The untold story of the cyber attack on the 2018 Olympics

(To Carlo Mauceli)

On January 1, 1863, Pierre de Coubertin was born, the man we must thank for having revived the Olympics. Their noble intentions and values are the essence of sport, but unfortunately they have often been betrayed, and continue to be betrayed today.

Why, after so many years, are we still so fascinated by the Olympics?

In addition to giving visibility to all sports and symbolizing the union between peoples in difficult times, the Olympics represent continuity with our origins. The five rings are perceived as a common thread running from ancient Greece to the 21st century, a point of contact between us and our roots. Nations change, currencies change, customs and habits change, but man always remains the protagonist.

With the world of sport increasingly oriented towards economic interests at the expense of passion, it is no surprise that a story has recently emerged which shows how, in our day, nothing can be considered safe and everything can become a target for those who, increasingly often hired and financed by states, create turbulence to bring about social, political and economic changes in their favor.

Drawing on Andy Greenberg's book Sandworm, this article retraces the cyber attack that took place on the eve of the 2018 Winter Olympic Games: a story that passed largely in silence, about which very little is known, but which represents one of the most striking examples of cyberwar in history.

Just before 20:00 on February 9, 2018, in the north-eastern mountains of South Korea, Sang-jin Oh was sitting quietly a few dozen rows up from the floor of the vast pentagonal Olympic stadium in Pyeongchang. He wore an official gray-and-red Olympics jacket that kept him warm despite the near-freezing weather, and his seat behind the press section gave him a clear, complete view of the raised circular stage a few hundred meters in front of him. The opening ceremony of the 2018 Winter Olympic Games was about to begin.

As the lights wound around the open structure of the stadium, anticipation could be felt in the buzz of more than 35,000 people, and the show was spectacular. Few people were living that wait more intensely than he was. For more than three years, the 47-year-old civil servant had been responsible for the technological infrastructure of the Pyeongchang Olympics organizing committee. He had overseen the setup of an IT infrastructure for the games that included more than 10,000 PCs, 20,000 mobile devices, 6,300 Wi-Fi routers and 300 servers in two data centers located in Seoul.

The infrastructure had worked perfectly, or at least it seemed so. Half an hour earlier, however, he had heard of an annoying technical problem. Its source was an IT company from which another hundred servers had been rented for the Olympics. So close to the inauguration, with the eyes of the whole world on him, this news was hard to bear.
The Seoul data centers, however, reported no malfunction, and Oh's team believed the problems were manageable. He still didn't know that stadium tickets could not be printed. So he had settled into his seat, ready to enjoy the event that was certainly the most important moment of his career.

Ten seconds before 20:00, the countdown numbers began to appear one by one, while a chorus of children's voices counted down in Korean:
"Sip! ... Gu! ... Pal! ... Chil! ..."

In the middle of the countdown, Oh's phone suddenly lit up. He looked down and saw a message on KakaoTalk, a popular Korean messaging app. It was the worst possible news Oh could have received at that moment: something or someone was shutting down every domain controller in the Seoul data centers, the servers that formed the backbone of the Olympics' IT infrastructure.

As the opening ceremony began, thousands of fireworks exploded around the stadium and dozens of Korean puppets and dancers took the stage. Oh, though, saw none of it. He was messaging furiously with his staff as they helplessly watched their entire IT infrastructure shut down, piece by piece. He soon realized that what the partner company had reported was not a simple technical problem: it had been the first sign of an ongoing attack. It was now clear that he had to get to his technology operations center.

As Oh made his way from the press section to the stadium exit, the reporters around him had already begun complaining that the Wi-Fi was down. Thousands of Internet-connected televisions showing the ceremony around the stadium and in 12 other Olympic venues had gone black. Every RFID-based security gate controlling access to the Olympic buildings was down. The official Olympics app, including its digital ticketing function, was also out of order.

The Pyeongchang organizing committee had, however, prepared for situations like this. Its cyber security team had met 20 times since 2015. They had run exercises as early as the summer of the previous year, simulating disasters such as cyber attacks, fires and earthquakes. But now that one of those nightmare scenarios had actually unfolded, the feeling, for Oh, was both maddening and surreal. "It actually happened," Oh thought, as if to shake off the feeling that it was just a bad dream.

Once Oh had pushed through the crowd, run to the stadium exit and out into the cold night air, he was joined by two other IT employees. They jumped into a Hyundai SUV and began the longest 45-minute drive of their lives, to the coastal city of Gangneung, where the Olympics technology operations center was located.

From the car, Oh called the employees at the stadium, telling them to start handing out Wi-Fi hotspots to reporters and to have security check badges manually, because all the RFID systems were down. But this was the least of their concerns. Oh knew that in about two hours the opening ceremony would end and tens of thousands of athletes, visitors and spectators would discover that they had no Wi-Fi and no access to the Olympics app, with its schedules, hotel information and maps. The result would be humiliating. If they couldn't get the servers back up by the next morning, the organizing committee's entire IT backend, responsible for everything from meals to hotel reservations to event ticketing, would stay offline while the games were in full swing. The largest technological fiasco in history, in one of the most technologically advanced countries in the world, was on the horizon.

Oh arrived at the Gangneung technology operations center at 21:00, halfway through the opening ceremony. The center was a large open space with desks and computers for 150 employees; an entire wall was covered with screens. When he entered, many of the staff were on their feet, clustered together, anxiously discussing how to respond to the attack. The problem was compounded by the fact that basic services such as email and messaging were offline.

All nine domain controllers that governed authentication had somehow been disabled, making every resource inaccessible. The staff had settled on a workaround: bypass the dead "gatekeeper" machines by setting up direct access to the surviving servers that powered basic services such as Wi-Fi and the Internet-connected televisions. In this way they managed to bring those services back online a few minutes before the end of the ceremony.

Over the next two hours, while trying to rebuild the domain controllers and restore a sound, secure network, the technicians discovered that, as in a game of whack-a-mole, services were being knocked out faster than they could restore them: a clear sign that someone was still on the network.

A few minutes before midnight, Oh and his system administrators reluctantly decided on a desperate measure: they would disconnect the entire network from the Internet in an attempt to isolate it from the attackers, since it was clear that the attackers could still move inside it through the command-and-control channels they had established. Of course, that meant taking down every service, even the public Olympics website. On the other hand, it was the only way to eradicate the infection.

For the rest of the night Oh and his staff worked frantically to rebuild the "digital nervous system" of the Olympics. By 5am, a Korean security partner, AhnLab, had managed to create an antivirus signature that could help Oh's staff stop the malware on the thousands of infected PCs and servers on the network.

At 6:30 in the morning, the system administrators reset the staff passwords in the hope of locking the hackers out. Just before 8am, almost exactly 12 hours after the cyberattack on the Olympics began, Oh and his sleepless colleagues finished rebuilding their servers from backups and began restarting services.

Surprisingly, everything worked and, overall, the disruption was minimal. A Boston Globe journalist later called the games "flawlessly organized". Thousands of athletes and millions of spectators remained unaware that the Olympics staff had spent the night fighting an invisible enemy who threatened to throw the whole event into chaos.
A few hours after the attack, however, the first rumors began to circulate in cybersecurity communities about the problems that had brought down the Olympics website, Wi-Fi infrastructure and various applications during the opening ceremony. Two days after the ceremony, the Pyeongchang organizing committee confirmed that it had been the target of a cyberattack but declined to comment on who might have been behind it.

The incident immediately became an international case. Who would have dared to carry out a cyber attack on the digital infrastructure of the Olympics?

The Pyeongchang cyber attack would prove to be the most deceptive hacking operation in history, one in which the most sophisticated means ever seen were used to confuse the forensic analysts searching for the culprits.

The difficulty of proving the source of an attack, the so-called attribution problem, has plagued cyber security since the dawn of the Internet. The most sophisticated hackers route their connections through winding paths and dead ends, making it almost impossible to follow their tracks. Forensic analysts, however, have learned to determine the identity of hackers by other means, looking for clues in the code, in infrastructure connections and in political motivations.

In recent years, however, state-sponsored cyberspies and saboteurs have increasingly experimented with another trick: planting so-called "false flags". These acts, designed to deceive both security analysts and technicians, have given rise to imaginative narratives about the identities of hackers that are difficult to erase, even after governments have announced the official findings of their intelligence agencies. Of course, it doesn't help that these official findings often come weeks or even months after the attack, but that is how it is.
For example, when North Korean hackers breached Sony Pictures in 2014 to prevent the release of "The Interview", they invented a "hacktivist" group called "Guardians of Peace" and tried to mislead investigators with a vague ransom note. Even after the FBI declared North Korea responsible and the White House imposed new sanctions against the Kim regime as punishment, several security companies continued to argue that the attack must have come from an insider.

When state-sponsored Russian hackers stole and published emails from the Democratic National Committee and Hillary Clinton's campaign in 2016, we now know that the Kremlin likewise made up stories to cover up the attack and shift responsibility for it onto others. It invented a lone Romanian hacker named Guccifer 2.0 to take the blame, spread rumors that a Democratic staff member named Seth Rich, who was later murdered, was responsible for publishing the emails, and distributed the stolen documents through a fake site called DCLeaks. These falsehoods, or deceptions if you prefer, became conspiracy theories, used and exploited by right-wing supporters and by presidential candidate Donald Trump.

An atmosphere of mistrust in institutions had thus been created, and credit given to those supporting the false theses. The skeptics also rejected clear indications pointing to the Kremlin's responsibility, so much so that even a joint statement by the US intelligence agencies four months later, attributing responsibility for the attack to Russia, could no longer change what ordinary people thought about the incident. Even today, an Economist poll shows that about half of Americans say they believe Russia interfered in the election.

With the malware that hit the Pyeongchang Olympics, the art of digital deception made huge strides. Investigators would find in the malicious code not a single false flag but several false clues, pointing to several potential culprits. Some of these clues were hidden so deeply that, it has been said, nothing like it had ever been seen before.

From the outset, the geopolitical motivations behind the Olympic sabotage were far from clear. Any cyberattack in South Korea is, of course, routinely blamed on North Korea. The so-called "hermit kingdom" has plagued its capitalist neighbor with low-level military and cyberwar provocations for years. On the eve of the Olympics, analysts at the computer security company McAfee warned that Korean-speaking hackers had targeted the Pyeongchang Olympic organizers with phishing emails and that North Korea was responsible for creating ad hoc malware to target the Olympics' digital infrastructure.

There were, however, contradictory signs on the public stage. At the start of the Olympics, North Korea seemed to be experimenting with a friendlier approach. The North Korean dictator, Kim Jong-un, had sent his sister as a diplomatic emissary to the games and had invited South Korean president Moon Jae-in to visit the North Korean capital of Pyongyang. The two countries had even floated the idea of competing at the Games with a single women's hockey team. So why would North Korea launch a disruptive cyberattack in the middle of the Games?

Then there was Russia. The Kremlin had its own motive for an attack on Pyeongchang. Doping investigations into Russian athletes had led to a humiliating result before the 2018 Olympics: its athletes would be allowed to compete, but not to wear Russian colors or accept medals on behalf of their country. For years before that verdict, a state-sponsored Russian hacker team known as Fancy Bear had been fighting back, stealing and leaking data about doping practices. Russia's exile from the games was exactly the kind of grievance that could inspire the Kremlin to unleash a disruptive attack at the opening ceremony. If the Russian government couldn't enjoy the Olympics, then nobody would.

Here too, however, things were not so clear. A few days before the opening ceremony, Russia had denied any hacking activity involving the Olympics. "We know that the western media are planning pseudo-investigations on the subject of 'Russian fingerprints' in hacking attacks on IT resources related to hosting the Olympic Winter Games in the Republic of Korea," the Russian Foreign Ministry told the Reuters agency. "Of course, there is no evidence to prove it."
In fact, there would turn out to be plenty of evidence pointing to Russia's responsibility. The real problem was that there was also a great deal pointing the other way, in a classic game of deception.

Three days after the opening ceremony, Cisco's Talos security division revealed that it had obtained a copy of the malware created for the Olympics and had dissected and analyzed it. Someone from the Olympics organizing committee or, perhaps, the Korean security company AhnLab had uploaded the malicious code to VirusTotal. The company would later publish its analysis in a blog post and give the malware the name Olympic Destroyer.

In outline, Olympic Destroyer's anatomy resembled two previous Russian cyberattacks: NotPetya and Bad Rabbit. Like those earlier attacks, Olympic Destroyer used a credential-theft tool, combined with Windows remote access features and vulnerabilities left exposed by missing updates, to spread from machine to machine across the network. Finally, it used a data-destruction component that cleared the boot configuration of infected machines before disabling all Windows services and shutting down the computers so they could not be restarted. Analysts at the security firm CrowdStrike found other code pointing to Russia: elements resembling a piece of Russian ransomware known as XData.

Despite this, there was no clarity, because there seemed to be no real code overlap between Olympic Destroyer and the earlier NotPetya or Bad Rabbit worms, even though they shared similar characteristics. Most likely, the components had been rewritten from scratch or copied from other sources.

Deeper analysis showed that the data-wiping part of Olympic Destroyer had the same characteristics as the data-wiping code used not by Russia but by the North Korean hacker group known as Lazarus. When the Cisco researchers put the logical structures of the two wiper components side by side, they did seem to match, albeit loosely. Both destroyed files in the same way: by deleting only the first 4,096 bytes.

So was North Korea behind the attack?

There were, however, other tracks leading in completely different directions. The security firm Intezer noted that a piece of credential- and password-stealing code matched exactly the tools used by a hacker group known as APT3, which multiple cybersecurity firms have linked to the Chinese government. The company also identified a component that Olympic Destroyer used to generate encryption keys and tied it to another group, APT10, also linked to China. Intezer pointed out that this encryption component had never been used by any other hacking team before. Russia? North Korea? China? The further the analysis of the malware went, the more actors appeared on the horizon, and everything seemed extremely contradictory.

In fact, all those clues, so often contradictory, seemed designed not to lead analysts to a single answer but to create confusion and make the puzzle extremely difficult to solve. The mystery put investigators to the test by sowing enormous doubt. "It was a real psychological warfare aimed at analysts," said Silas Cutler, a security researcher who at the time worked for CrowdStrike.

That doubt, just as much as the sabotage of the Olympics, seemed to have been the real goal of the malware, said Craig Williams, a Cisco researcher. "Even when such an attack completes its mission, the real message being sent to the security community is evident," Williams said. "In analyzing a cyber attack it is very difficult to attribute responsibility, because you can always be misled." And this is, indeed, a profound truth.

The Olympics organizing committee, it turned out, wasn't the only victim of Olympic Destroyer. According to the Russian security firm Kaspersky, the cyber attack also hit other targets connected to the Olympics, including Atos, an IT service provider in France that supported the event, and two ski resorts in Pyeongchang. One of them had been infected seriously enough that its lifts were temporarily stopped.

In the days after the attack on the opening ceremony, Kaspersky's Global Research and Analysis Team had obtained a copy of the Olympic Destroyer malware from one of the ski resorts and begun analyzing it differently from Cisco and Intezer. They analyzed its "header", a part of the file's metadata that contains clues about which programming tools were used to build it. Comparing that header with other malware samples, they found a perfect match with the data-wiping method used by the North Korean hackers Lazarus, the same one Cisco had already pointed to. The North Korean theory seemed confirmed.
But a senior Kaspersky researcher named Igor Soumenkov decided to do something different. Soumenkov, known as an ethical hacking prodigy, had been recruited into Kaspersky's research team at a very young age and had an extraordinarily deep knowledge of file headers. So he decided to double-check his colleagues' findings.

Soumenkov examined the code and determined that the header metadata bore no relation to the malware code: the malware had not been written with the programming tools usually associated with that header. In short, the metadata was a fake.
This was different from all the other signs of misdirection researchers had found so far. Until then, no one had been able to say for sure which clues were real and which were not. But now, digging into the code and metadata themselves, Soumenkov had found a false flag, a true deception. It was now clear that someone had tried to ensure the malware would be attributed to North Korea, and had almost succeeded, but thanks to Kaspersky's meticulous triple check the deception had come to light.
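An added example, not from the article or from Kaspersky's analysis, showing one objective check a practitioner can run on the kind of header metadata described above: a Windows PE file's "Rich" header records which compiler and linker builds touched the binary, and its XOR key doubles as a checksum over the DOS header and those entries, so a header lifted from another binary or edited by hand without recomputing the key can be caught. The code parses that header from a constructed sample and verifies the key; the product ids, build numbers and forged key are made-up values.

```python
import struct

RICH_SIG = 0x68636952  # little-endian "Rich"
DANS_SIG = 0x536E6144  # little-endian "DanS"
DOS_STUB = b"This program cannot be run in DOS mode.\r\n$"


def _rol32(value: int, count: int) -> int:
    count &= 0x1F
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(dos_region: bytes, compids) -> int:
    """Recompute the Rich header key from the bytes it covers: every DOS
    header/stub byte (except e_lfanew) rotated by its offset, plus every
    compid rotated by its use count, seeded with the Rich header's offset."""
    csum = len(dos_region)
    for i, b in enumerate(dos_region):
        if 0x3C <= i < 0x40:  # e_lfanew is excluded from the checksum
            continue
        csum = (csum + _rol32(b, i)) & 0xFFFFFFFF
    for compid, count in compids:
        csum = (csum + _rol32(compid, count)) & 0xFFFFFFFF
    return csum


def parse_rich_header(data: bytes):
    """Decode the Rich header between the DOS stub and the PE signature.
    Returns (start_offset, key, [(product_id, build, count), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    idx = data.rfind(b"Rich", 0, e_lfanew)
    if idx < 0:
        raise ValueError("no Rich header")
    key = struct.unpack_from("<I", data, idx + 4)[0]
    pos, raw = idx - 4, []
    while pos >= 0:  # walk back, un-XORing, until the DanS marker
        dword = struct.unpack_from("<I", data, pos)[0] ^ key
        if dword == DANS_SIG:
            break
        raw.append(dword)
        pos -= 4
    else:
        raise ValueError("DanS marker not found")
    raw.reverse()
    body = raw[3:]  # skip the three zero padding dwords after DanS
    if len(body) % 2 or any(raw[:3]):
        raise ValueError("malformed Rich header")
    entries = [(body[i] >> 16, body[i] & 0xFFFF, body[i + 1])
               for i in range(0, len(body), 2)]
    return pos, key, entries


def rich_header_is_consistent(data: bytes) -> bool:
    """True when the stored key equals the checksum over this file's own
    DOS header and entries; a transplanted or hand-edited header fails."""
    start, key, entries = parse_rich_header(data)
    compids = [((p << 16) | b, c) for p, b, c in entries]
    return rich_checksum(data[:start], compids) == key


def build_sample(entries, key=None) -> bytes:
    """Constructed PE-like blob: DOS header + stub, Rich header, PE signature.
    key=None stores the genuine checksum; any other value simulates a key
    copied from some other binary that does not belong to these bytes."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    compids = [((p << 16) | b, c) for p, b, c in entries]
    if key is None:
        key = rich_checksum(bytes(dos), compids)
    rich = bytearray()
    for dword in (DANS_SIG, 0, 0, 0):
        rich += struct.pack("<I", dword ^ key)
    for compid, count in compids:
        rich += struct.pack("<II", compid ^ key, count ^ key)
    rich += struct.pack("<II", RICH_SIG, key)
    while len(rich) % 16:
        rich += b"\0\0\0\0"
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(rich))  # e_lfanew
    return bytes(dos) + bytes(rich) + b"PE\0\0"


# Constructed (product_id, build, count) triples, not taken from any real sample.
SAMPLE_ENTRIES = [(0x00FD, 23026, 12), (0x0102, 23026, 1)]
GENUINE = build_sample(SAMPLE_ENTRIES)
FORGED = build_sample(SAMPLE_ENTRIES, key=0xDEADBEEF)

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE), ("forged", FORGED)):
        _, key, entries = parse_rich_header(blob)
        print(name, hex(key), entries, rich_header_is_consistent(blob))
```

A passing checksum only says the header was produced for these bytes; it cannot prove the listed tools actually built the code, which is why the comparison against the code itself described above still matters.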

On the other hand, it was also evident that the code could not be attributed to China because, as a rule, Chinese code is very recognizable and this was profoundly different.

So? If not China and not North Korea, then who?

A few months later, in a Kaspersky conference room, faced with this question, Soumenkov pulled a set of dice from a small black cloth bag. On the faces of the little black cubes were written words like Anonymous, Cybercriminals, Hacktivists, United States, China, Russia, Ukraine, Cyberterrorists, Iran. These were the famous attribution dice.

Kaspersky, like many other security companies, follows a strict policy of confining itself to stopping hacker attacks, without ever naming the country or government that may be behind them. But the attribution dice in Soumenkov's hand obviously expressed an exasperation with the attribution problem, namely that "no cyber attack can ever truly be traced back to its source, and anyone who tries is simply guessing".

Michael Matonis was working from home when he began pulling the threads that would unravel the Olympic Destroyer mystery. The 28-year-old former anarchist punk turned security investigator still didn't have a desk in FireEye's office. So when Matonis began examining the malware that had hit Pyeongchang, he was sitting in an improvised workspace: a folding metal chair with his laptop resting on a plastic table.

On a whim, Matonis decided to try a completely different approach from those who had analyzed it before. He looked for no clues in the malware code but began examining a much more mundane element of the operation: a fake, malicious Word document that had served as the first step in the almost disastrous sabotage campaign against the opening ceremony.

The document, which appeared to contain a list of VIP delegates to the games, had probably been emailed to the Olympics staff as an attachment. If someone opened it, a malicious script would run and install a backdoor on their PC, giving the hackers their first foothold on the target network. When Matonis pulled the document from VirusTotal, he saw that the lure had probably been sent to the Olympics staff in late November 2017, more than two months before the games began. The hackers had therefore entered the Olympic network months in advance in order to launch their attack.

Matonis tried to find matches for that sample by analyzing the documents in VirusTotal and in FireEye's databases. A first scan found nothing, but Matonis noticed that a few dozen malware-infected documents in the archives roughly matched his file's characteristics: Word macros built to launch PowerShell commands. Continuing the analysis, Matonis eventually found that the attempt to make the encoded files unique had instead turned them into a distinctly recognizable group. He soon discovered that behind the generation of these malicious files was an easily available online tool called the "Malicious Macro Generator".

Matonis speculated that the hackers had chosen the program to blend in with other malware authors, but in the end it had the opposite effect. He also noticed that the group of malicious macros was united by the author names extracted from their metadata. Most had been written by someone named "AV", "BD" or "John".

Among the files analyzed, Matonis found two other lure documents from 2017 that appeared to target Ukrainian LGBT activist groups, using infected files from fake gay-rights organizations. Others targeted Ukrainian companies and government agencies.

This, for Matonis, was familiar territory: for more than two years he had watched Russia launch a series of destructive hacking operations against Ukraine, a relentless cyber war that accompanied Russia's invasion after Ukraine's pro-Western revolution of 2014.

Even as that physical war killed 13,000 people in Ukraine and displaced millions, a Russian hacker group known as Sandworm waged a veritable cyberwar against Ukraine: it had crippled Ukrainian companies, government agencies, railways and airports with waves of intrusions that destroyed huge amounts of data, including two unprecedented breaches of Ukrainian electricity utilities in 2015 and 2016 that caused blackouts for hundreds of thousands of people. These attacks culminated in NotPetya, a malware that spread rapidly beyond Ukraine's borders and ultimately inflicted $10 billion in damage on global networks, the most expensive cyber attack in history.

At that point, in Matonis' mind, all the other suspects for the Olympic attack fell away. Matonis could not yet link the attack to a particular group of hackers, but only one country would have targeted Ukraine almost a year before the Pyeongchang attack, using the same infrastructure it would later use to hack the Olympics organizing committee, and it wasn't China or North Korea.

Oddly enough, other infected documents in Matonis' hands seemed to have the Russian real estate and business world as victims. Had a Russian hacker team been tasked with spying on some Russian oligarchs on behalf of its intelligence masters?

Regardless, Matonis had finally crossed the finish line, finding who was behind the 2018 Olympics cyber attack: the Kremlin.

"The Olympic Destroyer case was the first time anyone used false flags in a significant attack relevant to national security, and it offered a taste of what the conflicts of the future could look like."

There would still be a lot to say, but I think the best thing is to spend time reading Andy Greenberg's "Sandworm" which, as mentioned at the beginning, was the source for this story, and to understand, more and more, that each of us needs to widen our gaze and analyze security incidents in full to understand what really lies behind attacks that appear to be unconnected from one another.

Our security always depends on our willingness to study and understand events in depth and, to borrow a line from Bernard Baruch: Millions have seen the apple fall, but Newton was the one who wondered why.

Other sources: The Untold Story of NotPetya, the Most Devastating Cyberattack in History