
Cyber Mischief at the Winter Olympics

While both the Olympics and the Winter Olympics were intended to celebrate the human spirit, it appears some never got the memo. During the Cold War, the Olympics were used as another stage on which to prove whether Soviet communism or American capitalism was the superior ideology. Times change, but the Olympics in their multiple forms still appear to be an event that gets co-opted for far more reasons than the organizers originally intended.

The 2018 Winter Olympics in Pyeongchang, South Korea, appear to be no different in this regard. Even before the games started, Olympic organizing bodies and other organizations closely linked with the event were targeted by hackers. As early as December 2017, researchers were detecting attacks against such organizations. The latest incident occurred during the opening ceremony, when a mysterious internet shutdown occurred.

Cyber Shutdown during Opening Ceremony

During the opening ceremony, at approximately 10:15 GMT, internal internet and Wi-Fi systems crashed. It was reported that normal service had still not been restored by the following day. A special task team of security researchers, experts from South Korea's defense ministry, and experts from four other ministries confirmed that, although the outage occurred, the high-tech opening ceremony remained unaffected.

More details of the outage are likely to surface in the coming days. These details will prove whether it was a DDoS attack or simply an outage caused by human or system error. Given some of the events that preceded these Olympics, such as the banning of Russian athletes associated with a statewide doping program, researchers and experts have been quick to warn of sustained malware attacks and campaigns from known advanced persistent threat (APT) groups. Given the events running up to these Olympics, the warnings appear to be more than that.

Operation PowerShell Olympics

In early January of this year, researchers at McAfee were tracking and analyzing a fileless malware campaign targeting organizations involved in the then-upcoming 2018 Winter Olympics. The attack relied on PowerShell to execute an in-memory attack that creates a backdoor. This reliance on PowerShell is not new by any means, and neither is delivery via email in malicious Word documents. What was of particular interest to researchers is that this particular malware had not been seen before, and researcher Ryan Sherstobitoff concluded that it is custom-made malware. This implies the people behind the campaign are experts and probably well-funded.

The malicious emails appeared to be sent from South Korea's National Counter-Terrorism Center (NCTC), while in actual fact they were sent from a server located in Singapore. The message conveyed in the email appeared to be a warning from the NCTC, which coincided with actual security testing by the organization. As mentioned above, the attack was distributed by email. When the malicious email was opened, it prompted users to enable content that would allow their version of Microsoft Word to read the attached document.

If the user then clicked the button to enable the content, the malware launched a Visual Basic macro, which in turn executed a PowerShell script. This method has been seen previously in other fileless malware campaigns. However, this is where the authors begin to show their skill. The PowerShell script downloads an image file, and the file itself contains another embedded PowerShell script that was put there using an open source tool called Invoke-PSImage. Impressively, this open source tool was only released on December 20, 2017, meaning the authors incorporated the tool in record time, just two days after the tool's release. Invoke-PSImage is a steganography tool: it allows a user to embed hidden data inside a carrier file, which can be an image or video file, and then later extract the data. For the purposes of this attack, the script is further obfuscated using string-format operators so that it is nearly impossible to detect once it has been extracted onto the command line, where it is used to set up a secure connection to a command and control server.
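For defenders reviewing logged PowerShell command lines, the string-format obfuscation described above can be undone before matching. The following is an added example, not code from this article or from McAfee's analysis; the watch list and the sample command line are constructed for illustration, and only single-quoted arguments with pure placeholder format strings are handled.

```python
import re

# PowerShell format-operator expressions such as ("{1}{0}" -f 'ost','Write-H')
FORMAT_EXPR = re.compile(
    r"""\(\s*(["'])(?P<fmt>(?:\{\d+\})+)\1\s*-f\s*"""
    r"""(?P<args>'[^']*'(?:\s*,\s*'[^']*')*)\s*\)""",
    re.IGNORECASE,
)
PLACEHOLDER = re.compile(r"\{(\d+)\}")
ARG = re.compile(r"'([^']*)'")

# Assumption: illustrative watch list of names relevant to reading pixel data
# from a downloaded image and running the result. Tune for your environment.
WATCHLIST = ("system.drawing.bitmap", "getpixel", "net.webclient",
             "invoke-expression")

# Constructed sample command line (not taken from the campaign).
SAMPLE = """& ("{1}{0}" -f 'Object','New-') ("{0}{2}{1}" -f 'System.Draw','Bitmap','ing.') $stream"""


def resolve_format_operators(text):
    """Replace each format-operator expression with the string it builds.

    Returns (resolved_text, number_of_expressions_resolved).
    """
    count = 0

    def _sub(match):
        nonlocal count
        args = ARG.findall(match.group("args"))
        try:
            built = "".join(args[int(i)]
                            for i in PLACEHOLDER.findall(match.group("fmt")))
        except IndexError:
            return match.group(0)  # placeholder index out of range: leave as is
        count += 1
        return "'" + built + "'"

    return FORMAT_EXPR.sub(_sub, text), count


def triage(command_line):
    """Report watch-list names that only become visible after resolution."""
    resolved, count = resolve_format_operators(command_line)
    raw, clear = command_line.lower(), resolved.lower()
    hidden = [k for k in WATCHLIST if k in clear and k not in raw]
    return {"format_exprs": count, "resolved": resolved,
            "hidden_keywords": hidden}
```

A keyword that appears only in the resolved text is a stronger signal than the keyword alone, because it shows the name was deliberately split up.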

McAfee stated that the attack started on December 22 and ended on December 28, 2017. This does not mean organizations and businesses with links to the Olympics are safe. Given the complex nature of the malware, it can easily be used in another campaign during the Olympics. It is also worrying for another reason: the very tool that makes it unique. It has shown how a new tool can be used as a weapon in future fileless attacks. The only real defense against such attacks is for users not to open an attachment, no matter what the format, from anyone they don't recognize. Even if they do recognize the person, it's appropriate to approach attachments with caution.

It’s not just Businesses that are Targets

While state actors, APTs, and those with political agendas such as spying are hard at work, it is also important to remember that they are not the only hackers busy at this time. The Olympics present a massive business opportunity to cybercriminals. Given the number of people going to Pyeongchang and South Korea as fans and tourists, cybercriminals looking to steal identities and then hack into victims' bank accounts can potentially make a killing. Such attacks are often perpetrated as scams on social media offering free tickets or tickets to fake competitions designed to install malware.

Another factor for those visiting the area to consider is the availability of free Wi-Fi in the country. South Korea is a well-connected country with some of the fastest internet speeds in the world, giving cybercriminals more opportunity to hack your Wi-Fi enabled devices. It is strongly recommended that you ensure your antivirus software is up to date. It is further recommended that users set up a VPN for an additional layer of security while traveling abroad.

While the athletes are struggling to outdo each other during the events, it would seem that there is an entire universe of cyber events with malware authors looking to make a quick buck, steal important data, or just show off how skillful they are.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
