{
	"id": "b6dd260e-bb67-43af-a163-15922d722ea7",
	"created_at": "2026-04-06T01:29:58.414059Z",
	"updated_at": "2026-04-10T03:38:19.133176Z",
	"deleted_at": null,
	"sha1_hash": "130ef3b6a86e4f82dbbbce3a3c9458ddd84fba95",
	"title": "Inside Olympic Destroyer, the Most Deceptive Hack in History",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3945663,
	"plain_text": "Inside Olympic Destroyer, the Most Deceptive Hack in History\r\nBy Andy Greenberg, Excerpt\r\nPublished: 2019-10-17 · Archived: 2026-04-06 00:25:21 UTC\r\nJust before 8 pm on February 9, 2018, high in the northeastern mountains of South Korea, Sang-jin Oh was sitting\r\non a plastic chair a few dozen rows up from the floor of Pyeongchang's vast, pentagonal Olympic Stadium. He\r\nwore a gray and red official Olympics jacket that kept him warm despite the near-freezing weather, and his seat,\r\nbehind the press section, had a clear view of the raised, circular stage a few hundred feet in front of him. The 2018\r\nWinter Olympics opening ceremony was about to start.\r\nAs the lights darkened around the roofless structure, anticipation buzzed through the 35,000-person crowd, the\r\nglow of their phone screens floating like fireflies around the stadium. Few felt that anticipation more intensely\r\nthan Oh. For more than three years, the 47-year-old civil servant had been director of technology for the\r\nPyeongchang Olympics organizing committee. He'd overseen the setup of an IT infrastructure for the games\r\ncomprising more than 10,000 PCs, more than 20,000 mobile devices, 6,300 Wi-Fi routers, and 300 servers in two\r\nSeoul data centers.\r\nThat immense collection of machines seemed to be functioning perfectly—almost. Half an hour earlier, he'd\r\ngotten word about a nagging technical issue. The source of that problem was a contractor, an IT firm from which\r\nthe Olympics were renting another hundred servers. The contractor's glitches had been a long-term headache. 
Oh's\r\nresponse had been annoyance: Even now, with the entire world watching, the company was still working out its\r\nbugs?\r\nhttps://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/\r\nPage 1 of 19\n\nAndy Greenberg is a WIRED senior writer. This story is excerpted from his book Sandworm, to be\r\npublished on November 5, 2019.\r\nThe data centers in Seoul, however, weren't reporting any such problems, and Oh's team believed the issues with\r\nthe contractor were manageable. He didn't yet know that they were already preventing some attendees from\r\nprinting tickets that would let them enter the stadium. So he'd settled into his seat, ready to watch a highlight of his\r\ncareer unfold.\r\nTen seconds before 8 pm, numbers began to form, one by one, in projected light around the stage, as a choir of\r\nchildren's voices counted down in Korean to the start of the event:\r\n“Sip! … Gu! … Pal! … Chil!”\r\nIn the middle of the countdown, Oh's Samsung Galaxy Note8 phone abruptly lit up. He looked down to see a\r\nmessage from a subordinate on KakaoTalk, a popular Korean messaging app. The message shared perhaps the\r\nworst possible news Oh could have received at that exact moment: Something was shutting down every domain\r\ncontroller in the Seoul data centers, the servers that formed the backbone of the Olympics' IT infrastructure.\r\nAs the opening ceremony got underway, thousands of fireworks exploded around the stadium on cue, and dozens\r\nof massive puppets and Korean dancers entered the stage. Oh saw none of it. He was texting furiously with his\r\nstaff as they watched their entire IT setup go dark. He quickly realized that what the partner company had reported\r\nwasn't a mere glitch. It had been the first sign of an unfolding attack. 
He needed to get to his technology\r\noperations center.\r\nAs Oh made his way out of the press section toward the exit, reporters around him had already begun complaining\r\nthat the Wi-Fi seemed to have suddenly stopped working. Thousands of internet-linked TVs showing the\r\nceremony around the stadium and in 12 other Olympic facilities had gone black. Every RFID-based security gate\r\nleading into every Olympic building was down. The Olympics' official app, including its digital ticketing function,\r\nwas broken too; when it reached out for data from backend servers, they suddenly had none to offer.\r\nThe Pyeongchang organizing committee had prepared for this: Its cybersecurity advisory group had met 20 times\r\nsince 2015. They'd conducted drills as early as the summer of the previous year, simulating disasters like\r\ncyberattacks, fires, and earthquakes. But now that one of those nightmare scenarios was playing out in reality, the\r\nfeeling, for Oh, was both infuriating and surreal. “It's actually happened,” Oh thought, as if to shake himself out of\r\nthe sense that it was all a bad dream.\r\nOnce Oh had made his way through the crowd, he ran to the stadium's exit, out into the cold night air, and across\r\nthe parking lot, now joined by two other IT staffers. 
