
Operational Security

6/20/2018
11:05 AM
Jeffrey Burt

Olympic Destroyer Returns With Attacks in Europe

Kaspersky Labs researchers believe the hackers behind the Olympic Destroyer worm that wreaked havoc at the Winter Olympics are now focusing on organizations that research chemical and biological threats in Europe.

The hacking group behind the Olympic Destroyer malware that hit the opening of the Winter Olympics in South Korea earlier this year has resurfaced in a campaign that is targeting organizations in Europe connected to efforts to protect against chemical and biological threats.

Researchers with Kaspersky Lab said this week that they have found the Olympic Destroyer operation is up and running again with tools and spear-phishing documents that have close similarities to those used during the attack in the days leading up to the opening of the Olympic Games in February in PyeongChang, South Korea. The aggressive and destructive network worm attacked vulnerable systems, essentially bringing them down so that they couldn't be used.

The malware also disrupted WiFi in the Olympic stadium, interrupted television signals and interfered with Internet access in the press area. It targeted organizers, partners and suppliers involved with the Olympics.

It's still unclear who is responsible for the Olympic Destroyer campaign, though it's assumed to be a group backed by a nation-state. Initially, it was believed the Lazarus Group, an organization believed to be backed by North Korea's military that has been suspected in a broad array of campaigns in recent years, including last year's high-profile WannaCry ransomware attacks, was responsible. However, indicators associated with Olympic Destroyer created confusion, and Kaspersky researchers said in March that the Olympic Destroyer cybercriminals had created sophisticated "red flags" to throw threat hunters off the trail.

Eventually Lazarus was dropped as a suspect. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues.)

No group has been identified as the Olympic Destroyer creators, who it was assumed had moved on.

"The resurgence of Olympic Destroyer is surprising, as initial expectations were for the group to stay low or even disappear altogether," Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Security Now in an email.

Now Olympic Destroyer is back and targeting organizations in Germany, France, Switzerland, the Netherlands and Ukraine, as well as Russia. The groups that are in the crosshairs are all involved in research about chemical and biological threats, which opens up a host of possibilities of why those industries are being targeted.

"We noticed a variety of financial and non-financial targets, which could mean that the same malware was used by several groups with different interests -- such as a group primarily interested in financial gain through cybertheft and another group looking for espionage targets," Baumgartner wrote. "This could also be a result of outsourcing, which is not uncommon among nation-state actors. In the case of chemical and biological organizations, the threat actor could be looking to cause disruption, as was the case during the 2018 Winter Olympics. Or, this overall activity could be the same group repeating techniques of previous attacks and targeting at the time of the Winter Olympics in South Korea, where the group spear-phished partners and supply chain in an attempt to reach their true targets."

The Kaspersky researchers noted that the reconnaissance stage of the attack on the South Korean Olympics began a couple of months before the destructive attacks themselves, which means that the cybercriminals behind the newest campaign may be preparing for a similar attack. Given that, the organizations involved in the work being targeted should stay on high alert, they said.

The threat actors behind the recent attacks are using spear-phishing documents that resemble those used during the Olympics campaign, according to Kaspersky.

One document referenced the Spiez Convergence, which is a biochemical threat conference in Switzerland, while another one in Ukraine was aimed at a unit of a health and veterinary control authority. Some of the malicious documents are written in German and Russian, and all of the payloads were made to enable access to the compromised computers.

The second stage of the attack featured an open source framework known as PowerShell Empire.

Kaspersky researchers believe the hackers use compromised web servers running the open source content management system Joomla to host and control the malware, with indications that outdated versions of Joomla could have been used to compromise the servers.

Researchers cautioned that the private and public sectors need to work together across borders to help analyze and fight the new threat. However, Baumgartner said that in the current world situation such cooperation isn't always easy, which plays into the hands of attackers such as those behind Olympic Destroyer.

"Unfortunately, the geopolitical situation in the world today is only aiding global segmentation of the Internet, which creates difficulties for researchers and investigators," he said. "This fragmentation will encourage [Lazarus] APT to continue intruding into the protected networks of foreign governments and commercial companies."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
