Threat Intelligence

Pyeongchang Olympic Games Targeted Cyber Attack

The Attack

On February 9, 2018, during the opening ceremony of the Pyeongchang Winter Olympics, the official Olympics website went down, Wi-Fi networks failed, and the ticketing system became unavailable. What initially appeared to be technical difficulties was later confirmed to be a deliberate cyber attack.

Olympic Destroyer Malware

Initial Access

The attack was initiated through spear-phishing emails targeting:

  • Olympics partner organizations
  • IT infrastructure providers
  • South Korean government agencies

Payload Analysis

Olympic Destroyer was designed as a destructive wiper:

  1. Credential theft: Used Mimikatz-derived code to harvest credentials
  2. Lateral movement: Spread via PsExec and WMI using stolen credentials
  3. Destruction:
     • Deleted shadow copies: vssadmin delete shadows /all /quiet
     • Disabled recovery: bcdedit /set {default} recoveryenabled No
     • Deleted backup catalog: wbadmin delete catalog -quiet
     • Overwrote the boot sector

Wiper Functionality

The destructive payload systematically:

  • Enumerated and stopped Windows services
  • Deleted event logs to cover tracks
  • Modified system files to prevent boot
  • Destroyed backup and recovery mechanisms
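The three recovery-destruction commands listed above are a reliable detection opportunity: individually each can be legitimate administration, but several of them running on one host within minutes is characteristic wiper behaviour. The following Python is an added example (not part of the original write-up or of any vendor tooling) that scans Sysmon Event ID 1 / Security 4688 style process-creation records and flags hosts where at least two distinct tampering commands appear inside a short window; the event records, host names and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the recovery tampering described above. Case-insensitive,
# and tolerant of the optional ".exe" suffix and variable whitespace.
RECOVERY_TAMPER_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "backup_catalog_deleted": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

def classify(command_line):
    """Return the label of the first tampering pattern matching the command line, else None."""
    for label, pattern in RECOVERY_TAMPER_PATTERNS.items():
        if pattern.search(command_line):
            return label
    return None

def detect_wiper_sequence(events, window=timedelta(minutes=5), min_distinct=2):
    """Group matching events per host and flag a host when at least `min_distinct`
    different tampering commands run within `window`. Returns {host: sorted labels}."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev["cmd"])
        if label:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), label))
    findings = {}
    for host, items in hits.items():
        items.sort()  # chronological order so each window starts at a real event
        for i, (t0, _) in enumerate(items):
            labels = {lab for t, lab in items[i:] if t - t0 <= window}
            if len(labels) >= min_distinct:
                findings[host] = sorted(labels)
                break
    return findings

# Constructed sample events (hypothetical hosts, not data from the real incident):
# one host shows the full chain, another a lone admin shadow-copy cleanup that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2018-02-09T20:01:10", "host": "WS-PRESS-07", "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2018-02-09T20:01:12", "host": "WS-PRESS-07", "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2018-02-09T20:01:15", "host": "WS-PRESS-07", "cmd": "wbadmin delete catalog -quiet"},
    {"ts": "2018-02-09T09:30:00", "host": "SRV-FILE-02", "cmd": "vssadmin delete shadows /for=D: /oldest"},
    {"ts": "2018-02-09T20:02:00", "host": "WS-TICKET-03", "cmd": r"notepad.exe C:\Users\ops\notes.txt"},
]

if __name__ == "__main__":
    for host, labels in detect_wiper_sequence(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: recovery tampering sequence -> {', '.join(labels)}")
```

Tune `window` and `min_distinct` to your environment; a single vssadmin call from a backup job is noise, while the full triple within seconds warrants isolating the host.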

False Flag Operations

Olympic Destroyer stands out for its sophisticated false flag techniques:

Attribution Confusion

The malware contained deliberate misdirection:

  1. North Korean indicators: Code fragments similar to Lazarus Group tools
  2. Chinese indicators: Strings and techniques associated with APT3/APT10
  3. Russian indicators: Infrastructure overlaps with Fancy Bear operations

The Rich Header Trick

Most notably, the PE rich header of Olympic Destroyer samples was modified to match those of known Lazarus Group malware. This was a deliberate attempt to mislead researchers using rich header analysis for attribution.

Actual Attribution

Despite the false flags, security researchers and intelligence agencies eventually attributed the attack to:

  • GRU Unit 74455 (Sandworm Team) — the same group behind NotPetya
  • Confirmed by multiple intelligence agencies in 2020
  • Motivation likely related to the doping ban of Russian athletes from the Olympics

Technical Indicators

Execution Chain

Spear-phishing email
  → Macro-enabled document
    → Drops primary payload
      → Credential harvesting (Mimikatz)
        → Lateral movement (PsExec/WMI)
          → Wiper execution on all reached hosts

Persistence and Stealth

  • No persistence mechanism (designed for one-time destruction)
  • Anti-forensics: Event log deletion, timestomping
  • Encrypted strings to evade static analysis
  • Multi-stage payload to avoid sandbox detection

Impact

  • Official Olympics website offline for 12+ hours
  • Wi-Fi networks unavailable during opening ceremony
  • Ticketing system disrupted
  • Press center operations affected
  • Olympic app features disabled
  • Ceremonies were not significantly disrupted thanks to rapid incident response

Lessons Learned

For Major Events

  1. Expect targeted attacks: High-profile events attract state-sponsored threat actors
  2. Prepare incident response plans: The Olympics team's rapid response limited the damage
  3. Segment critical systems: Ensure ceremony systems are isolated from general IT

For Attribution

  1. False flags are real: State actors actively plant misleading indicators
  2. Don't rely on single indicators: Rich headers, strings, and TTPs can all be faked
  3. Multi-source intelligence: Combine technical, geopolitical, and human intelligence
  4. Take time for accurate attribution: Rushed attribution plays into false flag strategies

For Defense

  1. Email security: Advanced anti-phishing protection is critical
  2. Credential protection: Limit credential exposure and implement PAM
  3. Network segmentation: Contain lateral movement
  4. Backup and recovery: Maintain offline backups for rapid restoration
  5. Monitoring and detection: Deploy comprehensive EDR and SIEM

Conclusion

Olympic Destroyer demonstrated the growing sophistication of state-sponsored cyber operations, particularly in the realm of false flag operations. The attack was notable not just for its destructive impact but for the lengths to which the attackers went to mislead attribution efforts.