Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.
Olympic Destroyer is designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. The malware was used during the Olympics in an attack that disrupted IT systems, including the official event website, display monitors, and Wi-Fi connections.
Researchers noted after the attack that the hackers behind the operation planted sophisticated false flags inside Olympic Destroyer. Various clues suggested that the campaign could have been the work of North Korea, Russia or China.
Kaspersky Lab spotted new attacks involving Olympic Destroyer in May and June, and the list of targets raises even more questions about the threat actor’s goals and motives.
The latest attacks targeted financial companies in Russia and European organizations focusing on protection against chemical and biological threats, including in Germany, France, the Netherlands, Switzerland and Ukraine.
The malware was delivered using spear-phishing emails carrying malicious documents. Many of the decoy documents referenced bio-chemical threat research, and some of the text was written in perfect Russian, which suggests that a native speaker helped write it.
The attack also involved PowerShell scripts and Powershell Empire, an open-source framework that allows fileless control of the compromised machine. The malware was hosted and controlled using hacked web servers running vulnerable versions of the Joomla content management system.
The fact that financial organizations were also targeted could mean one of several things. It’s possible that the Olympic Destroyer malware is used by multiple threat groups, including one that is financially motivated. It could also be a result of cyberattack outsourcing, which researchers claim is not uncommon for nation state actors, or the financial-focused attacks could be part of another false flag operation. In any case, the new attacks involving Olympic Destroyer are significant.
“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits,” Kaspersky researchers warned.