Cybercriminals targeted the opening ceremonies of the Pyeongchang Winter Olympics in South Korea last Friday.
The malware took down the Olympics’ official website for at least 12 hours, while the wifi network in the Olympic stadium was also affected. On top of this, the televisions and Internet connections in the main press venue were also taken down – making some attendees unable to print their tickets or get venue information.
The event’s organising committee confirmed the malware attack on their system during the opening weekend, with the full restoration of the network coming 12 hours after the attack at 8 AM local time on Saturday.
Authorities reported the cause of the downtime was a destructive type of wiper malware, believed to have been spread throughout the network through stolen login credentials.
Called the Olympic Destroyer by some researchers, the malware focused on disrupting the network and wiping data, but not stealing any of the information.
While there have been no solid leads on who was behind the attack, some experts point to hackers connected to North Korea, China, or Russia.
Based on a report by some experts, the attacker(s) had deep knowledge of the Olympics’ networks because they had access to a “lot of technical details of the Olympic Game infrastructure such as username, domain name, server name, and obviously password.”
Researchers added that something to consider is that the network could have already been compromised beforehand to allow hackers to exfiltrate the credentials.
The Olympic Destroyer is believed to have used two kinds of credential stealers, one for browser credentials and one for system credentials. It then spreads to other connected systems, using legitimate Windows tools to access and act on other computers on the network.
These tools were similar to those employed by two other major cyberattacks from last year, namely the Bad Rabbit ransomware and the NotPetya wiper malware.
Once installed on a computer, the malware deletes all available file copies and backup catalogues. It then shuts off recovery mode and deletes system logs, making it harder to trace and making file recovery much more difficult.
Removing every available recovery method also showed that the actors intended to make the machines unusable. The malware’s purpose is to destroy the host and make sure the system remains offline.
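The behaviours described above (backup copies and catalogues deleted, recovery disabled, logs cleared) are the kind of pattern a defender can correlate in host telemetry. The following detector is an added example, not code from the article or from any vendor; it runs over constructed Windows event records, and the specific commands it matches (vssadmin, wbadmin, bcdedit) are assumed here as the usual built-in ways those actions appear in process-creation logs, not something the article names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): simplified Windows event records.
# Event 4688 = process creation, Event 1102 = security audit log cleared.
SAMPLE_EVENTS = [
    {"ts": "2018-02-09T20:01:00", "host": "PC-A", "id": 4688, "cmd": "notepad.exe report.txt"},
    {"ts": "2018-02-09T20:02:10", "host": "PC-B", "id": 4688, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2018-02-09T20:02:15", "host": "PC-B", "id": 4688, "cmd": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2018-02-09T20:02:20", "host": "PC-B", "id": 4688, "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2018-02-09T20:02:40", "host": "PC-B", "id": 1102, "cmd": ""},
    {"ts": "2018-02-09T21:30:00", "host": "PC-C", "id": 4688, "cmd": "wbadmin.exe delete catalog -quiet"},
]

# Assumed command patterns, each mapped to one behaviour the article describes.
RECOVERY_KILL_PATTERNS = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

def classify(event):
    """Return the behaviour label an event matches, or None for benign events."""
    if event["id"] == 1102:
        return "audit_log_cleared"
    if event["id"] == 4688:
        for label, pat in RECOVERY_KILL_PATTERNS.items():
            if pat.search(event["cmd"]):
                return label
    return None

def find_wiper_like_hosts(events, window=timedelta(minutes=10), min_behaviours=2):
    """Flag hosts where at least `min_behaviours` distinct anti-recovery or
    anti-forensics behaviours occur within `window` of each other.
    A single backup deletion (e.g. a scheduled admin job) is not enough;
    the combination within minutes is what looks like a wiper.
    Returns {host: sorted list of behaviour labels}."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), label))
    flagged = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            labels = {lab for t, lab in items[i:] if t - t0 <= window}
            if len(labels) >= min_behaviours:
                flagged[host] = sorted(labels)
                break
    return flagged
```

On the sample data only PC-B is flagged; PC-C shows a lone catalogue deletion and stays below the threshold.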
While there are theories on who might have been behind the attack, it is still difficult to pinpoint a specific group since there is little evidence to show who was responsible.