Malicious Life Podcast: Olympic Destroyer

In the midst of 35,000 exhilarated spectators eagerly chanting the time-honored countdown to kick off the 2018 Pyeongchang Winter Olympics, a sinister malware crept through the games' network, threatening to disrupt the highly-anticipated event. The obvious question in everyone’s minds was - who was responsible for the attack? Who was vile enough to launch such a potentially destructive attack against an event which, more than anything, symbolizes peace and global cooperation? – check it out...

 

Powered by RedCircle

ran-levi-headshot
About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:

All Posts by Malicious Life Podcast

Transcript

It’s November 28, 2017, and the city of Pyeongchang is bustling with activity. In a little more than three months, the beautiful mountainous South Korean city will host the opening ceremony of the 2018 Winter Olympics, and thousands of athletes, journalists and fans will flood its streets, ski lanes and world-famous Buddhist temples. 

No one was probably more busy than the members of the Pyeongchang Organizing Committee, who were responsible for the preparations. The Winter Olympics is one of the biggest sporting events in the world, and they have been working hard towards this event for the past six years. After all, South Korea’s national pride is on the line: millions of people from all over the world will be tuning in to watch the opening ceremony and the following events.

While all this commotion and activity was going on, an email landed in the mailboxes of thirty people: some were members of the organizing committee, others were ‘Olympic partners’ – employees of organizations and businesses that worked with the organizing committee, such as two local ski resorts and the company which provided the official timekeeping service of the games. The email, titled ‘List of Delegates’, was from none other than the Vice-President of the International Olympics Committee: it’s safe to assume that most, if not all the recipients of this email, opened it. 

A .zip file was attached to the email, containing a Microsoft Word document, which supposedly held the actual list of VIP delegates to the games. But when the recipients tried to open the document – they were presented with garbled and gibberish text. 

Ah. It’s probably an encoding problem: you know how it is – sometimes it’s hard to get vastly different languages such as English and Korean to play nicely in the same document… Luckily, a button appeared at the top of the document, labeled ‘Enable Content.’ That will surely fix the problem…

Since you’re listening to a podcast about cyber security, I don’t think I need to tell you that clicking on that button was a very, very bad idea. But apparently, at least some of the recipients did. Unsurprisingly, pressing the button executed a PowerShell script that downloaded and executed a second malware that planted a backdoor in the system. 

For the next three months, hundreds of similar emails were sent to many people who were somehow involved with the preparations towards the Winter Olympics, such as employees of the South Korean Ministry of Agriculture, Food and Rural Affairs, and employees of the Korean Ministry of Public Safety and Security. Crucially, some of the emails landed in the inboxes of two IT companies – the companies which provided the servers and networking equipment which formed the computing infrastructure for games: thousands of computers supporting everything from ticketing services to ski lifts. 

In the weeks leading up to the games, one of these IT companies struggled with numerous glitches and malfunctions in their network. But with a network so complicated – such bugs and hitches are to be expected, and there was more than enough time to work out all the kinks out of the system… Nobody gave the glitches a second thought. 

The Opening Ceremony

And then, on February 9th, came the moment everyone was eagerly waiting for: The 2018 Winter Olympics opening ceremony. 35,000 excited spectators filled the huge pentagonal stadium, and hundreds of cameras streamed the event to viewers in more than 200 countries all over the world. As the enthusiastic crowd was chanting the time-honored countdown towards the start of the ceremony, a worm was waking up somewhere inside the olympic network. 

The malware scanned the computer it had infected, and scoured it for user and browser credentials. It then used the credentials it found to log on to other computers on the network. When the malware discovered new credentials in a newly infected computer, it compiled a new version of itself with the augmented set of credentials and used the new binary to infect the next computer in line. All in all, it was an incredibly efficient method of propagation in a confined environment such as the Olympic Games network. 

Once an infected machine was fully compromised and its credentials exfiltrated, the malware sprung its malicious payload: it wiped the computer’s Boot Configuration Data and all backups, thus crashing the computer and making it unbootable. 

