Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

‘Olympic Destroyer’ Malware Spotted in New Attacks

Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.

Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.

Olympic Destroyer is designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. The malware was used during the Olympics in an attack that disrupted IT systems, including the official event website, display monitors, and Wi-Fi connections.

Researchers noted after the attack that the hackers behind the operation planted sophisticated false flags inside Olympic Destroyer. Various clues suggested that the campaign could have been the work of North Korea, Russia or China.

Kaspersky Lab spotted new attacks involving Olympic Destroyer in May and June, and the list of targets raises even more questions about the threat actor’s goals and motives.

The latest attacks targeted financial companies in Russia and European organizations focusing on protection against chemical and biological threats, including in Germany, France, the Netherlands, Switzerland and Ukraine.

The malware was delivered using spear-phishing emails carrying malicious documents. Many of the decoy documents referenced bio-chemical threat research, and some of the text was written in perfect Russian, which suggests that a native speaker helped write it.

The attack also involved PowerShell scripts and Powershell Empire, an open-source framework that allows fileless control of the compromised machine. The malware was hosted and controlled using hacked web servers running vulnerable versions of the Joomla content management system.

The fact that financial organizations were also targeted could mean one of several things. It’s possible that the Olympic Destroyer malware is used by multiple threat groups, including one that is financially motivated. It could also be a result of cyberattack outsourcing, which researchers claim is not uncommon for nation state actors, or the financial-focused attacks could be part of another false flag operation. In any case, the new attacks involving Olympic Destroyer are significant.

Advertisement. Scroll to continue reading.

“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits,” Kaspersky researchers warned.

Related: Researchers Warn Against Knee-Jerk Attribution of ‘Olympic Destroyer’ Attack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...