TechSpot has some additional, minor, new information about the suspected Russian cyber attack during the Pyeongchang 2018 Winter Olympics opening ceremony:

Malware writers don’t exactly leave a calling card in their code so determining who caused an attack is often difficult. What we do know so far is that the attack, dubbed “Olympic Destroyer,” lasted under an hour on Friday and targeted users with an @pyeongchang2018.com email address. This caused the Pyeongchang 2018 website to go down and briefly interrupted some video streams.

The malware works by turning off the infected machine’s services, destroying the boot information and generally rendering the machine unusable. One surprising characteristic is that it does show some restraint and does not appear to cause maximum damage. Rather than deleting all of the system’s files, it only targets the boot information. A trained technician can restore the data relatively quickly.

Olympic Destroyer’s spreading and targeting techniques resemble those of NotPetya and BadRabbit, pieces of malware the CIA and others in the security community have attributed back to Russia.

Given that Russia was banned from competing at the Olympics due to the doping scandal, they are naturally the prime suspect. For their part, they have stated that “We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea.”

As the article rightly states, the general public will likely never know who was responsible for this attack.

The New York Times reports on some new details about the recent cyber attack targeting the Pyeongchang Winter Olympics 2018 opening ceremony:

The cyberattack took out internet access and telecasts, grounded broadcasters’ drones, shut down the Pyeongchang 2018 website, and prevented spectators from printing out reservations and attending the ceremony, which resulted in an unusually high number of empty seats.

Security experts said they had uncovered evidence that the attack had been in the works since late last year. It was directed at the Pyeongchang Organizing Committee and incorporated code that was specifically designed to disrupt the Games or perhaps even send a political message.

“This attacker had no intention of leaving the machine usable,” a team of researchers at Cisco’s Talos threat intelligence division wrote in an analysis Monday. “The purpose of this malware is to perform destruction of the host” and “leave the computer system offline.”

The attackers included the ability to basically destroy the endpoints but opted not to wield the capability. This is quite interesting, and really speaks to the attackers’ motivation. It really smells like a political message being delivered to either Pyeongchang or the International Olympic Committee, most likely the latter more than the former.

So the question is: who has the motivation to want to disrupt the Olympics, and why target the IOC? Could it be Russia in retaliation for the doping allegations over the past few years?

Security companies would not say definitively who was behind the attack, but some digital crumbs led to a familiar culprit: Fancy Bear, the Russian hacking group with ties to Russian intelligence services. Fancy Bear was determined to be the more brazen of the two Russian hacking groups behind an attack on the Democratic National Committee ahead of the 2016 presidential election.

Beginning in November, CrowdStrike’s intelligence team witnessed Fancy Bear attacks that stole credentials from an international sports organization, Mr. Meyers said. He declined to identify the victim but suggested that the credential thefts were similar to the ones that hackers would have needed before their opening ceremony attack.

On Wednesday, two days before the ceremony, the Russian Ministry of Foreign Affairs made an apparent attempt to pre-empt any accusations of Russian cyberattacks on the Games. In a statement, released in English, German and Russian, the agency accused Western governments, press and information security companies of waging an “information war” accusing Russia of “alleged cyber interference” and “planning to attack the ideals of the Olympic movement.”

Ding ding ding, we have a winner. Who, other than Russia, has the motivation and capacity for such an attack?

ZDNET reports on further PyeongChang malware discoveries by McAfee prior to the Winter Olympics opening ceremony, this time specifically related to the recently confirmed hack:

While the details are mostly unknown, McAfee Advanced Threat Research senior analyst Ryan Sherstobitoff said his teams found a new variant of the malicious documents targeting the Winter Games a few days prior to the opening ceremonies.

“The new document contained the same metadata properties as those related to Operation GoldDragon, and sought to gain persistence on systems owned by organisations involved with the Winter Games,” Sherstobitoff said in a statement.

“It is clear attacks are ongoing and are likely to continue throughout the duration of the games. What is yet to be determined is if actors are working simply to gain disruption, or if their motives are greater.”

This is additional information after McAfee Labs reported last month about uncovering a major campaign targeting the PyeongChang Winter Olympics and related organizations. There is likely more to the story, to include which group may be responsible for the operation.

Disclaimer: I work for McAfee.

