit the rare artefact."

A red herring

Further scrutiny of the evidence, along with manual verification of each feature, revealed to researchers that the set of features did not match the code: it had been forged to perfectly match the fingerprint used by Lazarus, in order to lead threat hunters away from the trail to a more accurate attribution.

Vitaly Kamluk, head of the APAC Research Team at Kaspersky Lab, said that, to their knowledge, the evidence they gathered "was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artefact is very hard to prove. It's as if a criminal had stolen someone else's DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are ready to spend in order to stay unidentified for as long as possible."

He said that attribution has to be taken extremely seriously, considering how politicised cyberspace has become, as the wrong attribution could lead to severe consequences. Threat actors could also try to manipulate the opinion of the security community in order to influence the geopolitical agenda.
