Olympic Destroyer (2018)
|Date||December 2017 through February 2018 (culmination on February 9, 2018)|
|Suspected actor||Russian Federation (official attribution made by the US and the UK)|
|Target||The Winter Olympics hosted in Pyeongchang, South Korea. In particular, the operation targeted computers supporting the 2018 PyeongChang Winter Olympic Games, South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials.|
|Method||The operation ran from December 2017 through February 2018 by means of spear-phishing campaigns and malicious mobile applications, culminating on February 9, 2018 in a destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer. This malware was designed to knock computers offline by deleting critical system files, which would render the machines useless.
The Olympic Destroyer malware was very sophisticated in how it obscured its origin, as it contained layers of false clues pointing at multiple potential culprits. Within a few days of its discovery, research teams from all over the world detected a number of features previously attributed to cyber-espionage and sabotage actors allegedly based in (or working for) China, Russia and North Korea. For example, the malware code seems to have been designed to match the fingerprint used by the North Korean group Lazarus.
Consequently, experts regard the fingerprint of Olympic Destroyer as a very sophisticated false flag, intentionally placed inside the malware to give the impression of ‘smoking gun’ evidence leading to attribution to a different actor. The UK National Cyber Security Centre also confirmed that "the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony."|
|Purpose||Disruption seems to be the primary objective in this type of attack, causing embarrassment to the Olympic committee during the opening ceremony. It is therefore believed that this cyber operation did not pursue financial gain or exfiltration of data, but rather sought to cause chaos. One of the motivations behind this cyber operation might be retaliation against the International Olympic Committee for its decision to ban Russia from competing under its own flag at Pyeongchang 2018 because of allegations of state-sponsored doping.|
|Result||Due to the deletion of critical system files, some of the Winter Games' internal servers, including the Olympic website, display monitors as well as the public Wi-Fi, crashed. This left some people unable to print out their tickets or watch the opening ceremony. However, the Olympic organizers were able to get systems working again within several hours (in contrast to the damage caused by NotPetya, whose victims in many cases permanently lost tens of thousands of computers and took weeks to fully recover).|
|Aftermath||Initially, the organizers declined to name any potential suspects or motives behind the attack. Later on, the cyber operation was followed mainly by condemnations and accusations directed at Russia and its GRU organisation. The UK and the US in particular put pressure on Russia. The UK publicly exposed this and other attacks as the work of the GRU. Six Russian GRU officers were even charged by the US in connection with worldwide deployment of destructive malware and other disruptive actions in cyberspace, which included the Olympic Destroyer incident.
It is believed that the same actor (the GRU) is behind cyber reconnaissance against officials and organisations affiliated with the 2020 Olympic and Paralympic Games, which were due to take place in Tokyo before they were postponed.|
|Analysed in||Scenario 21: Misattribution caused by deception|
- Andy Greenberg, ‘The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History’ (Wired, 17 October 2019)
- U.S. Department of Justice, ‘Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace’ (justice.gov, 19 October 2020)
- Foreign, Commonwealth & Development Office, ‘UK exposes series of Russian cyber attacks against Olympic and Paralympic Games’ (gov.uk, 19 October 2020)
- See also Kim Sengupta, ‘Britain accuses Russia of cyberattacks on Tokyo 2020 Olympics’ (Independent, 20 October 2020)
- Jim Finkle, ‘'Olympic Destroyer' malware targeted Pyeongchang Games: firms’ (Reuters, 12 February 2018)
- On more technical aspects of the cyber operation, see Christopher Kanaracus, ‘‘Olympic Destroyer’ Malware Behind Winter Olympics Cyberattack, Researchers Say’ (threatpost, 12 February 2018) and Warren Mercer, Paul Rascagneres, ‘Olympic Destroyer Takes Aim At Winter Olympics’ (Talos, 12 February 2018)
- ‘The Olympic False Flag: How infamous OlympicDestroyer malware was designed to confuse cybersecurity community’ (kaspersky, 8 March 2018)
- National Cyber Security Centre, ‘UK and partners condemn GRU cyber attacks against Olympic and Paralympic Games’ (ncsc.gov.uk, 19 October 2020)
- Alfred Ng, Daniel van Boom, ‘Winter Olympics cyberattack designed to cause chaos’ (cnet, 12 February 2018)
- Karolos Grohmann, ‘Russia banned from Pyeongchang Winter Olympics’ (Reuters, 5 December 2017); Ippolito Forni, ‘2020 Tokyo Summer Olympics From a CTI Perspective’ (EclecticIQ, 12 August 2019)
- Andy Greenberg, ‘'Olympic Destroyer' Malware Hit Pyeongchang Ahead of Opening Ceremony’