They jumped into a Hyundai SUV and began the 45-minute\r\ndrive east, down through the mountains to the coastal city of Gangneung, where the Olympics' technology\r\noperations center was located.\r\nFrom the car, Oh called staffers at the stadium and told them to start distributing Wi-Fi hot spots to reporters and\r\nto tell security to check badges manually, because all RFID systems were down. But that was the least of their\r\nworries. Oh knew that in just over two hours the opening ceremony would end, and tens of thousands of athletes,\r\nvisiting dignitaries, and spectators would find that they had no Wi-Fi connections and no access to the Olympics\r\napp, full of schedules, hotel information, and maps. The result would be a humiliating confusion. If they couldn't\r\nrecover the servers by the next morning, the entire IT backend of the organizing committee—responsible for\r\neverything from meals to hotel reservations to event ticketing—would remain offline as the actual games got\r\nunderway. And a kind of technological fiasco that had never before struck the Olympics would unfold in one of\r\nthe world's most wired countries.\r\nOh arrived at the technology operations center in Gangneung by 9 pm, halfway into the opening ceremony.\r\nThe center consisted of a large open room with desks and computers for 150 staffers; one wall was covered with\r\nscreens. When he walked in, many of those staffers were standing, clumped together, anxiously discussing how to\r\nrespond to the attack—a problem compounded by the fact that they'd been locked out of many of their own basic\r\nservices, like email and messaging.\r\nAll nine of the Olympic staff's domain controllers, the powerful machines that governed which employee could\r\naccess which computers in the network, had somehow been paralyzed, crippling the entire system. 
The staff\r\ndecided on a temporary workaround: They set all the surviving servers that powered some basic services, such as\r\nWi-Fi and the internet-linked TVs, to bypass the dead gatekeeper machines. By doing so, they managed to bring\r\nthose bare-minimum systems back online just minutes before the end of the ceremony.\r\nOver the next two hours, as they attempted to rebuild the domain controllers to re-create a more long-term, secure\r\nnetwork, the engineers would find again and again that the servers had been crippled. Some malicious presence in\r\ntheir systems remained, disrupting the machines faster than they could be rebuilt.\r\nA few minutes before midnight, Oh and his administrators reluctantly decided on a desperate measure: They\r\nwould cut off their entire network from the internet in an attempt to isolate it from the saboteurs who they figured\r\nmust still have maintained a presence inside. That meant taking down every service—even the Olympics' public\r\nwebsite—while they worked to root out whatever malware infection was tearing apart their machines from within.\r\nFor the rest of the night, Oh and his staff worked frantically to rebuild the Olympics' digital nervous system. By 5\r\nam, a Korean security contractor, AhnLab, had managed to create an antivirus signature that could help Oh's staff\r\nvaccinate the network's thousands of PCs and servers against the mysterious malware that had infected them, a\r\nmalicious file that Oh says was named simply winlogon.exe.\r\nAt 6:30 am, the Olympics' administrators reset staffers' passwords in hopes of locking out whatever means of\r\naccess the hackers might have stolen. Just before 8 that morning, almost exactly 12 hours after the cyberattack on\r\nthe Olympics had begun, Oh and his sleepless staffers finished reconstructing their servers from backups and\r\nbegan restarting every service.\r\nAmazingly, it worked. 
The day's skating and ski jumping events went off with little more than a few Wi-Fi\r\nhiccups. R2-D2-style robots puttered around Olympic venues, vacuuming floors, delivering water bottles, and\r\nprojecting weather reports. A Boston Globe reporter later called the games “impeccably organized.” One USA\r\nToday columnist wrote that “it's possible no Olympic Games have ever had so many moving pieces all run on\r\ntime.” Thousands of athletes and millions of spectators remained blissfully unaware that the Olympics' staff had\r\nspent its first night fighting off an invisible enemy that threatened to throw the entire event into chaos.\r\nIllustration: Joan Wong\r\nWithin hours of the attack, rumors began to trickle out into the cybersecurity community about the glitches that\r\nhad marred the Olympics' website, Wi-Fi, and apps during the opening ceremony. Two days after the ceremony,\r\nthe Pyeongchang organizing committee confirmed that it had indeed been the target of a cyberattack. But it\r\nrefused to comment on who might have been behind it. Oh, who led the committee's response, has declined to\r\ndiscuss any possible source of the attack with WIRED.\r\nThe incident immediately became an international whodunit: Who would dare to hack the Olympics? The\r\nPyeongchang cyberattack would turn out to be perhaps the most deceptive hacking operation in history, using the\r\nmost sophisticated means ever seen to confound the forensic analysts searching for its culprit.\r\nThe difficulty of proving the source of an attack—the so-called attribution problem—has plagued cybersecurity\r\nsince practically the dawn of the internet. 
