“This attacker had no intention of leaving the machine usable,” a team of researchers at Cisco’s Talos threat intelligence division wrote in an analysis Monday. “The purpose of this malware is to perform destruction of the host” and “leave the computer system offline.”
In an interview, Talos researchers noted that there was a nuance to the attack that they had not seen before: Even though the hackers clearly demonstrated that they had the ability to destroy victims’ computers, they stopped short of doing so. They erased only backup files on Windows machines and left open the possibility that responders could still reboot the computers and fix the damage.
“Why did they pull their punch?” asked Craig Williams, a senior technical leader at Talos. “Presumably, it’s making some political message” that they could have done far worse, he said.
Talos’s findings matched those of other internet security companies, like CrowdStrike, which determined on Monday that the attacks had been in the works since at least December. Adam Meyers, vice president of intelligence at CrowdStrike, said his team had discovered time stamps that showed the destructive payload that hit the opening ceremony was constructed on Dec. 27 at 11:39 a.m. Coordinated Universal Time — which converts to 6:39 a.m. Eastern Time, 2:39 p.m. in Moscow and 8:39 p.m. in South Korea.
Attackers clearly had a target in mind: The word Pyeongchang2018.com was hard-coded into their payload, as was a set of stolen credentials belonging to Pyeongchang Olympic officials. Those stolen credentials allowed attackers to spread their malware throughout the computer networks that support the Winter Games on Friday, just as the opening ceremony was timed to begin.
Security companies would not say definitively who was behind the attack, but some digital crumbs led to a familiar culprit: Fancy Bear, the Russian hacking group with ties to Russian intelligence services. Fancy Bear was determined to be the more brazen of the two Russian hacking groups behind an attack on the Democratic National Committee ahead of the 2016 presidential election.
Beginning in November, CrowdStrike’s intelligence team witnessed Fancy Bear attacks that stole credentials from an international sports organization, Mr. Meyers said. He declined to identify the victim but suggested that the credential thefts were similar to the ones that hackers would have needed before their opening ceremony attack.
On Wednesday, two days before the ceremony, the Russian Ministry of Foreign Affairs made an apparent attempt to pre-empt any accusations of Russian cyberattacks on the Games. In a statement, released in English, German and Russian, the agency accused Western governments, press and information security companies of waging an “information war” accusing Russia of “alleged cyber interference” and “planning to attack the ideals of the Olympic movement.”
This was not the first Olympic opening ceremony that was a target for hackers. In the lead-up to the 2012 London Games, investigators uncovered attack tools and the blueprints to the Olympic stadium’s building management systems on a hacker’s computer.
It appeared that hackers planned to take out the power to the stadium, said Oliver Hoare, who led cybersecurity matters for the London Games. But officials successfully prevented an attack.