From Wired magazine, quote: 

“As the opening ceremony got underway, thousands of fireworks exploded around the stadium on cue, and dozens of massive puppets and Korean dancers entered the stage. [Sang-jin] Oh [director of technology for the Pyeongchang Olympics organizing committee] saw none of it. He was texting furiously with his staff as they watched their entire IT setup go dark. […]

As Oh made his way out of the press section toward the exit, reporters around him had already begun complaining that the Wi-Fi seemed to have suddenly stopped working. Thousands of internet-linked TVs showing the ceremony around the stadium and in 12 other Olympic facilities had gone black. Every RFID-based security gate leading into every Olympic building was down. The Olympics’ official app, including its digital ticketing function, was broken too; when it reached out for data from backend servers, they suddenly had none to offer.”

The attack concentrated on a class of computers called ‘Domain Controllers’: the machines who controlled authentication and authorization for many digital services – from Wifi to the Official Olympic app. Ski gates and Ski lifts were disabled. Hundreds of computers went dark. It was the nightmare everyone in the organizing committee was dreading. 

But the South Koreans were not caught off guard. South Korea has suffered many cyber attacks from its totalitarian neighbor and nemesis, North Korea – and so the threat of a cyber attack during the Olympic Games was always present during the planning. 

Within minutes, the staffers at the games’ Technology Operation Center sprang into action. Using a temporary workaround, they bypassed the dead Domain Controllers and brought many critical services, such as WiFi and internet-linked TVs, back online just minutes before the opening ceremony concluded and tens of thousands of athletes and visitors streamed out of the stadium. 

Later that night, the engineers waged battle with the malware that crippled their network: every time a server was brought back online – it quickly became infected again, and crashed. A local anti-virus vendor quickly crafted an identifying signature for the malware, but It took a drastic measure – cutting the entire Olympic network from the internet – for the tide to turn in their favor. 

Finally, by 8am the following morning, the battle was won: the malware was cleared from the network, and all digital services resumed – just in time for the first skating and ski jumping events. In fact, most of the participants weren’t even aware of what had happened during the night, and the games went on with almost no interruptions. Ultimately, the 2018 Winter Olympics was globally praised for being impeccably organized and executed. 

Olympic Destoryer

The first to analyze the malware were researchers from Cisco’s Talos security division, and they were also the ones to give it its name: Olympic Destroyer.

During the investigation, they learned that samples of the malware were uploaded to VirusTotal, the malware repository, even as early as two months prior to the attack itself. These samples, it seems, were uploaded to the repository by an anonymous member of the security team of one of the two IT subcontractors who worked in service of the South Korean Olympic Committee. These early samples revealed the attackers spear phishing efforts, and proved that the attack was a classic supply chain attack. 

Olympic Destroyer, it was found, infiltrated the victim network via the two ski resorts which served many of the visitors, and – perhaps most crucially – the desktop computer of the architect who actually designed the games’ network. 

The obvious question in everyone’s minds was – who was responsible for the attack? Who was vile enough to launch such a potentially destructive attack against an event which, more than anything, symbolizes peace and global cooperation? Who wished to humiliate South Korea in front of the whole world? 

Well, the obvious suspect was North Korea, the ultimate ‘bad boy’ of global geopolitics. Given the long running animosity between the two Koreas, it was easy to imagine Kim Jong-un ordering a cyber strike on the Winter Olympics, just to embarrass the ‘evil capitalist enemy’. 

And indeed it didn’t take long for Crowdstrike, a cybersecurity vendor, to discover striking similarities between Olympic Destroyer’s file deletion routines, and code found in malware created by North Korea’s notorious Lazarus cybercrime group. 

Another team of researchers, this time from Kaspersky, found an even more convincing piece of evidence. It was a data structure called ‘Rich Header’, that appears in some of the files used by the malware. This Rich Header metadata consists of pairs of 4 byte integers, and encodes information about the various source files used by the compilation tool who produced the binary. Olympic Destroyer’s Rich Header, they found, was identical to a header that was previously discovered in North Korean malware. This was THE smoking gun everyone was looking for. Case closed. 

Except…it didn’t quite make sense. During the preparations for the Olympic Games, the relationship between the two Koreas actually seemed to become more friendly. Kim Jong-un invited South Korea’s president to visit Pyongyang, and sent his sister as a diplomatic emissary to the games. The two countries even agreed to combine their Olympic women’s hockey teams in a rare act of goodwill. Sure, the North Koreans can seem…unpredictable at times – but reaching out in a friendly handshake with one hand, while executing a crippling cyberattack with the other?…it was odd and illogical, even by North Korean standards. 