Sophisticated hackers can route their connections through circuitous\r\nproxies and blind alleys, making it almost impossible to follow their tracks. Forensic analysts have nonetheless\r\nlearned how to determine hackers' identities by other means, tying together clues in code, infrastructure\r\nconnections, and political motivations.\r\nIn the past few years, however, state-sponsored cyberspies and saboteurs have increasingly experimented with\r\nanother trick: planting false flags. Those evolving acts of deception, designed to throw off both security analysts\r\nand the public, have given rise to fraudulent narratives about hackers' identities that are difficult to dispel, even\r\nafter governments announce the official findings of their intelligence agencies. It doesn't help that those official\r\nfindings often arrive weeks or months later, with the most convincing evidence redacted to preserve secret\r\ninvestigative techniques and sources.\r\nWhen North Korean hackers breached Sony Pictures in 2014 to prevent the release of the Kim Jong-un\r\nassassination comedy The Interview, for instance, they invented a hacktivist group called Guardians of Peace and\r\ntried to throw off investigators with a vague demand for “monetary compensation.” Even after the FBI officially\r\nnamed North Korea as the culprit and the White House imposed new sanctions against the Kim regime as\r\npunishment, several security firms continued to argue that the attack must have been an inside job, a story picked\r\nup by numerous news outlets—including WIRED.\r\nWhen state-sponsored Russian hackers stole and leaked emails from the Democratic National Committee and\r\nHillary Clinton's campaign in 2016, we now know that the Kremlin likewise created diversions and cover stories.\r\nIt invented a lone Romanian hacker named Guccifer 2.0 to take credit for the hacks; it also spread the rumors that\r\na murdered DNC staffer named Seth Rich had leaked the emails from inside the organization—and 
it distributed\r\nmany of the stolen documents through a fake whistle-blowing site called DCLeaks. Those deceptions became\r\nconspiracy theories, fanned by right-wing commentators and then-presidential candidate Donald Trump.\r\nThe deceptions generated a self-perpetuating ouroboros of mistrust: Skeptics dismissed even glaring clues of the\r\nKremlin's guilt, like Russian-language formatting errors in the leaked documents, seeing those giveaways as\r\nplanted evidence. Even a joint statement from US intelligence agencies four months later naming Russia as the\r\nperpetrator couldn't shake the conviction of disbelievers. They persist even today: In an Economist/YouGov poll\r\nearlier this year, only about half of Americans said they believed Russia interfered in the election.\r\nWith the malware that hit the Pyeongchang Olympics, the state of the art in digital deception took several\r\nevolutionary leaps forward. Investigators would find in its code not merely a single false flag but layers of false\r\nclues pointing at multiple potential culprits. And some of those clues were hidden deeper than any cybersecurity\r\nanalyst had ever seen before.\r\nFrom the start, the geopolitical motivations behind the Olympics sabotage were far from clear. The usual suspect\r\nfor any cyberattack in South Korea is, of course, North Korea. The hermit kingdom has tormented its capitalist\r\nneighbors with military provocations and low-grade cyberwar for years. In the run-up to the Olympics, analysts at\r\nthe cybersecurity firm McAfee had warned that Korean-speaking hackers had targeted the Pyeongchang Olympic\r\norganizers with phishing emails and what appeared to be espionage malware. At the time, McAfee analysts hinted\r\nin a phone call with me that North Korea was likely behind the spying scheme.\r\nBut there were contradictory signals on the public stage. 
As the Olympics began, the North seemed to be\r\nexperimenting with a friendlier approach to geopolitics. The North Korean dictator, Kim Jong-un, had sent his\r\nsister as a diplomatic emissary to the games and had invited South Korea's president, Moon Jae-in, to visit the\r\nNorth Korean capital of Pyongyang. The two countries had even taken the surprising step of combining their\r\nOlympic women's hockey teams in a show of friendship. Why would North Korea launch a disruptive cyberattack\r\nin the midst of that charm offensive?\r\nThen there was Russia. The Kremlin had its own motive for an attack on Pyeongchang. Investigations into doping\r\nby Russian athletes had led to a humiliating result in advance of the 2018 Olympics: Russia was banned. Its\r\nathletes would be allowed to compete but not to wear Russian flags or accept medals on behalf of their country.\r\nFor years in the lead-up to that verdict, a state-sponsored Russian hacker team known as Fancy Bear had been\r\nretaliating, stealing and leaking data from Olympics-related targets. Russia's exile from the games was exactly the\r\nsort of slight that might inspire the Kremlin to unleash a piece of disruptive malware against the opening\r\nceremony. If the Russian government couldn't enjoy the Olympics, then no one would.\r\nIf Russia had been trying to send a message with an attack on the Olympics' servers, however, it was hardly a\r\ndirect one. Days before the opening ceremony, it had preemptively denied any Olympics-targeted hacking. “We\r\nknow that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking\r\nattacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea,”\r\nRussia's Foreign Ministry had told Reuters. 
“Of course, no evidence will be presented to the world.”\r\nIn fact, there would be plenty of evidence vaguely hinting at Russia's responsibility. The problem, it would soon\r\nbecome clear, was that there seemed to be just as much evidence pointing in a tangle of other directions too.\r\nThree days after the opening ceremony, Cisco's Talos security division revealed that it had obtained a copy of\r\nOlympics-targeted malware and dissected it. Someone from the Olympics organizing committee or perhaps the\r\nKorean security firm AhnLab had uploaded the code to VirusTotal, a common database of malware samples used\r\nby cybersecurity analysts, where Cisco's reverse-engineers found it. The company published its findings in a blog\r\npost that would give that malware a name: Olympic Destroyer.\r\nIn broad outline, Cisco's description of Olympic Destroyer's anatomy called to mind two previous Russian\r\ncyberattacks, NotPetya and Bad Rabbit. As with those earlier attacks, Olympic Destroyer used a password-stealing\r\ntool, then combined those stolen passwords with remote access features in Windows that allowed it to spread\r\namong computers on a network. Finally, it used a data-destroying component to delete the boot configuration from\r\ninfected machines before disabling all Windows services and shutting the computer down so that it couldn't be\r\nrebooted. Analysts at the security firm CrowdStrike would find other apparent Russian calling cards, elements that\r\nresembled a piece of Russian ransomware known as XData.\r\nYet there seemed to be no clear code matches between Olympic Destroyer and the previous NotPetya or Bad\r\nRabbit worms. Although it contained similar features, they had apparently been re-created from scratch or copied\r\nfrom elsewhere.\r\nThe deeper analysts dug, the stranger the clues became. 
