Olympic Destroyer

The opening ceremony of the Winter Olympics held in Pyeongchang, South Korea, was disrupted by a cyber-attack caused by a malware variant designed to destroy data. The malware used in the incident, dubbed Olympic Destroyer by researchers at Cisco Talos, caused faulty Wi-Fi connections, disrupted television and internet services, and knocked the main press center offline. Olympic Destroyer is a Windows-based malware that works by dropping files onto the target system to steal computer account credentials and passwords stored in web browsers such as Internet Explorer, Chrome, and Firefox. Once these passwords are obtained from the target system, they are used by the hackers behind the campaign to move laterally through the network and destroy data. Based on the steps that Olympic Destroyer takes during the infection process, it is evident that its primary function is to destroy the target host and take the system offline, leaving the system's administrator with limited means of recovery. Although the initial distribution method of this campaign is currently unknown, the malware contains hardcoded credentials from systems associated with the Winter Olympics, suggesting that the attackers already had some form of access to these systems before this attack. Researchers also believe that the individual or group behind the campaign knew several technical details about the Olympic Games infrastructure, such as domain names and server names, prior to the attack. Although this attack targeted systems used to support and promote the Winter Olympics, it highlights the risks posed by compromised credentials and emphasizes the importance of maintaining data backups.
The NJCCIC would like to take this opportunity to remind members that the best way to ensure the integrity and availability of data before, during, and after a cyber-attack is by implementing a comprehensive data backup and recovery plan that includes regularly testing backups, storing them off the network, and keeping them in a secure location. Additionally, members are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.