And so the investigation continued – and the more it continued, the more bizarre things seemed to get. Intezer, an Israeli cyber security vendor, discovered code snippets in Olympic Destroyer that looked as if they were crafted by APT3 and APT10 – two Chinese hacking groups. And so at this point, everyone was scratching their heads, trying to make sense of the contradictory data. Some analysts pointed at North Korea, others at China. A few even suspected the Russians had a hand in the attack – but no strong evidence for this was uncovered. 

We all know that attribution in cyber is a hard problem – but this?… This was a real mess. 

Rich Headers

There’s something important you need to know about Rich Headers: not a lot of people know about them. There’s no official documentation about Rich Headers, which makes it hard for researchers to learn about the information they contain – plus, they’re rarely useful in malware analysis, so for the most part only automated tools use these headers when classifying newly discovered malware. 

But here and there, there are people who like to dig deeper into the inner workings of such obscure data structures – and Igor Soumenkov is one of them. Soumenkov is a researcher at Kaspersky, and in an interview to Kaspersky’s “Tomorrow Unlocked” YouTube channel, he recalled hearing his colleagues discussing the perfect match between Olympic Destroyer’s Rich Header, and headers found in North Korean malware. 

“I remember just sitting in the office, analyzing some malware, and my colleague was talking to someone else and saying: “Hey, well, there’s something going on and you know, we found a match. I think we can relate it to another attack.” And he’s saying: “Well, there’s a rich header. It completely matched.” And I’m thinking – “well, that’s not really possible. You’re not getting a complete match on the rich header.” So I’m thinking – well, no, that can’t be real. Give me the samples.”

Why was Soumenkov suspicious of the perfect match between the header found in Olympic Destroyer and a header found in a North Korean malware? 

Well, recall that Rich Headers encodes information about the source files present during the malware’s compilation process. This encoding is very sensitive to change, meaning that if we add or remove even a single source file – the resulting header will change as well. It is the same ‘butterfly effect’ that makes hashes so effective in detecting file changes: changing even a single bit of information in a file will bring about a relatively major change in the calculated hash. And although Rich Headers are somewhat less sensitive to changes, Soumenkov knew that it’s highly implausible that any two malwares will produce exactly the header. 

And indeed, when Soumenkov analyzed Olympic Destroyer’s header, it didn’t take him long to realize that something was seriously wrong: the header contents made it seem as if the malware was compiled using Microsoft’s Visual Studio 6 – yet referenced a file, ‘‘mscoree.dll’, which did not exist in this version of Visual Studio.   A more in-depth analysis of the header revealed to Soumenkov that Olympic Destroyer was actually compiled using Visual Studio 2010. 

This could only mean one thing: the original header was a fake, a ruse. The malware authors lifted a header from an existing malware and copied it into theirs in order to convince the researchers that Olympic Destroyer was created by the North Korean Lazarus group. And it almost worked, too! had Igor Soumenkov gone to grab a cup of coffee or go to the toilet instead of overhearing his colleague speaking about their find in Olympic Destroyer, this feint might have been a success. 

“To our knowledge, the evidence we were able to find was not previously used for attribution.”wrote Vitaly Kamluk, Head of the APAC Research team, in a statement released by Kaspersky“Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artifact is very hard to prove. It’s as if a criminal had stolen someone else’ DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are ready to spend in order to stay unidentified for as long as possible. We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this.”

Equipped with this new knowledge, Kaspersky’s researchers re-examined some of the samples of the malware discovered in one of the games’ IT subcontractors. 

They came across a version of Olympic Destroyer that was compiled on the very day of the opening ceremony, at about 11am. This version had one of the malware’s features removed: a 60 minutes delay between the initial infection and the final shutdown of the machine. It seems that two hours prior, an earlier version of the worm was unleashed in one of the ski resorts, and following this ‘test run’ its authors realized that the delay feature was a bad idea, for some reason. They hurriedly compiled a new version of the worm without that delay – but in their rush, forgot to paste the fake header. And indeed, in this version of the worm, the Rich Header was very different from the ‘fake’ one, proving that Igor Soumenkov was right. 

