Olympic Destroyer malware was aimed at disrupting games, claims Cisco Talos

Attackers wanted to embarrass the Winter Olympics' organisers, suggest security researchers

Cyber security researchers have warned that the malware attack targeting the Winter Olympics in Pyeongchang, South Korea is more dangerous than initially thought.

It comes after the opening ceremony was plagued with serious technical glitches, which were believed to be tied to a possible cyber attack.

That eventually turned out to be the case, but the security specialists at Cisco Talos have reason to believe that the attacks are far more significant than anyone could have imagined.

After identifying technical problems with its non-critical systems, officials opened an investigation and found that hackers had targeted the games.

Talos has since uncovered the samples of the attack, providing a glimpse into the possible motives of the attackers. The researchers are confident that the hackers launched the attack with "destructive" aims in mind.

When the attack took place, many experts feared that the attackers wanted to get access to data. But Talos believes that they simply wanted to disrupt the games instead.

"The samples analysed appear to perform only destructive functionality. There does not appear to be any exfiltration of data," it explained.

It continued: "Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample."

The attackers tried to make the computers obsolete by removing event logs and shadow copies. They also tried to use PsExec and WMI.

They used a complex process to do these things. "The initial sample is a binary that, when executed, drops multiple files on to the victim host," it said.

"These files are embedded as resources (obfuscated). These files are named using randomly generated file names, however, the hashes of the file when written to disk is the same during our analysis on multiple instances.

The attackers also appear to have had a significant understanding of the Olympic Game's technical systems before launching the attack. They were already aware of user names, server names, domain information and passwords, claims Cisco Talos.

"Olympic Destroyer drops a browser credential stealer. The final payload is embedded in an obfuscated resource," said Talos.

"In addition to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz. Here is the output format parsed by the initial stage

Based on these findings, Talos said the "actors behind this were after embarrassment of the Olympic committee during the opening ceremony".

It said: "Disruption of services included the Olympic website being offline, meaning individuals could not print their tickets. The opening ceremony reporting was degraded due to WiFi failing for reporters on site."