During the 2018 Winter Olympics in South Korea, a new threat actor emerged that created headaches for InfoSec professionals. Dubbed “Olympic Destroyer,” the attackers in question targeted affiliates of the Winter Games (such as organizers, suppliers, and partners) via a worm virus and various misdirection attacks to shake the trail of the authorities. The research that Olympic Destroyer did before the widespread cyberattacks indicated that this individual (or group of individuals) was a serious player and skilled in their craft. While Olympic Destroyer went dark following the games, many wondered when they might re-emerge.
It turns out that, according to research from Kaspersky Lab, Olympic Destroyer is back and causing even more damage than before. The research findings were published in a post on SecureList and indicate that the hacker is moving on to bigger targets. Specifically, Olympic Destroyer is going after various financial organizations based in Russia and, more disturbingly, is also targeting laboratories in Ukraine that specialize in prevention of biological and chemical weapon attacks.
The financial targets in Russia are being attacked via spear-phishing documents that utilize “perfect Russian language.” One such document relates to the hot-button issue of the poisoning of Russian double-agent Sergei Skripal and his daughter in Salisbury, UK, namely in that it pretends to be a news update about the case. The Ukrainian targets in the “biological and epizootic threat prevention field” are also targeted via infected document macros, except this document appears to be an actual official statement copied word-for-word from the Ukrainian Ministry of Health.
Naturally, once the documents are downloaded, the host machine becomes infected with malicious software. It is elements of the infection method that led Kaspersky Lab to ascertain that these spear-phishing attacks were the work of Olympic Destroyer. As they explain in the report:
The infection procedure is a bit more complex and relies on multiple different technologies, mixing VBA code, PowerShell, MS HTA, with JScript inside and more PowerShell… The embedded macro is heavily obfuscated. It has a randomly-generated variable and function… This VBA code was obfuscated with the same technique used in the original Olympic Destroyer spear-phishing campaign… The obfuscator is using array-based rearranging to mutate original code and protects all commands and strings, such as the command and control (C2) server address. There is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.
The end result of the payload execution (which is a PowerShell Empire agent) results in deep access into the infected machines. While it is impossible to know what the data is being collected for, it is clear that a whole swath of it is being taken from major players in critical industries. Researchers still do not know who the Olympic Destroyer is, nor their motives. The type of information obtained in these recent spear-phishing campaigns can be leveraged in countless ways, so jumping to conclusions is simply not helpful at this point.
Kaspersky researchers recommend “cooperation between the private sector and governments across national borders” and beefing up security measures at locations that especially deal with chemical and biological threat prevention. The first recommendation is going to be difficult because of the talking heads in this world intent on dividing us, but hopefully, InfoSec professionals can circumnavigate this animosity and protect civilians as we are sworn to do.
Featured image: Flickr / Christiaan Colen