The data-wiping portion of Olympic Destroyer shared\r\ncharacteristics with a sample of data-deleting code that had been used not by Russia but by the North Korean\r\nhacker group known as Lazarus. When Cisco researchers put the logical structures of the data-wiping components\r\nside by side, they seemed to roughly match. And both destroyed files with the same distinctive trick of deleting\r\njust their first 4,096 bytes. Was North Korea behind the attack after all?\r\nThere were still more signposts that led in completely different directions. The security firm Intezer noted that a\r\nchunk of the password-stealing code in Olympic Destroyer matched exactly with tools used by a hacker group\r\nknown as APT3—a group that multiple cybersecurity firms have linked to the Chinese government. The company\r\nalso traced a component that Olympic Destroyer used to generate encryption keys back to a third group, APT10,\r\nalso reportedly linked to China. Intezer pointed out that the encryption component had never been used before by\r\nany other hacking teams, as far as the company's analysts could tell. Russia? North Korea? China? The more that\r\nforensic analysts reverse-engineered Olympic Destroyer's code, the further they seemed to get from arriving at a\r\nresolution.\r\nIn fact, all those contradictory clues seemed designed not to lead analysts toward any single false answer but to a\r\ncollection of them, undermining any particular conclusion. The mystery became an epistemological crisis that left\r\nresearchers doubting themselves. “It was psychological warfare on reverse-engineers,” says Silas Cutler, a\r\nsecurity researcher who worked for CrowdStrike at the time. 
“It hooked into all those things you do as a backup\r\ncheck, that make you think ‘I know what this is.’ And it poisoned them.”\r\nThat self-doubt, just as much as the sabotage effects on the Olympics, seemed to have been the malware's true\r\naim, says Craig Williams, a researcher at Cisco. “Even as it accomplished its mission, it also sent a message to the\r\nsecurity community,” Williams says. “You can be misled.”\r\nThe Olympics organizing committee, it turned out, wasn't Olympic Destroyer's only victim. According to the\r\nRussian security firm Kaspersky, the cyberattack also hit other targets with connections to the Olympics, including\r\nAtos, an IT services provider in France that had supported the event, and two ski resorts in Pyeongchang. One of\r\nthose resorts had been infected seriously enough that its automated ski gates and ski lifts were temporarily\r\nparalyzed.\r\nIn the days after the opening ceremony attack, Kaspersky's Global Research and Analysis Team obtained a copy of\r\nthe Olympic Destroyer malware from one of the ski resorts and began dusting it for fingerprints. But rather than\r\nfocusing on the malware's code, as Cisco and Intezer had done, they looked at its “header,” a part of the file's\r\nmetadata that includes clues about what sorts of programming tools were used to write it. Comparing that header\r\nwith others in Kaspersky's vast database of malware samples, they found it perfectly matched the header of the\r\nNorth Korean Lazarus hackers' data-wiping malware—the same one Cisco had already pointed to as sharing traits\r\nwith Olympic Destroyer. The North Korean theory seemed to be confirmed.\r\nBut one senior Kaspersky researcher named Igor Soumenkov decided to go a step further. 
Soumenkov, a hacker\r\nprodigy who'd been recruited to Kaspersky's research team as a teenager years earlier, had a uniquely deep\r\nknowledge of file headers, and he decided to double-check his colleagues' findings.\r\nA tall, soft-spoken engineer, Soumenkov had a habit of arriving at work late in the morning and staying at\r\nKaspersky's headquarters well after dark—a partially nocturnal schedule that he kept to avoid Moscow traffic.\r\nOne night, as his coworkers headed home, he pored over the code at a cubicle overlooking the city's jammed\r\nLeningradskoye Highway. By the end of that night, the traffic had thinned, he was virtually alone in the office, and\r\nhe had determined that the header metadata didn't actually match other clues in the Olympic Destroyer code itself;\r\nthe malware hadn't been written with the programming tools that the header implied. The metadata had been\r\nforged.\r\nThis was something different from all the other signs of misdirection that researchers had fixated on. The other red\r\nherrings in Olympic Destroyer had been so vexing in part because there was no way to tell which clues were real\r\nand which were deceptions. But now, deep in the folds of false flags wrapped around the Olympic malware,\r\nSoumenkov had found one flag that was provably false. It was now clear that someone had tried to make the\r\nmalware look North Korean and failed due to a slipup. It was only through Kaspersky's fastidious triple-checking\r\nthat it came to light.\r\nA few months later, I sat down with Soumenkov in a Kaspersky conference room in Moscow. Over an hour-long\r\nbriefing, he explained in perfect English and with the clarity of a computer science professor how he'd defeated\r\nthe attempted deception deep in Olympic Destroyer's metadata. 