Wired discusses why the Pyeongchang Winter Olympics 2018 are an especially difficult task for the International Olympic Committee, primarily because of the location of South Korea and the regional geopolitical climate:

The increased connectivity and use of technology has opened the games up to more vulnerabilities and potential cyberattacks. Not only are the Olympic Games available to view worldwide through a variety of broadcasting platforms, but smart technologies are now also increasingly used in the performance and judging of the sports themselves.

While most of the previous attacks have focused on ticket scams, availability of IT services and personal data, there are now more substantial cyber threats to stadium operations, infrastructure, broadcasting and participants and visitors to the games. There might also be cyberattacks that compromise devices to spread propaganda or misinformation.

More recent Olympic Games have experienced attacks on broadcast operations and power systems seeking to limit viewer access to live broadcasts. For example, the 2012 London Olympics were hit by Distributed Denial of Service (DDoS) attacks from both alleged nation state hackers and hacktivists. While these attacks have had limited success, it is possible that large scale disruptions to broadcasting could have severe consequences to events that rely on a large global audience and sponsorship.

Cybersecurity experts have already expressed concern over a number of cyber threats to Pyeongchang, particularly in relation to nation state activity. South Korea has previously accused North Korea of cyberattacks on the country, including one in 2013 that wiped numerous hard drives at South Korean banks and broadcasters. Last month, a cybersecurity firm also uncovered a sophisticated and targeted cyberattack aimed to steal data from South Korean organisations associated with the games.

Tokyo 2020 is expected to be the first Internet-of-Things (IoT) games. Imagine the size, scale, and magnitude of such an attack surface, and how difficult it will be to defend against the extremely sophisticated nation state attacker. South Korea really only has North Korea as its primary, so-called enemy in the region. However, consider Japan’s history and how that affects the geopolitics for Tokyo 2020.

I am concerned about how seriously the nation is considering the threat. Without a strong threat intelligence foundation, I truly wonder what form of situational awareness the country has and how well they understand what they will be facing.

It is February 2018, and I am increasingly concerned about the preparedness. Maybe I am being overly cautious, but I really expected to see the country knee-deep in vulnerability assessments, situational awareness, and strong, well rounded threat intelligence. At this point I see nothing to make me feel comfortable, but hope I am just not privy to whatever special access programs are being executed to address these concerns.

Reuters is reporting the Pyeongchang Winter Olympics organizers have confirmed a cyber attack occurred during the opening ceremony but are refusing to reveal any attribution:

“We know the cause of the problem but that kind of issues occurs frequently during the Games. We decided with the IOC we are not going to reveal the source (of the attack),” he told reporters.

Russia, which has been banned from the Games for doping, said days before the opening ceremony that any allegations linking Russian hackers to attacks on the infrastructure connected to the Pyeongchang Olympic Games were unfounded.

“We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea,” Russia’s foreign ministry said.

“Of course, no evidence will be presented to the world.”

It makes sense not to publicly announce attribution for this attack until after the games have been completed. There is nothing to gain from discussing it in the open at this juncture. Once the games are finished, a lessons learned and complete after action report on the cyber attacks will be a treasure trove of information extremely useful to Japan for Tokyo 2020.

The Independent is reporting there was a successful cyber attack targeting the Pyeongchang Winter Olympics during the opening ceremony:

A cyber attack was launched on Pyeongchang’s servers during the opening ceremony of the Winter Olympics, the organisers said.

It reportedly caused a malfunction of the international protocol televisions located at the press centre.

The Pyeongchang Organising Committee was apparently forced to shut down its servers to avoid any further damage. That in turn led to the official Pyeongchang 2018 website going down.

Users were unable to access the site for 12 hours and could not print off their tickets for events, South Korean news agency Yonhap reported.

It is unclear who was behind the attack but cyber security experts have warned that the Winter Olympics provide a “security challenge” as hackers could target athletes and staff.

A cyber attack should come as no surprise, however a successful interruption of service is unacceptable. Pyeongchang should have been well prepared for these types of attacks, not only with the proper defense detection, prevention, and correction capabilities, but also situational awareness and threat intelligence.

That Pyeongchang did not see this coming, and it in turn caused an outage, is not a good indicator of what may be to come throughout the next two weeks.

