The Pyeongchang Winter Olympics organizing committee confirmed on Sunday that a malware attack was responsible for disruptions to the Olympics’ network before and during opening ceremonies on Friday. Just before the opening ceremony, the official website for the Winter Games went down, leaving attendees unable to print tickets for events or get venue information. The site wasn’t restored until 8am Saturday morning. Multiple networks went down, including the Wi-Fi network in the stadium and the network in the Olympic press center.
The cause was an apparent “wiper” malware attack that had spread throughout the Pyeongchang Games’ official network using stolen credentials. The network was not fully restored until 8am local time on Saturday, a full 12 hours after the attack began, The Guardian reported.
In a blog post today, Cisco Talos Intelligence researchers Warren Mercer and Paul Rascagneres revealed that Talos had identified (“with medium confidence”) some of the malware used in the attack. It has not been determined how the malware was introduced into the network, but the binaries examined by Talos showed the attacker had intimate knowledge of the Pyeongchang network’s systems.
“The malware author knew a lot of technical details of the Olympic Game infrastructure such as username, domain name, server name, and obviously password,” wrote Mercer and Rascagneres. “We identified 44 individual accounts in the binary.” Some of these were fairly generic usernames, but others were for specific users or software agents.
The malware “dropper” used those credentials and installed Web browser and operating system credential stealing malware to harvest other users’ logins and passwords to assist in spreading itself across the network. The Talos researchers noted that elements of the malware used to collect credentials from targeted systems utilized the same inter-process communications channel as the Bad Rabbit cryptoransomware and NotPetya wiper attacks last year (the channel is used to pass user names and passwords back to the dropper code).
The dropper scanned for other systems to target by running a Windows Management Instrumentation (WMI) request to list all the systems within the same Active Directory tree and by checking Windows’ TCP/IP Address Resolution Protocol (ARP) table with a Windows API request.
Once the dropper had found targets and successfully connected to them, the malware used the PsExec tool—a legitimate Windows administration tool that the dropper installed—to remotely execute a Visual Basic Script (VBScript) on the targeted systems that copied itself to them and launched the process again.
The wiper malware spread by the dropper hid its malicious activity by executing all of it through Windows’ command interpreter, cmd.exe—deleting all “shadow” copies of files and Windows backup catalogs, turning off recovery mode in Windows’ Boot Configuration Data store, and then shutting off all services and marking them as disabled. The malware then cleared the security and system event logs to cover its tracks.
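The destructive steps described above are exactly the kind of behaviour endpoint process-creation telemetry can catch. As an added example (not from the article or from Talos), here is a small Python detector run over constructed process-creation events; the command patterns it keys on (vssadmin, wbadmin, bcdedit, sc, wevtutil) are my assumption of how those actions surface on a Windows host, not indicators the article gives.

```python
import re

# Constructed sample process-creation events (not from the article or Talos):
# each tuple is (host, parent_image, command_line).
SAMPLE_EVENTS = [
    ("ws01", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("ws01", "cmd.exe", "wbadmin.exe delete catalog -quiet"),
    ("ws01", "cmd.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    ("ws01", "cmd.exe", "sc.exe config Spooler start= disabled"),
    ("ws01", "cmd.exe", "wevtutil.exe cl Security"),
    ("ws02", "explorer.exe", "notepad.exe C:\\notes.txt"),
    ("ws02", "cmd.exe", "vssadmin.exe list shadows"),
]

# Assumed command-line indicators for the behaviours the article describes:
# shadow-copy and backup-catalog deletion, recovery disabled in the BCD store,
# services marked disabled, and event logs cleared.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I),
    "service_disabled": re.compile(r"\bsc(\.exe)?\s+config\b.*\bstart=\s*disabled", re.I),
    "eventlog_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
}

def classify(command_line):
    """Return the names of the rules matched by one command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def score_hosts(events, threshold=3):
    """Group matches per host and flag hosts showing `threshold` or more distinct
    destructive behaviours. A lone match (an admin listing or deleting one shadow
    copy) stays below the bar; the wiper's full chain on one host does not."""
    per_host = {}
    for host, _parent, cmd in events:
        for tag in classify(cmd):
            per_host.setdefault(host, set()).add(tag)
    return {h: sorted(tags) for h, tags in per_host.items() if len(tags) >= threshold}

if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: destructive chain detected -> {', '.join(tags)}")
```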
The attack appears to have been designed specifically to embarrass the Olympic organizers by disrupting the opening of the Games, as there was no evidence of data being stolen from the network in the process. The nature of the malware suggests good advance intelligence collection, including potentially inside knowledge of the Pyeongchang organizing committee’s systems, and a professional team providing development using well-established techniques and tools. Who exactly would fit that profile—and who would want to disrupt the Winter Olympics—is left as a thought exercise for the reader.
https://arstechnica.com/?p=1258585