
Woburn, MA – June 19, 2018 – Kaspersky Lab researchers tracking Olympic Destroyer, the cyberthreat that infamously struck the opening of the Winter Olympic Games in Pyeongchang with a destructive network worm, have discovered that the hacking group behind it is still active. It now appears to be targeting Germany, France, Switzerland, the Netherlands, Ukraine and Russia, with a focus on organizations involved in protection against chemical and biological threats.

Olympic Destroyer is an advanced threat that hit organizers, suppliers and partners of the Winter Olympic Games 2018 in Pyeongchang, South Korea, with a cyber sabotage operation based on a destructive network worm. Many indicators pointed in different directions for the origins of the attack, causing some confusion in the information security industry in February 2018. A few rare and sophisticated signs discovered by Kaspersky Lab suggested that the Lazarus group, a North Korea-linked threat actor, was behind the operation; however, in March the company confirmed that the campaign featured an elaborate and convincing false flag operation, and that Lazarus was unlikely to be the source. Researchers have now found that the Olympic Destroyer operation is back in action, using some of its original infiltration and reconnaissance toolset and focusing on targets in Europe.

The threat actor is spreading its malware through spear-phishing documents that closely resemble the weaponized documents used in preparation for the Winter Olympics operation. One such decoy document referred to the ‘Spiez Convergence,’ a biochemical threat conference held in Switzerland and organized by the Spiez Laboratory, an organization that played a key role in the Salisbury attack investigation. Another document targeted an entity of the health and veterinary control authority of Ukraine. Some of the spear-phishing documents uncovered by researchers contain text in Russian and German.

All final payloads extracted from the malicious documents were designed to provide generic remote access to the compromised computers. An open-source and free post-exploitation framework, widely known as PowerShell Empire, was used for the second stage of the attack.

The attackers appear to use compromised legitimate web servers to host and control the malware. These servers run a popular open-source content management system (CMS) called Joomla. The researchers found that one of the servers hosting the malicious payload ran a version of Joomla (v1.7.3) released in November 2011, which suggests that the attackers may have gained control of the servers by exploiting a badly outdated installation of the CMS.

Based on Kaspersky Lab telemetry and files uploaded to multi-scanner services, the targets of interest in this Olympic Destroyer campaign appear to have been entities in Germany, France, Switzerland, the Netherlands, Ukraine and Russia.

“The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever and showed how easy it is to make a mistake with only fragments of the picture that are visible to researchers,” said Vitaly Kamluk, security researcher, Global Research and Analysis Team, Kaspersky Lab. “The analysis and deterrence of these threats should be based on cooperation between the private sector and governments across national borders. We hope that by sharing our findings publicly, incident responders and security researchers will be better equipped to recognize and mitigate such an attack at any stage in the future.”

In the previous attack on the Winter Olympic Games, the reconnaissance stage began a couple of months before the outbreak of the self-modifying destructive network worm. It is highly possible that Olympic Destroyer is preparing a similar attack with new motives. That is why Kaspersky Lab advises biological and chemical threat research entities to stay on high alert and to launch an out-of-schedule security audit where possible.

Kaspersky Lab products successfully detect and block Olympic Destroyer-related malware.

For further information on the return of Olympic Destroyer, including Indicators of Compromise, read the blog on Securelist.

About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company that has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Media Contact

Jessica Bettencourt
781.503.7851
Jessica.Bettencourt@kaspersky.com

Olympic Destroyer returns, targeting chemical and biological threat protection entities in Europe

Kaspersky Lab researchers find the infamous cyberthreat that struck the 2018 Winter Olympic Games is still active and targeting new organizations