I summarized what he seemed to have laid out for\r\nme: The Olympics attack clearly wasn't the work of North Korea. “It didn't look like them at all,” Soumenkov\r\nagreed.\r\nAnd it certainly wasn't Chinese, I suggested, despite the more transparent false code hidden in Olympic Destroyer\r\nthat fooled some researchers early on. “Chinese code is very recognizable, and this looks different,” Soumenkov\r\nagreed again.\r\nFinally, I asked the glaring question: If not China, and not North Korea, then who? It seemed that the conclusion\r\nof that process of elimination was practically sitting there in the conference room with us and yet couldn't be\r\nspoken aloud.\r\n“Ah, for that question, I brought a nice game,” Soumenkov said, affecting a kind of chipper tone. He pulled out a\r\nsmall black cloth bag and took out of it a set of dice. On each side of the small black cubes were written words\r\nlike Anonymous, Cybercriminals, Hacktivists, USA, China, Russia, Ukraine, Cyberterrorists, Iran.\r\nKaspersky, like many other security firms, has a strict policy of only pinning attacks on hackers using the firm's\r\nown system of nicknames, never naming the country or government behind a hacking incident or hacker group—\r\nthe safest way to avoid the murky and often political pitfalls of attribution. But the so-called attribution dice that\r\nSoumenkov held in his hand, which I'd seen before at hacker conferences, represented the most cynical\r\nexaggeration of the attribution problem: That no cyberattack can ever truly be traced to its source, and anyone\r\nwho tries is simply guessing.\r\nSoumenkov tossed the dice on the table. “Attribution is a tricky game,” he said. “Who is behind this? 
It's not our\r\nstory, and it will never be.”\r\nMichael Matonis was working from his home, a 400-square-foot basement apartment in the Washington, DC,\r\nneighborhood of Capitol Hill, when he first began to pull at the threads that would unravel Olympic Destroyer's\r\nmystery. The 28-year-old, a former anarchist punk turned security researcher with a controlled mass of curly black\r\nhair, had only recently moved to the city from upstate New York, and he still didn't have a desk at the Reston,\r\nVirginia, office of FireEye, the security and private intelligence firm that employed him. So on the day in February\r\nwhen he started to examine the malware that had struck Pyeongchang, Matonis was sitting at his makeshift\r\nworkspace: a folding metal chair with his laptop propped up on a plastic table.\r\nOn a whim, Matonis decided to try a different approach from much of the rest of the perplexed security industry.\r\nHe didn't search for clues in the malware's code. Instead, in the days after the attack, Matonis looked at a far more\r\nmundane element of the operation: a fake, malware-laced Word document that had served as the first step in the\r\nnearly disastrous opening ceremony sabotage campaign.\r\nThe document, which appeared to contain a list of VIP delegates to the games, had likely been emailed to\r\nOlympics staff as an attachment. If anyone opened that attachment, it would run a malicious macro script that\r\nplanted a backdoor on their PC, offering the Olympics hackers their first foothold on the target network. When\r\nMatonis pulled the infected document from VirusTotal, the malware repository where it had been uploaded by\r\nincident responders, he saw that the bait had likely been sent to Olympics staff in late November 2017, more than\r\ntwo months before the games began. 
The hackers had lain in wait for months before triggering their logic bomb.\r\nMatonis began combing VirusTotal and FireEye's historical collection of malware, looking for matches to that\r\ncode sample. On a first scan, he found none. But Matonis did notice that a few dozen malware-infected documents\r\nfrom the archives corresponded to his file's rough characteristics: They similarly carried embedded Word macros\r\nand, like the Olympics-targeted file, had been built to launch a certain common set of hacking tools called\r\nPowerShell Empire. The malicious Word macro traps, however, looked very different from one another, with their\r\nown unique layers of obfuscation.\r\nOver the next two days, Matonis searched for patterns in that obfuscation that might serve as a clue. When he\r\nwasn't at his laptop, he'd turn the puzzle over in his mind, in the shower or lying on the floor of his apartment,\r\nstaring up at the ceiling. Finally, he found a telling pattern in the malware specimens' encoding. Matonis declined\r\nto share with me the details of this discovery for fear of tipping off the hackers to their tell. But he could see that,\r\nlike teenage punks who all pin just the right obscure band's buttons to their jackets and style their hair in the same\r\nshapes, the attempt to make the encoded files look unique had instead made one set of them a distinctly\r\nrecognizable group. He soon deduced that the source of that signal in the noise was a common tool used to create\r\neach one of the booby-trapped documents. It was an open source program, easily found online, called Malicious\r\nMacro Generator.\r\nMatonis speculated that the hackers had chosen the program in order to blend in with a crowd of other malware\r\nauthors, but it had ultimately had the opposite effect, setting them apart as a distinct set. 
Beyond their shared tools,\r\nthe malware group was also tied together by the author names Matonis pulled from the files' metadata: Almost all\r\nhad been written by someone named either “AV,” “BD,” or “john.” When he looked at the command and control\r\nservers that the malware connected back to—the strings that would control the puppetry of any successful\r\ninfections—all but a few of the IP addresses of those machines overlapped too. The fingerprints were hardly exact.\r\nBut over the next days, he assembled a loose mesh of clues that added up to a solid net, tying the fake Word\r\ndocuments together.\r\nOnly after he had established those hidden connections did Matonis go back to the Word documents that had\r\nserved as the vehicles for each malware sample and begin to Google-translate their contents, some written in\r\nCyrillic. Among the files he'd tied to the Olympic Destroyer bait, Matonis found two other bait documents from\r\nthe collection that dated back to 2017 and seemed to target Ukrainian LGBT activist groups, using infected files\r\nthat pretended to be a gay rights organization's strategy document and a map of a Kiev Pride parade. 