Although it was possible that this was a North Korean ‘double bluff’ – planting fake evidence against itself to make it seem as if it was being framed – most researchers didn’t believe this to be the case, and saw Soumenkov’s discovery as a convincing argument for North Korea’s innocence. But if the Lazarus group wasn’t to blame for the attack on the Winter Olympics – then who was?…

The Smoking Gun

Michal Matonis, a researcher from FireEye, took a different approach to investigating Olympic Destroyer. While most researchers focused on the malware itself, Matonis decided to zoom in on the Microsoft Word files that were attached to the phishing emails sent to the various Olympic Committee members and partners back in November and December of 2017, during the reconnaissance phase of the attack. 

One file he examined contained a Macro script that planted a backdoor in the victim’s computer – but this malicious script was generated using an open-source tool, so this avenue of investigation led him nowhere. But digging deeper into the metadata of the document, Matonis found an IP address: an address, he learned, that was identical to the IP address that Olympic Destroyer itself was using to communicate with its command and control servers. 

Matonis combed through FireEye’s databases, and found two more malicious Word files who had the same exact IP address embedded in their metadata. These files were from 2017 – a full year before the Winter Olympics cyberattack – and crucially, they were part of a campaign against Ukrainian civil rights groups and similar organizations. 

Matonis immediately realized the significance of this find: having the same IP address in all the malicious documents meant   that the attackers were using the same infrastructure in both attacks – and the only country that had a reason to attack both Ukraine and the Olympic games was Russia. 

Digging even deeper into the case, Mantis uncovered a domain name that was linked to one of the IP addresses he found in the documents: account-loginserv.com. This domain rang a familiar bell for Mantis.

A year or so earlier, in August 2016, the FBI released an Amber Flash alert – an emergency notice the Bureau sends to private organizations who are targeted by cyber criminals – titled ‘Targeting Activity Against State Board of Election Systems.’ The alert detailed attacks against the voter systems of two unnamed states, probably in an attempt to influence that year’s election race between Hillary Clinton and Donald Trump. The two states were later identified as Illinois and Arizona: The Illinois attack was successful, and the hackers managed to download the personal data of some 200,000 voters. 

As part of the phishing campaign that preceded the breach, the hackers used spoofed emails pretending to come from VR Systems, a voting tech company, to trick elections officials – and the links in these emails led to fake login page hosted on – you guessed it – account-loginserv.com. 

This finding was the smoking gun that Matonis was looking for: Russia was infamous for its attempts at meddling with the US elections, and so this was more than enough evidence to confidently attribute the Olympic Games cyberattack to Russia. 

“A Bigger Mechanism”

It’s 2010 – eight years prior to the Pyeongchang Winter Games. 

Vitaly Stepanov was working for RUSADA, The Russian Anti-Doping Agency. RUSADA’s official mission statement was to combat the use of drugs in sports – but it didn’t take long for Vitaly, who served in several roles in the organization, including as an advisor to the agency’s director, to realize that RUSADA was not only turning a blind eye to cheating Russian athletes, it was actually enabling such cheating. In an interview for the Evening Standard, he recalled that – 

“[…] I thought I was part of a team to fix this. I then understood I was part of this bigger mechanism that has no belief in clean sport. They need medals and as many medal winners in as many possible sports, especially Olympic sports.”

This ‘bigger mechanism’ was an organized, systematic effort by the Russian government, Sports officials and coaches to help their athletes cheat in international competitions. 

It began following the 2010 Winter Olympics, in which the Russian team failed to win ‘enough’ medals. Russian athletes were given a special concoction of drugs, nicknamed ‘The Dutchess’ after a popular Russian drink, which they then swished in their mouths, rather than drinking or injecting it. The chemicals were quickly absorbed by the thin, inner lining of the cheeks, and were just as quick to disappear from the bloodstream. If a drug test came out positive after all, the result was reported to the Russian Deputy Minister of Sport, who decided on the proper action: if the athlete in question was talented and promising – the incriminating evidence would be removed from RUSADA’s computer records. 

Following his conscience, Vitaly contacted WADA – the World Anti-Doping Agency, set up by the International Olympic Committee – and sent literally hundreds of emails and letters detailing his government’s wrongdoings. But after three years of failing to get WADA to take his claims seriously, Vitaly reached out to a German Journalist who agreed to investigate the matter. 

