The Pyeongchang Winter Olympics taking place in South Korea was disrupted over the weekend following a malware attack before and during the opening ceremony on Friday.
The cyber attack coincided with 12 hours of downtime on the official website for the Winter Games, the collapse of Wi-Fi at the Pyeongchang Olympic stadium and the failure of televisions and internet at the main press center, leaving attendees unable to print their tickets for events or get venue information.
The Pyeongchang Winter Olympics organizing committee confirmed on Sunday that a cyber attack hit the network helping run the event during the opening ceremony, and that service was fully restored by 8 am local time on Saturday, a full 12 hours after the attack began.
Multiple cybersecurity firms published reports on Monday suggesting that the cause of the disruption was “destructive” wiper malware that had been spread throughout the Winter Games’ official network using stolen credentials.
Dubbed “Olympic Destroyer” by researchers at Cisco Talos, the wiper malware focuses on taking down networks and systems and wiping data, rather than stealing information.
The Talos researchers would not comment on attribution, but various security experts have already begun attributing the Olympic Destroyer malware to hackers linked to North Korea, China or Russia.
According to the analysis by Cisco Talos, the attacker had intimate knowledge of the Pyeongchang 2018 network’s systems and knew a “lot of technical details of the Olympic Game infrastructure such as username, domain name, server name, and obviously password.”
“The additional factor to consider here is that by using the hard-coded credentials within this malware it’s also possible the Olympic infrastructure was already compromised previously to allow the exfiltration of these credentials,” the researchers said.
The Olympic Destroyer malware drops two credential stealers, a browser credential stealer and a system credential stealer, to obtain the required credentials, and then spreads to other systems using PsExec and Windows Management Instrumentation (WMI), two legitimate Windows administration tools used by network admins to access and carry out actions on other PCs on a network.
The researchers noted that both built-in tools were also abused by the Bad Rabbit ransomware and the NotPetya wiper malware last year.
Once installed, the malware first deletes all possible “shadow” copies of files and Windows backup catalogs, turns off recovery mode and then deletes system logs to cover its tracks and make file recovery difficult.
“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. The sole purpose of this malware is to perform destruction of the host and leave the computer system offline,” reads the Talos blog post.
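The recovery-wiping chain described above (shadow copies, backup catalogs, recovery mode, event logs) plus PsExec/WMI lateral movement is what a defender would hunt for in process-creation telemetry. The following is an added detection example, not code from the article or from Talos; it assumes Sysmon-style events with `host` and `cmdline` fields, uses constructed sample events, and treats `wmic /node:` as a stand-in for WMI remote execution, which is an assumption.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real Olympic telemetry).
# ws01 shows the full recovery-wiping chain plus PsExec lateral movement;
# ws02 runs a single legitimate-looking backup command that must not fire.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"psexec.exe \\ws02 -accepteula -s cmd.exe /c stage.exe"},
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "ws01", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "ws01", "cmdline": "wevtutil.exe cl System"},
    {"host": "ws02", "cmdline": "wbadmin.exe start backup -backupTarget:E: -include:C:"},
]

# Recovery-tampering behaviours the article describes, keyed by command-line pattern.
RECOVERY_TAMPERING = [
    ("shadow_copies_deleted", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s+\w", re.I)),
]
# Remote-execution tooling named in the article; wmic is an assumed stand-in for WMI use.
LATERAL_MOVEMENT = [
    ("psexec", re.compile(r"psexe(c|svc)(\.exe)?", re.I)),
    ("wmi_remote_exec", re.compile(r"wmic(\.exe)?\s+.*/node:", re.I)),
]

def classify(event):
    """Return the behaviour tags whose pattern matches this event's command line."""
    return [tag for tag, rx in RECOVERY_TAMPERING + LATERAL_MOVEMENT if rx.search(event["cmdline"])]

def tags_by_host(events):
    """Aggregate distinct tags per host; the host is the unit of a wiper infection."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(classify(ev))
    return dict(seen)

def wiper_like_hosts(events, min_tampering=3):
    """Hosts with at least `min_tampering` distinct recovery-tampering behaviours.
    One deletion on its own is noisy (admins run it); the chain is the wiper signature."""
    tamper = {tag for tag, _ in RECOVERY_TAMPERING}
    return sorted(h for h, t in tags_by_host(events).items() if len(t & tamper) >= min_tampering)

if __name__ == "__main__":
    for host, tags in sorted(tags_by_host(SAMPLE_EVENTS).items()):
        print(host, sorted(tags))
    print("wiper-like hosts:", wiper_like_hosts(SAMPLE_EVENTS))  # -> ['ws01']
```

Requiring several distinct tampering behaviours on one host, rather than alerting on any single command, keeps routine administrative use of these tools from drowning the real signal.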
It’s difficult to accurately attribute this cyber attack to a specific group or nation-state hackers, due to the sparse technical evidence to support such a conclusion as well as hackers often employing techniques to obfuscate their operations.