James Steidl - Fotolia
The malware used to target the Winter Olympic Games in Pyeongchang, South Korea, has reportedly identified a potential breach at Atos, the worldwide IT partner of the International Olympic Committee (IOC).
Although neither the opening ceremony nor critical operations were affected by the cyber attack, some internet and TV services were affected and the IOC shut down servers and the official games website to prevent further damage.
The IOC said the issues had been resolved quickly, but declined to comment on the details, saying only that the IOC was making sure its systems were secure.
It has subsequently emerged that the malware, commonly referred to as Olympic Destroyer and initially identified by Talos researchers, was used in the attack.
According to the Talos researchers, the malware required the login credentials of Olympics staff to propagate quickly and spread a destructive payload, which deletes files.
Samples of the malware were uploaded to the VirusTotal malware analysis site, revealing that the code contained Atos employee credentials, and suggesting that those behind the attack had penetrated an Atos nework in December 2017, pointing to how the attackers were able to access the required credentials, according to CyberScoop.
Some of the malware samples were uploaded from France, where the report notes that Atos is headquartered, and Romania, where some members of the Atos security team are based. If the intrusion and the link to the Olympic Destroyer malware are confirmed, the cyber attack on the Winter Games will be yet another example of the importance of supply chain security.
Atos told the news site that it is investigating a potential breach with the help of McAfee’s Advanced Threat Research team and law enforcement, but added: “Credentials embedded in the malware do not indicate the origin of the attack.”
Russia, China and North Korea have all been blamed for the cyber attack on the Olympics, but most security experts admit that attribution is extremely difficult, while others argue that attribution is irrelevant, and that the focus should be on the economic impact of attacks and reducing that impact.
According to research by security firm Recorded Future, analysis surrounding malware code similarities of Olympic Destroyer have yielded many leads, but “no conclusive attribution”.
However, the researchers said Olympic Destroyer should be treated with a high level of concern, because of the destructive nature of the malware and its potent mechanisms to spread laterally.
They also noted that the co-occurrence of disparate code overlaps in the malware may indicate a false flag operation, attempting to dilute evidence and confuse researchers.
Priscilla Moriuchi, director of strategic threat development at Recorded Future, said attribution continues to be important because it shapes the victim, public and government responses.
“However, accurate attribution is both more crucial and more difficult to determine than ever because adversaries are constantly evolving new techniques and the expertise required to identify a sophisticated actor keeps increasing,” she said.
Juan Andres Guerrero-Saade, principal security researcher in the Insikt Group at Recorded Future, said complex malware operations give cause to re-evaluate research methods to ensure the research community is not being misled by its own eagerness to attribute attacks.
“The Olympic Destroyer campaign comes at a precarious time of geopolitical tensions with several possible perpetrators, but conclusive proof in any one particular direction has not yet been shared,” he said.