Others\r\ntargeted Ukrainian companies and government agencies with a tainted copy of draft legislation.\r\nThis, for Matonis, was ominously familiar territory: For more than two years, he and the rest of the security\r\nindustry had watched Russia launch a series of destructive hacking operations against Ukraine, a relentless\r\ncyberwar that accompanied Russia's invasion of the country after its pro-Western 2014 revolution.\r\nEven as that physical war had killed 13,000 people in Ukraine and displaced millions more, a Russian hacker\r\ngroup known as Sandworm had waged a full-blown cyberwar against Ukraine as well: It had barraged Ukrainian\r\ncompanies, government agencies, railways, and airports with wave after wave of data-destroying intrusions,\r\nincluding two unprecedented breaches of Ukrainian power utilities in 2015 and 2016 that had caused blackouts for\r\nhundreds of thousands of people. Those attacks culminated in NotPetya, a worm that had spread rapidly beyond\r\nUkraine's borders and ultimately inflicted $10 billion in damage on global networks, the most costly cyberattack\r\nin history.\r\nIn Matonis' mind, all other suspects for the Olympics attack fell away. Matonis couldn't yet connect the attack to\r\nany particular hacker group, but only one country would have been targeting Ukraine, nearly a year before the\r\nPyeongchang attack, using the same infrastructure it would later use to hack the Olympics organizing committee\r\n—and it wasn't China or North Korea.\r\nStrangely, other infected documents in the collection Matonis had unearthed seemed to target victims in the\r\nRussian business and real estate world. Had a team of Russian hackers been tasked with spying on some Russian\r\noligarch on behalf of their intelligence taskmasters? 
Were they engaged in profit-focused cybercrime as a side gig?\r\nRegardless, Matonis felt that he was on his way to finally, definitively cutting through the Olympics cyberattack's\r\nfalse flags to reveal its true origin: the Kremlin.\r\nIllustration: Joan Wong\r\nAfter Matonis had made those first, thrilling connections between Olympic Destroyer and a very familiar set of\r\nRussian hacking victims, he sensed he had explored beyond the part of Olympic Destroyer that its creators had\r\nintended for researchers to see—that he was now peering behind its curtain of false flags. He wanted to find out\r\nhow much further he could go toward uncovering those hackers' full identities. So he told his boss that he wouldn't\r\nbe coming into the FireEye office for the foreseeable future. For the next three weeks, he barely left his bunker\r\napartment. He worked on his laptop from the same folding chair, with his back to the only window in his home\r\nthat allowed in sunlight, poring over every data point that might reveal the next cluster of the hackers' targets.\r\nA pre-internet-era detective might start a rudimentary search for a person by consulting phone books. Matonis\r\nstarted digging into the online equivalent, the directory of the web's global network known as the Domain Name\r\nSystem. DNS servers translate human-readable domains like facebook.com into the machine-readable IP\r\naddresses that describe the location of a networked computer that runs that site or service, like 69.63.176.13.\r\nMatonis began painstakingly checking every IP address his hackers had used as a command and control server in\r\ntheir campaign of malicious Word document phishing; he wanted to see what domains those IP addresses had\r\nhosted. 
Since those domain names can move from machine to machine, he also used a reverse-lookup tool to flip\r\nthe search—checking every name to see what other IP addresses had hosted it. He created a set of treelike maps\r\nconnecting dozens of IP addresses and domain names linked to the Olympics attack. And far down the branch of\r\none tree, a string of characters lit up like neon in Matonis' mind: account-loginserv.com.\r\nA photographic memory can come in handy for an intelligence analyst. As soon as Matonis saw the account-loginserv.com domain, he instantly knew he had seen it nearly a year earlier in an FBI “flash”—a short alert sent\r\nout to US cybersecurity practitioners and potential victims. This one had offered a new detail about the hackers\r\nwho, in 2016, had reportedly breached the Arizona and Illinois state boards of elections. These had been some of\r\nthe most aggressive elements of Russia's meddling in US elections: Election officials had warned in 2016 that,\r\nbeyond stealing and leaking emails from Democratic Party targets, Russian hackers had broken into the two states'\r\nvoter rolls, accessing computers that held thousands of Americans' personal data with unknown intentions.\r\nAccording to the FBI flash alert Matonis had seen, the same intruders had also spoofed emails from a voting\r\ntechnology company, later reported to be the Tallahassee, Florida-based firm VR Systems, in an attempt to trick\r\nmore election-related victims into giving up their passwords.\r\nMatonis drew up a jumbled map of the connections on a piece of paper that he slapped onto his refrigerator with\r\nan Elvis magnet, and marveled at what he'd found. 
Based on the FBI alert—and Matonis told me he confirmed the\r\nconnection with another human source he declined to reveal—the fake VR Systems emails were part of a phishing\r\ncampaign that seemed to have also used a spoofed login page at the account-loginserv.com domain he'd found in\r\nhis Olympic Destroyer map. At the end of his long chain of internet-address connections, Matonis had found a\r\nfingerprint that linked the Olympics attackers back to a hacking operation that directly targeted the 2016 US\r\nelection. Not only had he solved the whodunit of Olympic Destroyer's origin, he'd gone further, showing that the\r\nculprit had been implicated in the most notorious hacking campaign ever to hit the American political system.\r\nMatonis had, since he was a teenager, been a motorcycle fan. When he was just barely old enough to ride one\r\nlegally, he had scraped together enough money to buy a 1975 Honda CB750. Then one day a friend let him try\r\nriding his 2001 Harley-Davidson with an 1100 EVO engine. In three seconds, he was flying along a country road\r\nin upstate New York at 65 miles an hour, simultaneously fearing for his life and laughing uncontrollably.\r\nWhen Matonis had finally outsmarted the most deceptive malware in history, he says he felt that same feeling, a\r\nrush that he could only compare to taking off on that Harley-Davidson in first gear. He sat alone in his DC\r\napartment, staring at his screen and laughing.\r\nBy the time Matonis had drawn those connections, the US government had already drawn its own. 
