Olympic Destroyer malware that plagued the Winter Olympics has returned

The advanced threat actor behind attempts to sabotage the 2018 Winter Olympics has resurfaced, researchers have warned, with its eyes set on a host of new targets.

Relying on advanced forms of deception, Olympic Destroyer was a cyber sabotage attack rooted in the spread of a destructive network worm, preceded by extensive research into its targets to establish the best launchpad for its self-replicating and self-modifying malware.

The attack was a "masterful operation in deception", according to researchers at Kaspersky Lab, who have now spotted spear-phishing documents carrying a payload resembling that of Olympic Destroyer - this time targeting Russian financial institutions, and biological and chemical threat prevention labs across Europe.

Although Kaspersky has spotted decoy documents loaded with hidden malware, similar to those Olympic Destroyer used against unsuspecting users, there is no sign of a worm as yet, indicating that any new attack is still in its initial "reconnaissance stage".

Analysis of the subject lines of the phishing emails, the malware-laden documents they carry and the filenames of those attachments reveals that the attackers appear to be targeting biological and chemical threat prevention labs in Germany, France, Switzerland, the Netherlands and Ukraine, as well as Russian financial institutions. However, the attackers' "excessive use of various false flags" means that indicators pointing at the Russian financial sector may be yet another deception.

One of the attachments highlighted by Kaspersky, named 'Investigation_file.doc', heavily references the nerve agent used in the Salisbury poisoning of Sergey Skripal and his daughter in March 2018, while another refers to 'Spiez Convergence', a biochemical threat research conference organised by Spiez Laboratory, a party involved in the investigation.

"Despite initial expectations for it to stay low or even disappear, Olympic Destroyer has resurfaced with new attacks in Europe, Russia and Ukraine," said Kaspersky's team.

"In late 2017, a similar reconnaissance stage preceded a larger cyber-sabotage stage meant to destroy and paralyse infrastructure of the Winter Olympic Games as well as related supply chains, partners and even venues at the event location.

"It's possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives."

The researchers have advised all biochemical threat prevention and research organisations across Europe to strengthen their security measures and to run unscheduled audits, so that any attack is caught before it gets far.

Targets in the financial sector may be the result of cyber attack outsourcing, Kaspersky added, which is "not uncommon among nation state actors", and may indicate that several groups are using the same strain of malware for their own aims; for instance, one seeking financial gain and another seeking espionage targets.

Kaspersky, however, also noted that the variety of targets "might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers' attention".

Principal security researcher David Emm told IT Pro that Kaspersky had come no closer to establishing the identity of those behind Olympic Destroyer, and that the lack of correlation between the targets raised further questions.

Explaining why one would target organisations such as Spiez Laboratory he said: "There's reference for example, in one of the documents, to the Salisbury event. You could imagine that there could be several reasons why somebody would want to get information on that, because they could make a lot of mischief apart from anything else.

"If it's a state-backed thing, then obviously that's one thing - that's linked to geopolitics. But even if it isn't, if you are able to uncover information about analysis that was done in that case, you could actually stir things up at the very least.

"So it could be anything from geopolitical right through to people wanting to dox, or publish compromising information. On top of that, because we've got this mixture of that as a target as well as the Russian financial institution, there's no clarity at the moment on what their motives are."

Outlining how targeted organisations can protect themselves, Emm continued: "The key with a targeted attack, of course, is that there may not be obvious signs of attack in the way there would be for example in a ransomware attack or there might be with a general purpose banking Trojan or cryptomining software, or any of those other kinds of attacks.

"So the key with this is that companies should be thinking in terms of proactive monitoring. This means looking at not just traditional endpoint, but looking also at being able to pick up activities within the network that look anomalous, looking for things that don't seem quite right, and then, on the basis of that, look at what that activity might relate to, and what you could do about it.

"There are other things you can do, which is looking at the whole issue of whitelisting - put that in place so you are only allowing the execution of legitimate applications, and so you're pinning right down what can run in that environment, to restrict anything that could possibly be malicious."

The Olympic Destroyer attack crippled the Winter Olympics' infrastructure shortly before the opening ceremony on 9 February 2018, knocking out display monitors and Wi-Fi networks and taking the official website offline.

It was quickly pinned on North Korea, in light of similarities to malware components used by the Lazarus Group - a hacking collective with ties to the regime - but further investigation of the code revealed that the set of features "was simply forged to perfectly match the fingerprint used by Lazarus" in order to frame the group.

Documents carrying malware, such as those used in the Olympic Destroyer attack, are tailored to be relevant to the victim and do not look suspicious, Kaspersky added, meaning the usual advice to be more careful about opening documents will not work. The researchers intend to continue tracking Olympic Destroyer and to observe its next moves.
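If recipients cannot be expected to spot a well-crafted decoy, the check has to move to the mail gateway or sandbox queue and look at the attachment's content rather than its name. The block below is an added example written for this page, not Kaspersky's or IT Pro's code, and it assumes something the article does not state: that the hidden payload is delivered as a VBA macro project inside the document (the common case for Office lures). It flags legacy OLE2 files (.doc) that contain a `_VBA_PROJECT` stream and Office Open XML files (.docm, .docx) that contain a `vbaProject.bin` part, and it also catches a macro container wearing a macro-free extension. The sample attachments are constructed byte strings, not real Olympic Destroyer documents, and the filenames are reused from the article only as labels.

```python
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header (legacy .doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML (.docx/.docm/.xlsm ...) is a zip

# Every VBA project stored in an OLE2 container has a "_VBA_PROJECT" stream.
# OLE directory entry names are stored as UTF-16LE, so that is the byte pattern to scan for.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

# Extensions Office treats as macro-free. A macro container carrying one of these
# names is either renamed or spoofed, and deserves a closer look either way.
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}


def has_vba_project(data: bytes) -> bool:
    """Content-based check: does this Office document embed a VBA project?"""
    if data.startswith(OLE_MAGIC):
        # Heuristic byte scan instead of a full FAT/directory walk: adequate for
        # triage, but a production pipeline should use a real OLE parser (e.g. oletools).
        return OLE_VBA_MARKER in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # word/, xl/ and ppt/ all use the same part name for the macro project.
                return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one mail attachment; the verdict never depends on the filename alone."""
    ext = os.path.splitext(filename)[1].lower()
    is_office = data.startswith(OLE_MAGIC) or data.startswith(ZIP_MAGIC)
    macro = has_vba_project(data)
    if macro:
        verdict = "quarantine"        # active content in inbound mail: detonate before delivery
    elif is_office:
        verdict = "deliver"
    else:
        verdict = "unknown-format"    # not an Office container; hand to other scanners
    return {
        "filename": filename,
        "has_macros": macro,
        "extension_mismatch": macro and ext in MACRO_FREE_EXTS,
        "verdict": verdict,
    }


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for this example (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")  # placeholder bytes
    return buf.getvalue()


# Constructed sample attachments (labels only; none of these is a real sample).
SAMPLES = {
    # Legacy .doc whose directory carries a VBA project stream name.
    "Investigation_file.doc": OLE_MAGIC + b"\x00" * 24 + OLE_VBA_MARKER + b"\x00" * 8,
    # Legacy .doc with no macro project.
    "agenda.doc": OLE_MAGIC + b"\x00" * 64,
    # Properly labelled macro-enabled document.
    "Spiez_Convergence.docm": _build_ooxml(with_macro=True),
    # Macro container renamed to a macro-free extension.
    "report.docx": _build_ooxml(with_macro=True),
    # Clean OOXML document.
    "notes.docx": _build_ooxml(with_macro=False),
}


def triage_all(samples: dict) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        print(f"{name:24} macros={str(result['has_macros']):5} "
              f"mismatch={str(result['extension_mismatch']):5} -> {result['verdict']}")
```

The point of the `extension_mismatch` flag is that the decision is made on bytes, not names: a lure can be called whatever the sender likes, and a `.docx` that turns out to hold a VBA project is a stronger signal than a `.docm` that does. The OLE check is deliberately a heuristic; for anything beyond first-pass triage, parse the container properly and extract the macro source for inspection.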

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.