“This attacker had no intention of leaving the machine usable,” a team of researchers at Cisco’s Talos threat intelligence division wrote in an analysis on Monday. “The purpose of this malware is to perform destruction of the host” and “leave the computer system offline.”
Talos researchers noted there was a nuance to the attack that they had not seen before: even though the hackers demonstrated that they had the ability to destroy victims’ computers, they stopped short of doing so. They erased only backup files on Windows machines and left open the possibility that responders could still reboot the computers and fix the damage.
[Photo caption: Fireworks explode behind the Olympic flame during the opening ceremony of the 2018 Winter Olympics in Pyeongchang, South Korea.]
“Why did they pull their punch?” asked Craig Williams, a senior technical leader at Talos. “Presumably, it’s making some political message” that they could have done far worse, he said.
Talos’ findings matched those of other internet security companies, like CrowdStrike, which determined that the attacks had been in the works since at least December. Adam Meyers, vice president of intelligence at CrowdStrike, said his team had discovered time stamps showing that the destructive payload that hit the opening ceremony was constructed on December 27 at 11:39 a.m. Coordinated Universal Time — which converts to 8:39 p.m. in South Korea.
Attackers clearly had a target in mind: the domain name Pyeongchang2018.com was hard-coded into their payload, as was a set of stolen credentials belonging to Pyeongchang Olympic officials. Those stolen credentials allowed the attackers to spread their malware throughout the computer networks that support the Winter Games last Friday, just as the opening ceremony was timed to begin.
Security companies would not say who was behind the attack, but some digital crumbs led to a familiar culprit: Fancy Bear, the Russian hacking group with ties to Russian intelligence services.
On Wednesday, two days before the ceremony, the Russian Ministry of Foreign Affairs made an apparent attempt to pre-empt any accusations of Russian cyberattacks on the Games. In a statement, released in English, German and Russian, the agency accused Western governments, press and information security companies of waging an “information war” accusing Russia of “alleged cyber interference” and “planning to attack the ideals of the Olympic movement.”
This was not the first Olympic opening ceremony that was a target for hackers. In the lead-up to the 2012 London Games, investigators uncovered attack tools and the blueprints to the Olympic Stadium’s building management systems on a hacker’s computer.
It appeared that hackers planned to take out the power to the stadium, said Oliver Hoare, who led cybersecurity matters for the London Games. But officials successfully prevented an attack.