south korea


TechSpot has some additional, minor new information about the suspected Russian cyber attack during the Pyeongchang 2018 Winter Olympics opening ceremony:

Malware writers don’t exactly leave a calling card in their code so determining who caused an attack is often difficult. What we do know so far is that the attack, dubbed “Olympic Destroyer,” lasted under an hour on Friday and targeted users with an @pyeongchang2018.com email address. This caused the Pyeongchang 2018 website to go down and briefly interrupted some video streams.

The malware works by turning off the infected machine’s services, destroying the boot information and generally rendering the machine unusable. One surprising characteristic is that it does show some restraint and does not appear to cause maximum damage. Rather than deleting all of the system’s files, it only targets the boot information. A trained technician can restore the data relatively quickly.

Olympic Destroyer’s spreading and targeting techniques resemble those of NotPetya and BadRabbit, pieces of malware the CIA and others in the security community have attributed back to Russia.

Given that Russia was banned from competing at the Olympics due to the doping scandal, they are naturally the prime suspect. For their part, they have stated that “We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea.”

As the article rightly states, the general public will likely never know who was responsible for this attack.
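The TechSpot excerpt above describes what Olympic Destroyer does to a host (services turned off, boot information destroyed, the machine left unbootable but with its files intact), which is also the behaviour a detection engineer should be alerting on. The following is an added example, not code from the article, Talos or McAfee: a small detector that runs over Sysmon-style process-creation records and flags a host where several distinct recovery-inhibition commands fire within a short window. The page only says that boot information is destroyed and services are disabled; the exact command set matched here (vssadmin, wbadmin, bcdedit, wevtutil) is an assumption for the example, taken from the standard Windows commands used to delete shadow copies and backup catalogs, disable boot recovery and clear event logs. The log records, hostnames and timestamps are constructed.

```python
"""Flag the recovery-inhibition burst a wiper runs before leaving a host unbootable.

Added example for this page, not code from the article, Talos or McAfee.
Input: Sysmon Event ID 1-style process-creation records (constructed below).
"""
import re
from collections import defaultdict

# (tag, regex over the command line). Command set is an ASSUMPTION for the example:
# the usual Windows commands behind MITRE ATT&CK T1490 (Inhibit System Recovery)
# and T1070.001 (Clear Windows Event Logs). Match on the command line, not the image
# path, because these binaries are routinely copied or renamed.
RECOVERY_INHIBITION = [
    ("shadow_copy_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_delete",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_status_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("eventlog_cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\w+", re.I)),
]

# Constructed records: (epoch seconds, host, parent image, command line).
SAMPLE_EVENTS = [
    # MPC-WS01: a wiper-like burst, all spawned from one cmd.exe within seconds
    (1518174000, "MPC-WS01", r"C:\Windows\System32\cmd.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    (1518174001, "MPC-WS01", r"C:\Windows\System32\cmd.exe",
     "wbadmin.exe delete catalog -quiet"),
    (1518174002, "MPC-WS01", r"C:\Windows\System32\cmd.exe",
     "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    (1518174002, "MPC-WS01", r"C:\Windows\System32\cmd.exe",
     "bcdedit.exe /set {default} recoveryenabled no"),
    (1518174003, "MPC-WS01", r"C:\Windows\System32\cmd.exe",
     "wevtutil.exe cl System"),
    (1518174003, "MPC-WS01", r"C:\Windows\System32\cmd.exe",
     "wevtutil.exe cl Security"),
    # ADMIN-PC: an administrator clearing one log by hand; a single behaviour must not alert
    (1518174100, "ADMIN-PC", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "wevtutil.exe cl Application"),
    # BUILD-07: ordinary noise
    (1518174200, "BUILD-07", r"C:\Windows\explorer.exe",
     r"notepad.exe C:\Users\dev\notes.txt"),
]


def classify(cmdline):
    """Return the recovery-inhibition tags matched by one command line ([] if none)."""
    return [tag for tag, rx in RECOVERY_INHIBITION if rx.search(cmdline)]


def detect(events, window_seconds=300, min_distinct=3):
    """Return {host: sorted_tags} for hosts showing >= min_distinct DISTINCT behaviours
    within window_seconds of each other.

    Requiring several distinct behaviours, rather than any single command, is what
    keeps a lone 'wevtutil cl' or a backup job's 'vssadmin delete shadows' from paging
    anyone, while the full burst a wiper runs still trips the rule.
    """
    per_host = defaultdict(list)
    for ts, host, _parent, cmd in events:
        tags = classify(cmd)
        if tags:
            per_host[host].append((ts, tags))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, tags in hits[i:]:
                if ts - start > window_seconds:
                    break
                seen.update(tags)
            if len(seen) >= min_distinct:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, tags in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```

Two caveats for anyone adapting this. First, the "turning off services" half of the page's description is not visible in process-creation events at all; Olympic Destroyer-style service disabling shows up as start-type changes in the System log (Event ID 7040) and needs its own rule. Second, the reason a trained technician can recover these machines is that the damage is to the boot configuration rather than the data, so the first response step on an alerting host is to preserve the disk, not to reboot it.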

The New York Times reports on some new details about the recent cyber attack targeting the Pyeongchang Winter Olympics 2018 opening ceremony:

The cyberattack took out internet access and telecasts, grounded broadcasters’ drones, shut down the Pyeongchang 2018 website, and prevented spectators from printing out reservations and attending the ceremony, which resulted in an unusually high number of empty seats.

Security experts said they had uncovered evidence that the attack had been in the works since late last year. It was directed at the Pyeongchang Organizing Committee and incorporated code that was specifically designed to disrupt the Games or perhaps even send a political message.

“This attacker had no intention of leaving the machine usable,” a team of researchers at Cisco’s Talos threat intelligence division wrote in an analysis Monday. “The purpose of this malware is to perform destruction of the host” and “leave the computer system offline.”

The attackers built in the ability to destroy the endpoints outright but chose not to use it. That restraint is interesting and says a great deal about the attackers’ motivation. It smells like a political message being delivered to either Pyeongchang or the International Olympic Committee, most likely the latter more than the former.

So the question is: who has the motivation to want to disrupt the Olympics, and why target the IOC? Could it be Russia in retaliation for the doping allegations over the past few years?

Security companies would not say definitively who was behind the attack, but some digital crumbs led to a familiar culprit: Fancy Bear, the Russian hacking group with ties to Russian intelligence services. Fancy Bear was determined to be the more brazen of the two Russian hacking groups behind an attack on the Democratic National Committee ahead of the 2016 presidential election.

Beginning in November, CrowdStrike’s intelligence team witnessed Fancy Bear attacks that stole credentials from an international sports organization, Mr. Meyers said. He declined to identify the victim but suggested that the credential thefts were similar to the ones that hackers would have needed before their opening ceremony attack.

On Wednesday, two days before the ceremony, the Russian Ministry of Foreign Affairs made an apparent attempt to pre-empt any accusations of Russian cyberattacks on the Games. In a statement, released in English, German and Russian, the agency accused Western governments, press and information security companies of waging an “information war” accusing Russia of “alleged cyber interference” and “planning to attack the ideals of the Olympic movement.”

Ding ding ding, we have a winner. Who, other than Russia, has the motivation and capacity for such an attack?

ZDNET reports on further PyeongChang malware discoveries by McAfee prior to the Winter Olympics opening ceremony, this time specifically related to the recently confirmed hack:

While the details are mostly unknown, McAfee Advanced Threat Research senior analyst Ryan Sherstobitoff said his teams found a new variant of the malicious documents targeting the Winter Games a few days prior to the opening ceremonies.

“The new document contained the same metadata properties as those related to Operation GoldDragon, and sought to gain persistence on systems owned by organisations involved with the Winter Games,” Sherstobitoff said in a statement.

“It is clear attacks are ongoing and are likely to continue throughout the duration of the games. What is yet to be determined is if actors are working simply to gain disruption, or if their motives are greater.”

This is additional information following McAfee Labs’ report last month on uncovering a major campaign targeting the PyeongChang Winter Olympics and related organizations. There is likely more to the story, including which group may be responsible for the operation.

Disclaimer: I work for McAfee.

Reuters is reporting the Pyeongchang Winter Olympics organizers have confirmed a cyber attack occurred during the opening ceremony but are refusing to reveal any attribution:

“We know the cause of the problem but that kind of issues occurs frequently during the Games. We decided with the IOC we are not going to reveal the source (of the attack),” he told reporters.

Russia, which has been banned from the Games for doping, said days before the opening ceremony that any allegations linking Russian hackers to attacks on the infrastructure connected to the Pyeongchang Olympic Games were unfounded.

“We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea,” Russia’s foreign ministry said.

“Of course, no evidence will be presented to the world.”

It makes sense not to publicly announce attribution for this attack until after the games have been completed. There is nothing to gain from discussing it in the open at this juncture. Once the games are finished, a lessons-learned review and a complete after-action report on the cyber attacks will be a treasure trove of information, extremely useful to Japan for Tokyo 2020.

The Independent is reporting there was a successful cyber attack targeting the Pyeongchang Winter Olympics during the opening ceremony:

A cyber attack was launched on Pyeongchang’s servers during the opening ceremony of the Winter Olympics, the organisers said.

It reportedly caused a malfunction of the international protocol televisions located at the press centre.

The Pyeongchang Organising Committee was apparently forced to shut down its servers to avoid any further damage. That in turn led to the official Pyeongchang 2018 website going down.

Users were unable to access the site for 12 hours and could not print off their tickets for events, South Korean news agency Yonhap reported.

It is unclear who was behind the attack but cyber security experts have warned that the Winter Olympics provide a “security challenge” as hackers could target athletes and staff.

A cyber attack should come as no surprise; a successful interruption of service, however, is unacceptable. Pyeongchang should have been well prepared for these types of attacks, not only with proper detection, prevention, and correction capabilities, but also with situational awareness and threat intelligence.

That Pyeongchang did not see this coming, and that the attack caused an outage, is not a good indicator of what may be to come over the next two weeks.

Japan needs to be paying very close attention to the Pyeongchang Olympics. Since both countries are in the same volatile region, Tokyo should expect very similar attacks, if not more, primarily because of the geopolitical nature of Japan’s history.

I really want to see Japan successfully thwart even the most dangerous of cyber attacks through a multi-pronged approach. The combination of technology, situational awareness, and both human and signals intelligence will go a long way in helping Japan achieve that goal. It can be done, but the strategy needs to be developed now, with participating agencies collaborating and already preparing for the inevitable.

The Hill reports on cyber attacks targeting the rapidly approaching Winter Olympics in Pyeongchang, South Korea:

Experts are observing an uptick in phishing attacks orchestrated by run-of-the-mill cyber criminals that use the games as a hook to draw attendees and other would-be victims into scams.

The Department of Homeland Security issued an alert Thursday warning travelers to the Olympics that cyber criminals could attempt to steal personally identifiable information or users’ credentials to profit financially.

“There is also the possibility that mobile or other communications will be monitored,” the alert said.

Additionally, there has been an increase in attempted attacks around the 2018 games themselves, some targeting participating organizations and sponsors and others within the infrastructure of the games.

Lures built around major sporting events, such as the Olympics or the Super Bowl, will always draw unsuspecting people into clicking dangerous links or opening malicious email attachments. It is easy to say everyone should be vigilant every single day, but for the average user that is impractical.

Awareness of the threat is key. But as with anything, there will always be those select few who are more susceptible to being tricked. It is this group the attackers are banking on being able to leverage for access or criminal activities.

Dark Reading discusses a critical zero-day in Adobe Flash – surprise, surprise – currently being exploited in a campaign targeting South Korean victims:

Adobe today confirmed a report yesterday by South Korea’s Computer Emergency Response Team (KrCERT/CC) of the discovery of the zero-day vulnerability in Flash Player ActiveX and earlier versions. The bug (CVE-2018-4878) abused in the attacks is a use-after-free vulnerability that allows remote code execution, according to Adobe’s advisory.

Johannes Ullrich, head of the SANS Internet Storm Center, says the fact that this was a targeted, zero-day attack makes it more likely to be the handiwork of a nation-state actor.

“The attack was rather limited, and targeted at individuals in South Korea who are involved in research about North Korea. I think this makes for a pretty strong case that this was a nation-state sponsored attack. Other actors would have little motivation to use a zero-day exploit in an attack against a group like this,” Ullrich says. “On the other hand, it doesn’t have to be North Korea,” given the difficulty of attribution.

It should come as no surprise that although North Korea is attempting to publicly play nice with South Korea, in the background it continues its cyber attack campaigns targeting its neighbor.