Russia’s Notorious History of Hacking the Olympic Games
As the world eagerly anticipates the upcoming Olympic Games in Paris, it’s crucial to address a persistent and increasingly sophisticated threat: cyberattacks. Russia, in particular, has a notorious history of targeting the Olympics with various forms of cyber aggression. In this article, we will look at Russia’s frankly very checkered past when it comes to hacking the games and provide tips on how to protect your organization during the 2024 Olympics.
Olympic Destroyer
One attack that’s gone down in hacker history, known as Olympic Destroyer, targeted the 2018 Winter Olympics in Pyeongchang, South Korea.
Three months ahead of the games starting, hundreds of members of the organizing committee and others involved in the preparation for the games got an email with the subject “List of Delegates” and an attached zip file with a Word document inside it. When opened, the document showed only garbled text, along with a helpful button at the top – Enable Content. Clicking it executed a PowerShell script that downloaded and executed a malware program, which installed a backdoor, and also presumably fixed the garbled text. Amongst the recipients were mailboxes at two IT firms that supplied servers and networking for the games.
Then, on February 9th, 2018, the opening ceremony started, and at about the same time the worms planted on computers inside the Olympic network woke up. Each worm scanned the system it had been planted on for browser and network credentials, used these to log on to other systems, and repeated the same process there, quickly spreading throughout the closed network. Once the credentials had been exfiltrated, the malware wiped the Boot Configuration Data, specifically targeting Active Directory Domain Controllers (DCs), crashing them and making them unbootable.
The IT staff at the Technology Operation Center for the games were fortunately prepared, and within a short amount of time they’d worked around the missing DCs, bringing up Wi-Fi access and internet-connected TVs just before the opening ceremony concluded. They then spent the rest of the night fighting the malware, severing the connection between the Olympic network and the internet, and by the next morning they’d eradicated the malware from the network, allowing the games to proceed.
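As an added example (not code from the original article or from Hornetsecurity), the following Python shows the kind of attachment check an email gateway can apply to the delivery vector described above: open a zip attachment, find Office documents inside it, and flag any OOXML document that carries a vbaProject.bin part. The archives it inspects are constructed in memory; legacy OLE .doc files are reported for manual review rather than parsed.

```python
import io
import zipfile

OFFICE_EXT = (".doc", ".docm", ".docx", ".dot", ".dotm",
              ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx")

def has_vba_project(office_bytes):
    # OOXML files are zips; a vbaProject.bin part (word/, xl/ or ppt/) means embedded VBA.
    try:
        with zipfile.ZipFile(io.BytesIO(office_bytes)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return None  # legacy OLE binary format or not a document: needs a different parser

def inspect_attachment(zip_bytes, max_members=50):
    # Return [(member name, has_macro)] for every Office document inside the zip attachment.
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist()[:max_members]:   # cap work per attachment
            if info.filename.lower().endswith(OFFICE_EXT):
                findings.append((info.filename, has_vba_project(outer.read(info))))
    return findings

def verdict(findings):
    # block: VBA present; review: a document this parser cannot inspect; allow: nothing of note
    macros = [m for _, m in findings]
    if any(m is True for m in macros):
        return "block"
    return "review" if any(m is None for m in macros) else "allow"

# --- constructed test fixtures: toy archives built in memory, no real macro code involved ---
def make_ooxml(with_macro):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            doc.writestr("word/vbaProject.bin", bytes(16))  # placeholder bytes, not a VBA project
    return buf.getvalue()

def make_attachment(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr(name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    for label, att in (("macro", make_attachment("delegates.docm", make_ooxml(True))),
                       ("clean", make_attachment("agenda.docx", make_ooxml(False)))):
        print(label, verdict(inspect_attachment(att)))
```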
Once the dust had settled, investigators turned to the question of who was behind the attack. The obvious culprit was of course North Korea, and the initial forensics work on the malware found many similarities to previous North Korean malware, but this didn’t quite make sense: North Korea had actually reached out before the games, Kim Jong-un had sent his sister as a diplomatic emissary to the games, and the two countries had even combined their women’s hockey teams for the games.
The main clue as to the true source of the malware came from the Rich Header in the malware, which records information about the source files and build tools used to compile the program, and it matched exactly between this new malware and earlier samples of North Korean malware. Igor Soumenkov, a researcher at Kaspersky Labs, dug deeper into this match and it didn’t make sense to him: even a minor change in any of the source files results in a very different header, so the chance of an identical match should be slim. Analyzing Rich Headers isn’t normally part of forensic attribution for malware but proved crucial in this case. Further research confirmed his suspicion: the malware authors had swapped the Rich Header on purpose to point the finger at North Korea.
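The Rich Header analysis described above, as an added example (not the article’s or Kaspersky’s code): a Python parser that locates the DanS/Rich block between the DOS stub and the PE header, decodes the (comp id, count) entries, and recomputes the linker’s XOR key to see whether the stored key matches. The sample image is constructed and its comp ids are made up.

```python
import struct

MASK = 0xFFFFFFFF
DANS = struct.unpack("<I", b"DanS")[0]

def rol32(v, n):  # 32-bit rotate left by n mod 32
    return ((v << (n & 31)) | (v >> (32 - (n & 31)))) & MASK

def rich_checksum(data, dans_off, entries):
    # Key = DanS offset + rotated DOS-header bytes (e_lfanew skipped) + rotated comp ids
    cksum = dans_off
    for i in range(dans_off):
        if not 0x3C <= i < 0x40:
            cksum = (cksum + rol32(data[i], i)) & MASK
    for comp_id, count in entries:
        cksum = (cksum + rol32(comp_id, count)) & MASK
    return cksum

def parse_rich(data):
    # Return (dans_offset, key, [(comp_id, count), ...]) or None when no Rich header is found
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich = data.rfind(b"Rich", 0, e_lfanew)          # -1 when absent
    key = struct.unpack_from("<I", data, rich + 4)[0]
    pos = rich - 4                                   # walk back to "DanS" ^ key
    while pos >= 0x40 and struct.unpack_from("<I", data, pos)[0] != (DANS ^ key):
        pos -= 4
    if pos < 0x40:
        return None
    entries = [tuple(v ^ key for v in struct.unpack_from("<II", data, off))
               for off in range(pos + 16, rich, 8)]  # skip DanS + 3 padding dwords
    return pos, key, entries

def rich_header_is_consistent(data):
    parsed = parse_rich(data)
    return None if parsed is None else rich_checksum(data, parsed[0], parsed[2]) == parsed[1]
# Constructed sample (not a real PE): minimal MZ header + stub, made-up comp ids
SAMPLE_ENTRIES = [(0x00010000, 5), (0x00951F3A, 18), (0x01051F3A, 1)]

def build_sample(entries, forged_key=None):
    # forged_key simulates a Rich header whose stored key no longer matches its contents
    head = bytearray(b"MZ") + bytes(0x7E)
    key = rich_checksum(head, len(head), entries) if forged_key is None else forged_key
    body = struct.pack("<4I", DANS ^ key, key, key, key) + b"".join(
        struct.pack("<II", cid ^ key, cnt ^ key) for cid, cnt in entries)
    body += b"Rich" + struct.pack("<I", key)
    body += bytes(-len(body) % 16)
    struct.pack_into("<I", head, 0x3C, len(head) + len(body))   # e_lfanew
    return bytes(head) + body + b"PE\0\0"
```

A matching key only rules out crude tampering: a header transplanted whole from a binary with the same DOS stub carries a valid key, so the decoded tool versions still have to be compared with what the code itself reveals about the compiler.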
The real culprits were discovered by noting the IP address and URL that the initial stages of the malware (remember that zipped Word document?) communicated with for command and control (C2), which turned out to be identical to the URL used in an attack on the election systems in Illinois and Arizona in the run-up to the 2016 US election (200,000 voters’ data was stolen). And there it was: the attacks on the 2016 US elections had already been attributed to Russia, so Russia was behind this attack as well and had tried to point the finger at the North Koreans. They just forgot the golden rule of operational security – don’t reuse infrastructure between operations – as it’ll eventually lead to accurate attribution.
The Original Hack
The “hack” that started it all was the doping scandal, in which RUSADA, the Russian Anti-Doping Agency, was facilitating the cheating rather than stopping it. After the 2010 Winter Olympics (Russia didn’t win “enough” medals), Vitaly Stepanov, who was working at RUSADA and had realized the magnitude of the cheating, tried to get the World Anti-Doping Agency (WADA) to take notice, but without much luck.
He and his wife eventually found a German journalist who took their story seriously, and they broke it in a 2014 TV documentary. Finally, WADA looked at the allegations, investigated and found mass doping, which was followed by a ban by the International Olympic Committee on Russia’s participation in the 2018 Winter Olympics, a ban which still stands today.
Paris 2024 Olympics – Russia’s next target
In addition to 2018, Russia targeted anti-doping officials and organizations around the 2016 games in Rio and the 2020 games in Tokyo.
Several prominent cyber security firms assess that cyber-attacks and disinformation campaigns are ramping up ahead of the games next month; Microsoft has published two reports on the activity, and Mandiant has published its own.
Hornetsecurity’s Security Lab assesses that there are two main risks for the Paris games: destructive attacks against IT infrastructure for the games (including athletes, the International Olympic Committee, payment and ticketing systems and physical infrastructure), and disinformation campaigns. The most brazen example of disinformation is a fake documentary named Olympics has Fallen (a play on the 2013 movie) which uses Tom Cruise’s likeness to discredit the International Olympic Committee and advance Russian disinformation.
Given the ongoing war in Ukraine, expect tie-ins to the games from Russia to also be designed to weaken the resolve of the support across Europe for Ukraine.
How to Protect Your Organization During the 2024 Paris Olympics
Employees can be your company’s weakest link in cybersecurity, or its best line of defense. During the 2024 Paris Olympics, the risk of phishing emails and other cyber scams will be higher than ever. Training your team to recognize these threats is crucial in managing cyber risks. Our Security Awareness Service offers automated, customized training solutions to ensure your employees are always prepared. Learn more about how it can help keep your organization safe here.
Our next-gen email hygiene solutions will be vigilant in stopping phishing attempts that use the games as lures – a favorite not only with Russia’s intelligence agencies (as we saw in 2018) but also with common criminals. Any popular event or societal occasion is used to increase the likelihood that victims will be compromised. Phishing themes will be along the lines of “free tickets to see this game here” (catering to greed), “your tickets have been cancelled due to a clerical error” (anger) and “terrorist attack at game stadium likely” (fear), along with many other “creative” varieties.
If you’re a business involved in or supporting the Paris Olympics, it’s very important that you raise your threat awareness in light of the expected activity from Russia (and others). We might also see DDoS attacks against various entities involved in supporting the games.
Conclusion
Are you prepared for the games? For sports enthusiasts this question brings up long viewing marathons, cheering on your favorite country and celebrating exceptional athletic prowess. For cyber defenders, that question has a totally different meaning – so, are you ready?
FAQ
The “Olympic Destroyer” attack targeted the 2018 Winter Olympics in Pyeongchang. Hackers sent emails with malware-infected attachments to organizers. The malware spread through the network, causing disruptions, particularly during the opening ceremony. The attack was later attributed to Russian hackers, who initially tried to blame North Korea.
Russia’s doping scandal involved RUSADA, the country’s anti-doping agency, which facilitated widespread cheating. Vitaly Stepanov, a whistleblower, exposed this with his wife through a German journalist. This led to investigations by WADA and a ban on Russia from participating in the 2018 Winter Olympics, a ban that remains today.
The 2024 Paris Olympics face potential threats from Russian cyber-attacks. Risks include destructive attacks on IT infrastructure, phishing emails targeting attendees and participants, and disinformation campaigns. Businesses involved in the Olympics are advised to enhance their cybersecurity measures and train employees to recognize and respond to these threats.