The NSA and\r\nCIA, after all, have access to human spies and hacking abilities that no private-sector cybersecurity firm can rival.\r\nIn late February, while Matonis was still holed up in his basement apartment, two unnamed intelligence officials\r\ntold The Washington Post that the Olympics cyberattack had been carried out by Russia and that it had sought to\r\nframe North Korea. The anonymous officials went further, blaming the attack specifically on Russia's military\r\nintelligence agency, the GRU—the same agency that had masterminded the interference in the 2016 US election\r\nand the blackout attacks in Ukraine, and had unleashed NotPetya's devastation.\r\nBut as with most public pronouncements from inside the black box of the US intelligence apparatus, there was no\r\nway to check the government's work. Neither Matonis nor anyone else in media or cybersecurity research was\r\nprivy to the trail the agencies had followed.\r\nA set of US government findings that were far more useful and interesting to Matonis came months after his\r\nbasement detective work. On July 13, 2018, special counsel Robert Mueller unsealed an indictment against 12\r\nGRU hackers for engaging in election interference, laying out the evidence that they'd hacked the DNC and the\r\nClinton campaign; the indictment even included details like the servers they'd used and the terms they'd typed into\r\na search engine.\r\nDeep in the 29-page indictment, Matonis read a description of the alleged activities of one GRU hacker named\r\nAnatoliy Sergeyevich Kovalev. Along with two other agents, Kovalev was named as a member of GRU Unit\r\n74455, based in the northern Moscow suburb of Khimki in a 20-story building known as “the Tower.”\r\nThe indictment stated that Unit 74455 had provided backend servers for the GRU's intrusions into the DNC and\r\nthe Clinton campaign. 
But more surprisingly, the indictment added that the group had “assisted in” the operation\r\nto leak the emails stolen in those operations. Unit 74455, the charges stated, had helped to set up DCLeaks.com\r\nand even Guccifer 2.0, the fake Romanian hacker persona that had claimed credit for the intrusions and given the\r\nDemocrats' stolen emails to WikiLeaks.\r\nKovalev, listed as 26 years old, was also accused of breaching one state's board of elections and stealing the\r\npersonal information of some 500,000 voters. Later, he allegedly breached a voting systems company and then\r\nimpersonated its emails in an attempt to hack voting officials in Florida with spoofed messages laced with\r\nmalware. An FBI wanted poster for Kovalev showed a picture of a blue-eyed man with a slight smile and close-cropped, blond hair.\r\nThough the indictment didn't say it explicitly, Kovalev's charges described exactly the activities outlined in the\r\nFBI flash alert that Matonis had linked to the Olympic Destroyer attack. Despite all of the malware's\r\nunprecedented deceptions and misdirections, Matonis could now tie Olympic Destroyer to a specific GRU unit,\r\nworking at 22 Kirova Street in Khimki, Moscow, a tower of steel and mirrored glass on the western bank of the\r\nMoscow Canal.\r\nA few months after Matonis shared those connections with me, in late November of 2018, I stood on a snow-covered path that wound along that frozen waterway on the outskirts of Moscow, staring up at the Tower.\r\nI had, by then, been following the hackers known as Sandworm for two full years, and I was in the final stages of\r\nwriting a book that investigated the remarkable arc of their attacks. I had traveled to Ukraine to interview the\r\nutility engineers who'd twice watched their power grids' circuit breakers be flipped open by unseen hands. 
I'd\r\nflown to Copenhagen to speak with sources at the shipping firm Maersk who whispered to me about the chaos that\r\nhad unfolded when NotPetya paralyzed 17 of their terminals at ports around the globe, instantly shutting down the\r\nworld's largest shipping conglomerate. And I'd sat with analysts from the Slovakian cybersecurity firm ESET in\r\ntheir office in Bratislava as they broke down their evidence that tied all of those attacks to a single group of\r\nhackers.\r\nBeyond the connections in Matonis' branching chart and in the Mueller report that pinned the Olympics attack on\r\nthe GRU, Matonis had shared with me other details that loosely tied those hackers directly to Sandworm's earlier\r\nattacks. In some cases, they had placed command and control servers in data centers run by two of the same\r\ncompanies, Fortunix Networks and Global Layer, that had hosted servers used to trigger Ukraine's 2015 blackout\r\nand later the 2017 NotPetya worm. Matonis argued that those thin clues, on top of the vastly stronger case that all\r\nof those attacks were carried out by the GRU, suggested that Sandworm was, in fact, GRU Unit 74455. Which\r\nwould put them in the building looming over me that snowy day in Moscow.\r\nStanding there in the shadow of that opaque, reflective tower, I didn't know exactly what I hoped to accomplish.\r\nThere was no guarantee that Sandworm's hackers were inside—they may have just as easily been split between\r\nthat Khimki building and another GRU address named in the Mueller indictment, at 20 Komsomolskiy Prospekt, a\r\nbuilding in central Moscow that I'd walked by that morning on my way to the train.\r\nThe Tower, of course, wasn't marked as a GRU facility. 
