Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

‘Olympic Destroyer’ Malware Spotted in New Attacks

Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.

Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.

Olympic Destroyer is designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. The malware was used during the Olympics in an attack that disrupted IT systems, including the official event website, display monitors, and Wi-Fi connections.

Researchers noted after the attack that the hackers behind the operation planted sophisticated false flags inside Olympic Destroyer. Various clues suggested that the campaign could have been the work of North Korea, Russia or China.

Kaspersky Lab spotted new attacks involving Olympic Destroyer in May and June, and the list of targets raises even more questions about the threat actor’s goals and motives.

The latest attacks targeted financial companies in Russia and European organizations focusing on protection against chemical and biological threats, including in Germany, France, the Netherlands, Switzerland and Ukraine.

The malware was delivered using spear-phishing emails carrying malicious documents. Many of the decoy documents referenced bio-chemical threat research, and some of the text was written in perfect Russian, which suggests that a native speaker helped write it.

The attack also involved PowerShell scripts and Powershell Empire, an open-source framework that allows fileless control of the compromised machine. The malware was hosted and controlled using hacked web servers running vulnerable versions of the Joomla content management system.

The fact that financial organizations were also targeted could mean one of several things. It’s possible that the Olympic Destroyer malware is used by multiple threat groups, including one that is financially motivated. It could also be a result of cyberattack outsourcing, which researchers claim is not uncommon for nation state actors, or the financial-focused attacks could be part of another false flag operation. In any case, the new attacks involving Olympic Destroyer are significant.

“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits,” Kaspersky researchers warned.

Related: Researchers Warn Against Knee-Jerk Attribution of ‘Olympic Destroyer’ Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.