The cyber-attack that disrupted some networks and servers at the opening of the Winter Olympics in PyeongChang left a number of conflicting forensic clues about its source. The attack used a mix of techniques, tools, and practices that blended the fingerprints of threat groups connected to North Korea, China, and Russia.
But according to a report by Ellen Nakashima of the Washington Post, US intelligence officials have determined with some confidence that the attack was in fact a “false flag” operation staged by individuals working on behalf of a Russian intelligence agency—an attack that went as far as to route traffic through IP addresses associated with North Korea to mask the attack’s origin.
In the wake of the February 9 attack, which affected web servers and network routers connected to the Winter Games organizing committee—including the press center’s network, public Wi-Fi networks, and web servers associated with ticket sales for the Games’ events—several security firms rapidly assessed malware connected to the attack. Initial evaluation of the malware showed some commonalities in techniques with NotPetya, the “wiper” malware attributed to Russia by UK and US intelligence. Cisco’s Talos Labs later revised its report, originally published on February 12, after discovering that the malware samples actually used credential-stealing tools to obtain logins and passwords and then wrote those credentials into the new copies of the binary it used to spread the infection across the network.
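The propagation behaviour described above has a practical consequence for defenders: if every copy pushed to a new host carries the credentials harvested so far, the file hash changes at each hop and a hash-based indicator only ever matches one host's copy. The following is an added illustration written for this page, not Talos' analysis code and not the real binary format; the "binary" is a constructed byte string with a marker-delimited credential slot, and the credentials are invented. It shows why an indicator computed over the invariant part of the file survives propagation while the full-file hash does not, and how the accumulated credential list in a captured copy can be read back out.

```python
import hashlib
from typing import List, Tuple

# Constructed stand-in for a self-propagating binary. The real format is not
# modelled; only the property the article describes (harvested credentials are
# written into each new copy used to spread) is reproduced. The markers are an
# assumption of this example, not something present in the real sample.
CRED_BEGIN = b"<<CREDS>>"
CRED_END = b"<</CREDS>>"
SEED_BINARY = (
    b"MZ\x90\x00"
    + b"propagation-routine-bytes" * 3
    + CRED_BEGIN
    + CRED_END
    + b"wiper-routine-bytes" * 3
)


def _slot(sample: bytes) -> Tuple[int, int]:
    """Offsets of the credential slot, exclusive of the markers."""
    start = sample.index(CRED_BEGIN) + len(CRED_BEGIN)
    end = sample.index(CRED_END, start)
    return start, end


def embed_credentials(sample: bytes, creds: List[Tuple[str, str]]) -> bytes:
    """Produce the copy that would be pushed to the next host: the credentials
    already carried plus the ones harvested on this host."""
    start, end = _slot(sample)
    addition = b"".join(f"{user}:{pw}\x00".encode() for user, pw in creds)
    return sample[:start] + sample[start:end] + addition + sample[end:]


def extract_credentials(sample: bytes) -> List[Tuple[str, str]]:
    """Read the accumulated credentials back out of a captured copy, which
    lets an analyst see which accounts were harvested along the path."""
    start, end = _slot(sample)
    pairs = []
    for entry in sample[start:end].split(b"\x00"):
        if entry:
            user, _, pw = entry.decode().partition(":")
            pairs.append((user, pw))
    return pairs


def file_hash(sample: bytes) -> str:
    """Full-file SHA-256: differs for every hop because the slot grows."""
    return hashlib.sha256(sample).hexdigest()


def invariant_hash(sample: bytes) -> str:
    """SHA-256 with the per-host credential slot removed: identical across
    all copies, so it is usable as an indicator where the file hash is not."""
    start, end = _slot(sample)
    return hashlib.sha256(sample[:start] + sample[end:]).hexdigest()


def simulate_propagation(hops: List[List[Tuple[str, str]]]) -> List[bytes]:
    """Constructed hop chain: each element of `hops` is the credential set
    harvested on that host; returns the copy produced at each hop."""
    copies = []
    current = SEED_BINARY
    for harvested in hops:
        current = embed_credentials(current, harvested)
        copies.append(current)
    return copies


if __name__ == "__main__":
    # Constructed credentials, not data from the incident.
    chain = simulate_propagation([
        [("ws01\\operator", "Winter2018!")],
        [("pressctr\\svc_backup", "hunter2")],
    ])
    for i, copy in enumerate(chain, 1):
        print(f"hop {i}: sha256={file_hash(copy)[:16]}... "
              f"invariant={invariant_hash(copy)[:16]}... "
              f"creds={extract_credentials(copy)}")
```

The masking step is the whole lesson: any indicator that covers the mutable region (full-file hash, an ssdeep over the whole file, a YARA rule anchored on the credential strings) will miss copies from other hosts, while one computed over the code that stays constant matches all of them.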
Today, Talos researchers Paul Rascagneres and Martin Lee warned against making an attribution for the attack, as forensics of the malware suggested three different potential attackers. “The threat actor responsible for the attack has purposefully included evidence to frustrate analysts and lead researchers to false attribution flags,” the pair wrote. “This false attribution could embolden an adversary to deny an accusation, publicly citing evidence based upon false claims by unwitting third parties.”
The researchers found that, in addition to the similarities to NotPetya, the “Olympic Destroyer” malware (as Talos dubbed it) used a file-naming convention similar to the one used in the SWIFT banking malware of a branch of the North Korean Lazarus Group. Additionally, small fragments of code within the malware bore hallmarks of the work of three different Chinese threat groups. Planting these telltales is a classic bit of “anti-forensics” work by the attackers, making attribution based on the malware alone much more difficult.
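Why a few borrowed fragments are enough to muddy attribution becomes clearer with a concrete similarity measure. The example below is added for this page and is not Talos' tooling; the "reference families" and the samples are constructed from seeded pseudo-random bytes, and the threshold is an assumption. It scores a sample against each reference by byte n-gram containment, then shows that a sample built from one family's code is attributed to it, while a sample that merely pastes a short fragment from another family produces a small but non-zero hit against that family, which is exactly the kind of signal a false flag is designed to plant and which a sensible threshold refuses to act on.

```python
import random
from typing import Dict, Optional, Set


def _pseudo_code(seed: int, length: int) -> bytes:
    """Deterministic stand-in for a code section (constructed data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed reference corpora standing in for known families' code.
REFERENCE: Dict[str, bytes] = {
    "family_A": _pseudo_code(1, 400),
    "family_B": _pseudo_code(2, 400),
    "family_C": _pseudo_code(3, 400),
}


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of overlapping byte n-grams, a cheap code-similarity feature."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def containment(sample: bytes, reference: bytes, n: int = 4) -> float:
    """Fraction of the sample's n-grams that also appear in the reference."""
    s, r = ngrams(sample, n), ngrams(reference, n)
    return len(s & r) / len(s) if s else 0.0


def score(sample: bytes) -> Dict[str, float]:
    """Containment of the sample against every reference family."""
    return {name: containment(sample, ref) for name, ref in REFERENCE.items()}


def attribute(sample: bytes, threshold: float = 0.5) -> Optional[str]:
    """Name the best-matching family only when the overlap is substantial;
    otherwise return None rather than repeat a planted fragment's claim."""
    scores = score(sample)
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else None


def genuine_variant() -> bytes:
    """Mostly family_A code with a new tail: a real descendant."""
    return REFERENCE["family_A"][:300] + _pseudo_code(10, 100)


def false_flag_sample() -> bytes:
    """Fresh code with a 24-byte fragment copied from family_B in the middle:
    the kind of planted telltale the article describes."""
    return (_pseudo_code(20, 600)
            + REFERENCE["family_B"][100:124]
            + _pseudo_code(21, 400))


if __name__ == "__main__":
    for label, sample in (("genuine", genuine_variant()),
                          ("false flag", false_flag_sample())):
        print(label, {k: round(v, 3) for k, v in score(sample).items()},
              "->", attribute(sample))
```

The point is not the particular feature (n-grams here; real analysts use function-level hashes, string tables and naming conventions, as Talos did) but the decision rule: any single overlap, however real, is evidence that the attacker had access to the other group's tooling or samples, not evidence of who ran the operation, so it should lower confidence rather than settle the question.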
But Talos did not make a determination of how the attackers got into the network in the first place. The Post report offers a possible explanation and a more specific attribution: US intelligence officials told the Post that routers in South Korea had been compromised in advance of the Olympics. Those officials believe the routers were compromised by attackers in the employ of the GRU, Russia’s military intelligence agency. Compromising routers could have allowed the attackers to re-route network traffic, allowing surveillance of the traffic or “man in the middle” attacks—including the injection of malware into network traffic.
Router exploitation tools have generally been the domain of state intelligence agencies. Documents leaked by Edward Snowden showed the National Security Agency used these sorts of capabilities as part of Turbine, the automated cyber-attack system component of the NSA’s Tailored Access Operations toolkit. In the case of the Olympic attack, officials told the Post that members of the GRU’s Main Centre for Special Technology (GTsST) were the most likely culprits. GTsST is also believed to have been responsible for NotPetya, according to the CIA.
Motive also plays a major part in most attribution calls, and Russia had the most obvious motive amongst the three potential attackers: payback for the International Olympic Committee’s banning of many Russian athletes from the Games and its refusal to allow Russian athletes to participate as representatives of Russia. There’s also Russia’s previous Olympic hacking track record: attacks on the World Anti-Doping Agency (WADA) and Olympic officials at the 2016 Summer Olympic Games in Brazil have been attributed to Russian intelligence.