False Flag Attack Against Winter Olympics in South Korea

Incident

The opening ceremony February 9 of the Winter Olympics in South Korea was hacked according to the game organisers. The hacking disrupted the Internet and broadcasting services related to Olympic Games. Many of the attendees were unable to print their tickets for the ceremony, resulting in empty seats. 

According to US sources, the attack was made by the Russian organisations as retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping violations.

The Russian hackers were trying to provide a false flag, i.e., trying to convince that the attack originates from North Korea. The mask-swapping included injecting fingerprints of other known attackers in malware that was used to take down several hundreds of computers just in time for the opening ceremony.

Details

The hackers attacked the Olympic organisation with different tools:

• The Olympic Destroyer malware tore down the computer networks just ahead of the opening ceremonies, paralyse display monitors, shutting Wi-Fi networks, and denying access to Olympics’ website. The malware used the password-stealing tool, Mimikatz and spread via Windows PSExec and WMI before encrypting or destroying data. It destroyed precisely the amount of data than the North Korean Lazarus hacking team. The attackers proxied their avenue of approach through North Korean IP-addresses. The code of Olympic Destroyer shared almost 20% similar to known Chinese team APT 3 and created the encryption keys similar to another Chinese team APT 10.
• The known Russian hacking team Fancy Bear had been attacking Olympics-related organisations for months before the opening, stealing documents and leaking them.
• The Russian military intelligence organisation GRU had gained access to as many as 300 Olympic-related computers early February.
• January, the GRU hackers were infiltrating in South Korean routers to capture more intelligence data. During the opening ceremony, they rerouted the traffic, thence prevented the access to web pages.

It is claimed that GRU was working through the Main Center for Special Technology, GTsST, which allegedly was behind the NotPetya attack against Ukraine last year. This is not the first time that Russian is trying to masquerade their attack vectors since they have previously used fronts like Russian CyberBerkut, ISIS Cyber Caliphate, and Romanian Guccifer 2.0.

The mask-swapping is easy in the cyber environment; use the similar open source code, use same filenames, copy some of the functions elsewhere, use typical attack vectors for others, and reroute the command and control connections elsewhere.

References

1. https://www.wired.com/story/russia-false-flag-hacks/

2. https://www.digitaltrends.com/computing/olympics-2018-hack/

3. https://www.msn.com/en-us/sports/winter-olympics/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/ar-BBJxnxv