The Olympic Games have always been a symbol of global unity and cooperation, mixed in with friendly competition of course. However, this can also mark the games as a target for groups that don’t share that worldview. This year, the Winter Olympics opening ceremony was targeted by a cyberattack focused on disruption and destruction of systems. The attack resulted in the official website being offline for roughly 12 hours, preventing attendees from accessing tickets and information, as well as disrupting the Wi-Fi at the stadium and various news coverage feeds.
Security researchers at Cisco’s Talos group analyzed the malware and have dubbed it Olympic Destroyer. While it is still unclear how the systems became initially infected, Talos has disclosed some details of how the malware operates. The malware is contained within a binary file which is responsible for propagation across the network. It checks the Address Resolution Protocol (ARP) table on the system to discover additional targets, as well as using the Windows Management Instrumentation Query Language (WQL) to run the request “SELECT ds_cn FROM ds_computer” to find other systems. These are carried out using legitimate administrative tools included with Windows, PsExec and WMI. The other function of the binary file is to drop 2 modules, the credential stealers.
The stealer modules focus on different types of credentials: a web browser module and a system module. The web browser stealer parses the SQLite file in the registry to access stored credentials for
Internet Explorer, Firefox, and Chrome. The system module gathers credentials
from the Local Security Authority Subsystem Service (LSASS), a Windows process
that enforces security policy for the system. Once credentials have been
gathered, the binary file is updated to include the credentials hardcoded in,
to be used on newly infected systems for further access.
After reconnaissance, the malware begins a
destruction phase to disable the system. Using the Windows command line
(cmd.exe), various tasks are carried out to prevent recovery of the system:
deletion of all shadow copies on the system, deletion of the wbadmin catalog,
using bcdedit to change the boot configuration and disable Windows recovery,
and deleting the System and Security Windows Event logs. Finally, the malware
stops and disables all Windows services and shuts down the system, preventing
it from being restarted in a usable state.
Olympic
Destroyer used
well-known Sysinternal tools included with Windows, implying the attacker knew
the targets were Windows-based. Talos also suggested the attacker knew a “lot
of technical details of the Olympic Game infrastructure such as username,
domain name, server name, and
obviously
password.”
https://threatpost.com/olympic- destroyer-malware-behind-winter- olympics-cyberattack-researchers- say/129918/
https://thehackernews.com/2018/02/p yeongchang-2018-winter-olympics.html
and The CIP from Peraton