By: Mackenzie Blaisdell
While millions of viewers tuned in to watch the Winter Olympics opening ceremony in Pyeongchang, something ominous was occurring behind the scenes. Similar to the extensive planning that the Olympians put into preparing for the Olympics, threat actors had conducted in-depth research and organized to put the games under attack. The attack wiped out internet access, shut down the official Pyeongchang 2018 website, grounded newscasters’ drones, and prevented attendees from printing out their tickets to attend the ceremony, resulting in a curiously high number of vacant seats.
Security experts and Olympic officials soon thereafter confirmed that the network issues that occurred during the ceremony were indeed caused by a cyberattack. Though the systems were stabilized by Sunday, the incident raised significant concerns for officials, athletes, and viewers worldwide, who were left wondering what the next breach could look like and how much damage would result.
Investigations revealed that the cybercriminals involved had been planning this attack for quite some time. Timestamps suggest that the cyberattack had been in the works since late last year, as the destructive payload that hit the event was found to have been created on December 27, 2017.
The attack used hardcoded credentials embedded in malware named Olympic Destroyer. Experts with Cisco’s Talos team reported that they had found wiper malware possibly linked to the disruption.
Those responsible for Olympic Destroyer most likely conducted a sweeping cyber-espionage operation against the Games before initiating the attack. The malware required authentic login credentials for verified accounts of Olympics staff in order to rapidly disperse a destructive payload, which deletes shadow backups, boot configuration data (BCD), and event logs on infected machines.
Olympic Destroyer is unusual in that its creators engineered it to behave like a computer worm, automatically probing for and stealing user credentials before using them to attempt logins on other systems. It was specifically designed to spread rapidly within an enclosed, already compromised environment and plant a malicious payload capable of destroying data.
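Two behaviours described above are detectable from ordinary endpoint telemetry: the destructive stage, which on Windows is carried out with the built-in utilities that delete shadow copies, rewrite boot configuration data and clear event logs, and the worm-like stage, in which one stolen account authenticates to many hosts in a short burst. The following is an added example, not code from the original post or from any vendor or research team, that runs both checks over a few constructed process-creation and logon events; the host names, account names and timestamps are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the page or any real incident).
# Process-creation events: (time_s, host, user, command_line)
PROCESS_EVENTS = [
    (100, "ops-pc-01", "svc_print", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    (101, "ops-pc-01", "svc_print", r"C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled no"),
    (102, "ops-pc-01", "svc_print", r"C:\Windows\System32\wevtutil.exe cl System"),
    (300, "ops-pc-02", "alice", r"C:\Windows\System32\notepad.exe report.txt"),
]
# Network logon events: (time_s, user, source_host, target_host)
LOGON_EVENTS = [
    (110, "svc_print", "ops-pc-01", "ops-pc-02"),
    (111, "svc_print", "ops-pc-01", "ops-pc-03"),
    (112, "svc_print", "ops-pc-01", "ops-pc-04"),
    (500, "alice", "ops-pc-02", "fileserver"),
]

# Windows built-ins that delete shadow copies, disable boot recovery and
# clear event logs; legitimate use is rare, so each match is worth an alert.
DESTRUCTIVE_PATTERNS = [
    ("shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("boot config tampering", re.compile(r"bcdedit(\.exe)?\s+/set\b", re.I)),
    ("event log clearing", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]

def flag_destructive(events):
    """Return (host, user, label) for every command line matching a wiper pattern."""
    hits = []
    for _t, host, user, cmdline in events:
        for label, pattern in DESTRUCTIVE_PATTERNS:
            if pattern.search(cmdline):
                hits.append((host, user, label))
    return hits

def flag_fanout(events, min_hosts=3, window_s=60):
    """Return {user: hosts} where one account reached min_hosts machines within window_s."""
    by_user = defaultdict(list)
    for t, user, _src, target in sorted(events):
        by_user[user].append((t, target))
    alerts = {}
    for user, logons in by_user.items():
        for i, (t0, _h) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window_s}
            if len(hosts) >= min_hosts:  # worm-like credential reuse
                alerts[user] = sorted(hosts)
                break
    return alerts
```

Tune `min_hosts` and `window_s` to the environment's normal administrative fan-out before alerting on the second check; the first check needs no baseline, since event-log clearing and shadow-copy deletion from an interactive user account are rarely legitimate.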
Experts still don’t know how hackers managed to acquire so much information from Olympic employees, though penetrating a key supply chain IT vendor could have possibly provided them with an opportunity to conduct valuable reconnaissance. Targeting a supply chain vendor that’s connected to a well-secured organization to penetrate the latter is a common strategy used by sophisticated cybercriminals.
The attackers had passwords, user accounts, and server names for the Olympic Games infrastructure. Cisco’s Talos team shared that they identified 44 individual accounts in the code. Samples of the “Olympic Destroyer” reveal the perpetrators did not attempt to steal valuable information but merely sought to perform “destructive” functions.
Although the malware used was designed to destroy data and cause mass computer failures, the Winter Olympic cyber attackers stopped short of doing so. Talos researchers noted that these hackers undoubtedly demonstrated an ability to bring the attack past the finish line, so why did they hold back? Some security experts suspect the hackers intentionally preserved systems to foreshadow their unfinished business and stir up trepidation.
Although officials have yet to point the finger at any potential actors, many speculate that Russian hackers were behind the disruptions. As many of us recall, Russia was banned from the Games this year as the result of a doping scandal. Some Russian athletes were banned from the games entirely, while a few are still allowed to compete as individuals under the Olympic flag.
The Russian Ministry of Foreign Affairs made an effort to pre-empt any allegations of Russian hacks on the Winter Olympic Games two days prior to the opening ceremony. The agency went on to accuse the press, Western governments, and InfoSec organizations of instigating an “information war” accusing Russians of cyber interference and sabotage.
Officials have long suspected that this year’s Games would present unique cybersecurity challenges. The opening ceremony attack may be the first of many the world will witness during this year’s Olympic Games. The unfortunate reality is that despite all of the innovation being applied to the Olympics, little innovation was applied to cybersecurity defenses. Detection gaps in the security infrastructure and inadequate controls for early threat detection left the Olympics exposed. Credential theft can be difficult to detect, and when compounded by weak supplier controls it creates the perfect opportunity for an attacker to penetrate the network and move quietly through it while building the attack. The need to close this detection gap is a fundamental reason why ball clubs, auditoriums, and other entertainment facilities have adopted deception technology. Setting deception decoys and lures for an attacker is a tried and proven approach for early detection, deceiving the attacker into revealing themselves. This early detection removes the dwell time an attacker needs to establish a foothold and escalate.
Life has no absolutes, but I believe this attack could have been prevented if stronger detection controls had been in place. We have seen deception-based detection work reliably time and again with our customers at their major events. It may be too late for a change in security infrastructure this year, and hopefully the internet connectivity issues and malfunctioning televisions are the worst we will see. That said, organizers should view this as a shot across the bow, and the Olympics security team should start actively seeking out detection technology to amplify their cybersecurity defenses before the next round of attacks is attempted on the Games.
By: Mackenzie Blaisdell
The Olympics have always set the stage for much more than just athletic competition. Millions of people worldwide tune in to The Games to be spectators of diplomacy, culture, drama, and sometimes even propaganda. What is relatively new to the show’s program, however, is the rise of criminal and state-sponsored hacking.
The Olympics are a major target for hackers, as billions of dollars run through this event biennially. South Korea has even allocated $1.3 million for cybersecurity protection for the Olympics, mobilizing tens of thousands of security personnel, including cybersecurity analysts and 50,000 soldiers, in what has been described as one of the most militarized security forces in Olympic history to foil hacking attempts.
If the Games’ cybersecurity infrastructure proves to be inadequate, a lot is at risk. Successful cyberattacks could potentially facilitate terrorism, ransomware or kidnappings. They open up the possibility to change scoring systems or alter the photo and video replay equipment. A successful hack could mean tampering with athlete care, food dispensing systems, or the infiltration of monitoring equipment; it would open up the possibility to tamper with entry systems or even interfere with transportation. All of this could significantly alter betting odds, and competitors’ personal data could be leveraged for fraud.
The Games host hundreds of thousands of smartphones, cameras, computers, tablets, routers and vehicles, all needing to connect to a small number of easily identifiable networks. This prompts a large volume of web address lookups, or DNS queries, in a short period of time, creating countless opportunities for malware and viruses to infiltrate.
Although the phenomenon of state-sponsored hacking leading up to the Olympics is relatively new, we have seen this before. In August of 2016, the World Anti-Doping Agency was successfully hacked, and their data was publicly leaked in a campaign widely attributed to Russian hackers. That campaign took the stage amid the 2016 Summer Olympics after it became known that Russian competitors participated in a widespread, systemic and government-backed doping scheme. As a result, the country was banned from the 2018 Winter Games.
Hackers, from elementary ticket scammers to professional cyber-spies, have been preparing for the 2018 Winter Games, which commence on February 9 and run through February 25 in Pyeongchang. More than 300 Olympics-related computer systems have already been hit, with many of them compromised. Some cyber-criminals have already begun to disrupt the Olympics in the name of cyber jihad or Korean reunification. Others are merely looking to tamper with TV programs, hijack email accounts, or scalp phony tickets for profit.
Earlier this year, an influx of phishing attacks aimed at stealing passwords and financial information raised alerts worldwide; McAfee detected a sweeping campaign that began in late December against Olympic-linked groups.
All of these groups were targeted through malicious emails containing what appeared to be a Microsoft Word attachment. The emails were made to appear legitimate through the use of fake government aliases. The emails were crafted to look like they came from South Korea’s National Counter-Terrorism Centre, which was undergoing anti-terror drills in preparation for the Games.
The implants included in these phishing emails established an encrypted channel to the attacker’s server, most likely providing the attackers with the ability to execute commands on the victims’ machines and to install additional malware.
This was certainly not their last line of attack. McAfee announced on February 2nd that it had found malware serving as the second-stage payload of the phishing campaign, targeting the organizations involved.
Additionally, the Russian hacking group Fancy Bear, or APT28, recently claimed responsibility for leaking emails and documents belonging to the International Luge Federation, asserting that they demonstrate violations of anti-doping rules. The group is also known to be responsible for targeting the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, and the International Bobsleigh and Skeleton Federation. It is believed that the group may be gearing up for other Olympic-related attacks.
Clearly, cybersecurity is shaping up to be a serious force to be reckoned with when it comes to the Olympics. Whatever the cause of these attacks may be, it is evident that authorities are, and should be, concerned for the welfare of both businesses and individuals. To prepare for the onslaught, the Department of Homeland Security issued a notice on February 1st alerting travelers to the Olympics that hackers could attempt to steal credentials. Businesses should also take precautions to ensure that their employees are educated about phishing campaigns, keep their systems’ software patched, and handle their credentials with care.
Despite all precautions, attackers can and will find ways to breach a network, and it becomes a matter of detecting and stopping them before damage can be done. Organizations must be prepared and confident in their early detection of these threats to preserve not only the experience but also the safety of the Olympic athletes, supporting organizations, and attendees.
One thing we can be sure of: We cannot trust these actors to do the right thing in this environment, as they have demonstrated time and time again that they will not hesitate to create chaos or cause harm to personal safety.