Vitaly had a close ally in his fight against organized doping: Yulia Stepanova, his wife. Yulia was a runner, specializing in the 800 meter track event. Starting in 2007, her coach persuaded her to take banned steroids, telling her that everyone was doing the same and that doping was the only way to succeed. And indeed, Yulia’s results improved dramatically, earning her a bronze medal in the 2011 European Athletics Indoor Championships in Paris. But two years later, after she failed a drug test, Yulia was banned from all international competitions for two years, and stripped of her medal. Angry and disillusioned, Yulia joined her husband’s efforts and began to secretly record Russian officials, doctors and athletes talking about the state-sponsored scheme to subvert WADA’s anti-doping efforts. 

The couple’s personal testimony, along with Yulia’s clandestine recordings, were aired in 2014, in a German TV documentary. The public’s outcry was loud enough to force WADA to launch a thorough investigation whose results stunned everyone (except the Russians, obviously): It turns out that number of “suspicious” blood and urine samples from Russian athletes exceeded those of all other countries by a notable margin, to put it mildly. Vitaly and Yulia fled Russia a short time prior to the airing of the documentary, of course. 

The rolling snowball, set in motion by the brave couple, ended with a decision by the International Olympics Committee to ban Russia from participating in the 2018 Winter Olympics. Russian officials, as well as athletes accused of cheating, were not permitted to take part in the games: those who were allowed to compete, did so under the neutral Olympic flag. When a Russian athlete made it to the podium, it was the Olympic anthem that was played during the ceremony, rather than the Russian one. 

Unit 74455

Unsurprisingly, many Russians were furious with the Olympics Committee’s decision, seeing it as a humiliating act against the Russian people. Among them were six officers of the GRU, the Russian military intelligence agency: they were Sergey Detistov, the group’s captain, and his five subordinates – Yuriy Andrienko, Pavel Frolov, Anatoly Kovalev, Artem Ochichenko and Petr Pliskin. 

These six men were no ordinary military officers, though. They were part of a notorious hacking group known to the world by many names: some call them Iron Viking, others know them as Telebots, Voodoo Bear or Sandworm. Internally, in the Russian military, they are known as Unit 74455. 

Although our podcast’s 200+ episodes might give the opposite impression, the history of Cyberwar is rather short. Nevertheless, Unit 74455 is responsible for many of the more well known attacks of the past 15 years or so. For example, its hackers were the ones who, in a world first, attacked the Ukrainian power grid in 2015 and 2016, and were also responsible for NotPetya – one of the most damaging and costliest malware ever created. We covered both stories in previous episodes of Malicious Life. 

In November 2017, Sergey and his colleagues turned their sights on the Olympics. Call it ‘Revenge’, or call it the actions of ‘a petulant child with the resources of a nation state’, as the US Department of Justice Assistant Attorney General John Demers put it – the six men were determined to ruin the Olympics for everyone. 

Epilouge

If by launching such a brazen and potentially destructive attack, Russia was hoping to ‘persuade’ the International Olympic Committee to stop inquiring too deeply into doping allegations – it seems that the message didn’t have the effect the Russians were hoping for: in 2018, the World Anti-Doping Agency once again banned Russia from participating in the Olympic Games for four more years, when it was revealed that the Russians were cheating even during the 2014 Sochi Winter Olympics itself, by swapping positive drug samples with clean ones through a tiny hole in the sporting event’s anti-doping laboratory… This ban was later shortened to two years, but the Russians were still excluded from the 2022 Tokyo Olympic Games and 2022 Beijing Winter Games. . 

The US, in turn, also sent Russia a message of its own. In July 2018, special counsel Robert Mueller unsealed an indictment against the six men of Unit 74455. Sergey, Yuriy and their pals now have a $10 million prize on their heads. 

Looking back, the joint efforts of Kaspersky, Talos, Fireeye and Intezer might help explain a puzzling statement released by the Russian Foreign Ministry, two days before the attack on the 2018 Winter Games. 

“It is known to us that Western mass media are planning to throw in a pseudo-investigation on the theme of ‘the Russian trace’ in hacker attacks on information resources connected with conducting the Winter Olympics in South Korea.”, said the Russian statement, “As before, no kind of evidence will be presented to the world.”

Weird, isn’t it? Why would the Russian government deny involvement in an attack – that was yet to occur?…