Hackers targeted the upcoming 2018 Winter Olympics in a campaign that had all the hallmarks of a nation-state operation, according to the cybersecurity firm McAfee.
A slate of organizations involved with the Pyeongchang-based games received spearphishing emails beginning Dec. 22, 2017, and continuing until the end of the month. The attackers pretended to be with the South Korean National Counter-Terrorism Center.
The goal was to have targets open a malicious Microsoft Word document that would establish a backdoor on targeted machines so hackers could then take additional steps to steal data or completely take over a computer.
The Olympics are a major target for hackers because billions of dollars, as well as global geopolitical undertones, always run through the event. The South Korean organizing committee is spending 1.3 billion won ($1.2 million) on cybersecurity for the games.
“Overall, this is an example of something that happens fairly regularly with major events and the Olympics generally,” Betsy Cooper, head of the UC Berkeley Center for Long-Term Cybersecurity, told CyberScoop.
In 2017, Cooper authored a report on the cybersecurity of the Olympics that examined how the range of threats faced by the event is rapidly expanding.
South Korean officials have a particular eye toward threats from North Korea. Due to a tumultuous year on the Korean peninsula, cyber threats have increased significantly.
The targets of the December 2017 campaign included planning, direction and operational organizations behind the upcoming Pyeongchang Olympics.
“The hackers are interested in gaining a deeper insight than would be necessarily public knowledge,” Ryan Sherstobitoff, a senior analyst with McAfee Advanced Threat Research, told CyberScoop.
Sherstobitoff noted that the attackers used the tool Invoke-PSImage, released on Dec. 20, to hide code in the pixels of a hidden image file, which would then be decoded to reveal the malicious implant. The fact that attackers adapted, tested and deployed Invoke-PSImage so rapidly is an important point.
“That suggests the attacker is not a sole person but an organization that is interested in getting into these targets,” Sherstobitoff said. “Second of all, they’re leveraging the increased usage of fileless attacks which have been heavily used in the last year.”
At this point, there’s no telling which nation might have been behind the campaign. There are dozens of countries that regularly carry out this kind of action.
In August 2016, the World Anti-Doping Agency (WADA) was successfully hacked and had data publicly leaked in a campaign widely credited to Russian hackers. That campaign came amid the 2016 Summer Olympics, after it was revealed that Russian athletes engaged in a widespread, systemic and government-backed doping system.
The country was formally banned from the 2018 Winter Games.
With about one month left until the Olympics begin, experts are expecting more of the same.
“Similar attacks like this are possible in the coming month leading up to the Olympics,” Sherstobitoff said, “that might even be more full-scale operations with a lot more pieces moving to it.”