Japan needs to be paying very close attention to the Pyeongchang Olympics. Since both countries are in the same volatile region, Tokyo should expect very similar attacks if not more, primarily because of the geopolitical nature of Japan’s history.

I really want to see Japan successfully thwart even the most dangerous of cyber attacks through a multi-pronged approach. The combination of technology, situational awareness, and both human and signals intelligence will go a long way in helping Japan achieve that goal. It can be done, but the strategy needs to be developed now, with participating agencies collaborating and already preparing for the inevitable.

The Hill reports on cyber attacks targeting the rapidly approaching Winter Olympics in Pyeongchang, South Korea:

Experts are observing an uptick in phishing attacks orchestrated by run-of-the-mill cyber criminals that use the games as a hook to draw attendees and other would-be victims into scams.

The Department of Homeland Security issued an alert Thursday warning travelers to the Olympics that cyber criminals could attempt to steal personally identifiable information or users’ credentials to profit financially.

“There is also the possibility that mobile or other communications will be monitored,” the alert said.

Additionally, there has been an increase in attempted attacks around the 2018 games themselves, some targeting participating organizations and sponsors and others within the infrastructure of the games.

Attacks that use major sporting events, such as the Olympics or the Super Bowl, as a hook are always going to lure unsuspecting people into clicking dangerous links or opening malicious email attachments. It is easy to say everyone should be vigilant every single day, but for the average user that is impractical.

Awareness of the threat is key. But as with anything, there will always be those select few who are more susceptible to being tricked. It is this group the attackers are banking on being able to leverage for access or criminal activities.

The Japanese government is having a tough time finding the right types of cyber warriors with the right skillset before the 2020 Olympics:

The government set up a working team on cybersecurity last October to prepare for the 2020 Games. Based on the basic law on cybersecurity, which was enacted the following month, the government in January created a cybersecurity strategy team, headed by Chief Cabinet Secretary Yoshihide Suga, and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC).

The headquarters drafted a new strategy paper emphasizing measures for the period up to 2020. The draft calls for the establishment of a Computer Security Incident Response Team (CSIRT) for the 2020 Olympics and Paralympics. It would be staffed with dozens of experts from both the public and private sectors whose job would be to minimize damage from cyberattacks.

Most cyberattacks against government agencies are blocked, mainly by firewalls. But personnel at the Japan Pension Service inadvertently opened email messages containing a computer virus attachment.

CSIRT will be responsible for the quick recovery of affected computer systems, on the premise that “there is no such thing as perfection when it comes to cybersecurity,” one top government official said.

In an effort to give the team much-needed experience, the headquarters is aiming for a 2018 launch ahead of the 2019 Rugby World Cup and just a year before the Tokyo Games.

For the Olympics, “we are concerned most about disruption caused by cyberattacks against key infrastructure such as transportation networks and energy facilities,” a government official said.

The NISC has conducted competition-style training for the cyberattack response capabilities of 12 government ministries and agencies, as well as an exercise for operators of key infrastructure. It hopes to promote information-sharing through public-private collaboration.

The Japanese Government is set to spend approximately 20 billion yen to form and train a cyber security staff dedicated to tackling the 2020 Olympics:

According to local newspaper Nikkei, Japan’s Ministry of Internal Affairs and Communications has put forward a set of cyber-security proposals in relation to the Games, and intends to request around 20 billion yen (£103 million) in government funding over the four years, starting from fiscal 2016.

This funding will go towards training for local authorities, schools, SMEs and enterprises, with the ministry also overseeing drills to prepare for attacks linked to the Games, such as websites being hacked and ticket sale scams. There are also reportedly plans for red teaming exercises.

The ministry, which did not respond to our request for comment, aims to create industry-wide forums so companies can share best practices and other knowledge in the realm of cyber-security in the run-up to the Olympics.

One security expert, who played a key and senior role in securing the 2012 London Olympics, told SCMagazineUK.com that the games is probably being used ‘as a vehicle’ to reduce the much-publicised information security skills gap.

The Nikkei report cites one study which claims that 160,000 of the 265,000 infosec personnel in the country lack the skills needed for the job.

“My reading of this is that it must be broader than just the Olympics,” said the expert, speaking anonymously and citing ambitions to reduce the skills-gap in particular.

The Japanese government needs to spend money to train people as the country is absolutely sorely lacking in the cyber security skills arena.