Olympic Destroyer

The opening ceremony of the Winter Olympics held in Pyeongchang, South Korea was disrupted by a cyber-attack caused by the Olympic Destroyer trojan, a piece of malware designed to destroy data. The trojan caused faulty Wi-Fi connections, disrupted television and internet services, and knocked the main press center offline.

Olympic Destroyer is Windows-based malware that drops files onto the target system to steal computer account credentials and passwords stored in web browsers such as Internet Explorer, Chrome, and Firefox. Once these passwords are obtained from the target system, the attackers behind the campaign use them to move laterally through the network and destroy data.

During initial execution, the malware writes multiple files to disk. Similar to Bad Rabbit, it uses the Command Prompt (cmd.exe) on the host to launch vssadmin and delete the system's shadow copies. It then deletes WBAdmin.exe, which is used to manage backup configurations and recover files, along with the backup catalogue. Olympic Destroyer next manipulates BCDEdit to prevent the Windows recovery console from attempting to repair any files on the infected system. Lastly, it tries to evade detection by deleting the System and Security Windows event logs, making forensic analysis of the infected system more challenging.

Based on the steps Olympic Destroyer takes during infection, it is evident that its primary function is to destroy the target host and take the system offline, leaving the system administrator with limited means of recovery. Although the initial distribution method of this campaign is currently unknown, the malware contains hardcoded credentials for systems associated with the Winter Olympics, suggesting that the attackers already had some form of access to these systems before the attack. Researchers also believe that the individual or group behind the campaign knew several technical details about the Olympic Games infrastructure, such as domain names and server names, prior to the attack.
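From a defender's side, the destructive sequence described above is visible in process-creation telemetry. The following Python is an added example, not part of the original write-up: it flags a host whose cmd.exe spawns several of the stages described (shadow copy deletion, backup catalogue deletion, recovery disabled, System/Security event logs cleared). The hostnames, the command-line patterns and the sample events are constructed assumptions, not indicators taken from the page.

```python
import re
from collections import defaultdict

# Stage label -> regex over a lowercased command line. Patterns use the standard
# arguments of the utilities the write-up names; they are assumptions, not page data.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    "event_log_cleared": re.compile(r"\bwevtutil(?:\.exe)?\b.*\bcl\b.*\b(?:system|security)\b"),
}

def classify(cmdline):
    """Return the destructive stage a single process command line matches, or None."""
    text = cmdline.lower()
    for stage, pattern in RULES.items():
        if pattern.search(text):
            return stage
    return None

def analyse(events, min_stages=3):
    """Group process-creation events (dicts with 'host', 'parent', 'cmdline') by host
    and alert when cmd.exe has spawned at least `min_stages` distinct stages."""
    stages = defaultdict(set)
    for ev in events:
        found = stages[ev["host"]]  # create an entry for every host seen
        stage = classify(ev["cmdline"])
        # Only count stages launched from cmd.exe, the parent the write-up describes.
        if stage and ev["parent"].lower().endswith("cmd.exe"):
            found.add(stage)
    return {host: {"stages": sorted(found), "alert": len(found) >= min_stages}
            for host, found in stages.items()}

# Constructed sample telemetry: hostnames and command lines are invented.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"host": "PRESS-WS01", "parent": CMD,
     "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "PRESS-WS01", "parent": CMD, "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "PRESS-WS01", "parent": CMD,
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "PRESS-WS01", "parent": CMD, "cmdline": "wevtutil.exe cl Security"},
    # Routine administration: listing shadow copies is not a destructive stage.
    {"host": "ADMIN-WS02", "parent": CMD, "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for host, verdict in analyse(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Requiring several distinct stages on one host, rather than alerting on any single utility, keeps routine backup and boot administration from tripping the rule.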

Reporting and Technical Details: