The recent attack on the Winter Olympic Games has served as a reminder of an information security fundamental: attribution is hard, especially when that attribution results in different companies pointing fingers at different foreign groups, potentially leading to geopolitical repercussions.
Case in point: Hackers reportedly acting on behalf of the Russian government were recently posited as the group behind a unique computer virus that disrupted the opening ceremony of the 2018 Winter Olympics, according to The Washington Post.
Prior to the Olympics, cybersecurity firms McAfee and ThreatConnect found some evidence that a mysterious collection of hackers was targeting the Olympics by breaching related, third-party organizations that were connected to the event. CyberScoop also reported that the Olympics’ primary IT provider, Atos, was likely hacked months before the opening ceremony disruption.
Dubbed “Olympic Destroyer” by security researchers, the malware was littered with code fragments tied to past, known breaches caused by at least four different hacking groups. This bewildering combination of techniques and tools within Olympic Destroyer’s framework caused various cybersecurity companies to point the finger at either Russia, North Korea, Iran or China. Most of these early attributions, which were largely based on each company’s analysis of a few malware samples uploaded to the VirusTotal platform, have since been widely criticized for lacking sufficient evidence.
“Olympic Destroyer is an amazing example of false flags and attribution nightmare,” explained Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.
Details uncovered by The Washington Post, based on information provided to the paper by two unnamed U.S. intelligence officials, suggest that Russia’s GRU, or Main Intelligence Directorate, was responsible for Olympic Destroyer. Additionally, the Post story says Russia tried to make it look like North Korea was responsible for the attack.
While Russia was expected to attempt to interfere with the games, the news that Russian spies had specially tailored their destructive attack to instead appear as if it had come from North Korea is novel.
The cyberattack occurred during a crucial time period when world leaders were hoping to rebuild relations with their North Korean counterparts after years of heightened tension.
“We don’t know how or why the various artifacts which we have identified came to be associated with the malware,” said Martin Lee, a security research manager with Talos, Cisco’s cybersecurity unit. “The laying of false pistes to confuse analysts is a distinct possibility. However, we don’t know who was behind the attack, nor do we know their motivations. Keeping an open mind, and looking at the whole body of evidence before jumping to conclusions is a vital part of any analysis. In any investigation it is important to separate evidence from conjecture.”
Actively attempting to obfuscate an attack is far from revolutionary. But the effort falls in line with the long-running belief that some of the more advanced attack teams will purposefully leave fake clues to confuse investigators.
“Like the best whodunit mysteries we have a variety of evidence which points to a variety of different threat actors. However, the evidence is contradictory and just doesn’t allow us to unmask the villain,” Lee told CyberScoop. “Organizations need to be aware that there are a variety of threat actors active in the threat environment, all of whom may have the capability to conduct such an attack.”
In a new blog post published by Talos, researchers outlined how the attackers responsible for Olympic Destroyer could have taken steps to frame “Lazarus Group,” a hacking group often linked to North Korea. The technical explanation helps outline how the GRU may have taken measures to create a false flag operation.
Lazarus Group is widely understood to have breached a bank located in Bangladesh two years ago. They reportedly stole $81 million from the financial institution by compromising the SWIFT banking infrastructure that supports transactions between different banks. Some of the filenames attached to the malware used against the Bangladesh bank, first documented by BAE Systems, also appear in Olympic Destroyer. These filenames became public in 2016 when BAE Systems shared some of its findings at a security conference and then via a company blog post, making them available for anyone to pick up and reuse.
Another aspect of Olympic Destroyer that some researchers originally believed North Korea had developed is a “wiper” component in the malware, which forces infected computers to autonomously delete data. These types of attacks are often described as destructive because they destroy event and security logs as well as other files. With the Olympics, the malware used a wiper that contained some coding similarities to another wiper previously used by a subunit of Lazarus Group known as “Bluenoroff.”
“We believe this to be an intentionally misleading act,” Talos security researcher Craig Williams told CyberScoop in reference to the shared wiper code.
The Post story also mentions how the GRU leveraged North Korean IP addresses to further obfuscate their attacks, but security researchers told CyberScoop they were unfamiliar with this evidence.
While the injection of tactics and tools typically associated with North Korea into Olympic Destroyer is interesting, it was far from conclusive, said Juan Andrés Guerrero-Saade, a security researcher with Recorded Future. It’s unclear if these code-based false flags were sufficient to confuse any intelligence agency.
“This is nowhere near proof, but it is a clue, albeit weak,” Talos noted. “Now that we are potentially seeing malware authors placing multiple false flags, attribution based off malware samples alone has become even more difficult … The attack which we believe Olympic Destroyer to have been associated with was clearly an audacious attack, almost certainly conducted by a threat actor with a certain level of sophistication who did not believe that they would be easily identified and held accountable.”