It was surrounded by an iron fence and surveillance\r\ncameras, with a sign at its gate that read GLAVNOYE UPRAVLENIYE OBUSTROYSTVA VOYSK—roughly,\r\n“General Directorate for the Arrangement of Troops.” I guessed that if I dared ask the guard at that gate if I could\r\nspeak with someone from GRU Unit 74455, I was likely to end up detained in a room where I would be asked\r\nhard questions by Russian government officials, rather than the other way around.\r\nThis, I realized, might be the closest I had ever stood to Sandworm's hackers, and yet I could get no closer. A\r\nsecurity guard appeared on the edge of the parking lot above me, looking out from within the Tower's fence—\r\nwhether watching me or taking a smoke break, I couldn't tell. It was time for me to leave.\r\nI walked north along the Moscow Canal, away from the Tower, and through the hush of the neighborhood's snow-padded parks and pathways to the nearby train station. On the train back to the city center, I glimpsed the glass\r\nbuilding one last time, from the other side of the frozen water, before it was swallowed up in the Moscow skyline.\r\nIn early April of this year, I received an email via my Korean translator from Sang-jin Oh, the Korean official\r\nwho led the response to Olympic Destroyer on the ground in Pyeongchang. He repeated what he'd said all along—\r\nthat he would never discuss who might be responsible for the Olympics attack. He also noted that he and I\r\nwouldn't speak again: He'd moved on to a position in South Korea's Blue House, the office of the president, and\r\nwasn't authorized to take interviews. 
But in our final phone conversation months earlier, Oh's voice had still\r\nsmoldered with anger when he recalled the opening ceremony and the 12 hours he'd spent desperately working to\r\navert disaster.\r\n“It still makes me furious that, without any clear purpose, someone hacked this event,” he'd said. “It would have\r\nbeen a huge black mark on these games of peace. I can only hope that the international community can figure out\r\na way that this will never happen again.”\r\nEven now, Russia's attack on the Olympics still haunts cyberwar wonks. (Russia's foreign ministry didn't respond\r\nto multiple requests for comment from WIRED.) Yes, the US government and the cybersecurity industry\r\neventually solved the puzzle, after some initial false starts and confusion. But the attack set a new bar for\r\ndeception, one that might still prove to have disastrous consequences when its tricks are repeated or evolve\r\nfurther, says Jason Healey, a cyberconflict-focused researcher at the Columbia School for International and Public\r\nAffairs.\r\n“Olympic Destroyer was the first time someone used false flags of that kind of sophistication in a significant,\r\nnational-security-relevant attack,” Healey says. “It's a harbinger of what the conflicts of the future might look\r\nlike.”\r\nHealey, who worked in the George W. Bush White House as director for cyber infrastructure protection, says he\r\nhas no doubt that US intelligence agencies can see through deceptive clues that muddy attribution. He's more\r\nworried about other countries where a misattributed cyberattack could have lasting consequences. 
“For the folks\r\nthat can't afford CrowdStrike and FireEye, for the vast bulk of nations, attribution is still an issue,” Healey says.\r\n“If you can't imagine this with US and Russia, imagine it with India and Pakistan, or China and Taiwan, where a\r\nfalse flag provokes a much stronger response than even its authors intended, in a way that leaves the world\r\nlooking very different afterwards.”\r\nBut false flags work here in the US, too, argues John Hultquist, the director of intelligence analysis at FireEye and\r\nMatonis' former boss before Matonis left the firm in July. Look no further, Hultquist says, than the half of\r\nAmericans—or 73 percent of registered Republicans—who refuse to accept that Russia hacked the DNC or the\r\nClinton campaign.\r\nAs the 2020 election approaches, Olympic Destroyer shows that Russia has only advanced its deception\r\ntechniques—graduating from flimsy cover stories to the most sophisticated planted digital fingerprints ever seen.\r\nAnd if they can fool even a few researchers or reporters, they can sow even more of the public confusion that\r\nmisled the American electorate in 2016. “The question is one of audience,” Hultquist says. “The problem is that\r\nthe US government may never say a thing, and within 24 hours, the damage is done. The public was the audience\r\nin the first place.”\r\nThe GRU hackers known as Sandworm, meanwhile, are still out there. And Olympic Destroyer suggests they've\r\nbeen escalating not only their wanton acts of disruption but also their deception techniques. After years of crossing\r\none red line after another, their next move is impossible to predict. 
But when those hackers do strike again, they\r\nmay appear in a form we don't even recognize.\r\nSource photos: Getty Images; Maxim Shemetov/Reuters (building)\r\nFrom the book SANDWORM, by Andy Greenberg, to be published on November 5, 2019, by Doubleday, an\r\nimprint of the Knopf Doubleday Group, a division of Penguin Random House LLC. Copyright © 2019 by Andy\r\nGreenberg. Greenberg is a senior writer for WIRED.\r\nThis article appears in the November issue.\r\nSource: https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/"
	],
	"report_names": [
		"untold-story-2018-olympics-destroyer-cyberattack"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ed4c7e37-461f-40f1-ad43-6ad7e21b32bc",
			"created_at": "2022-10-25T16:07:24.303712Z",
			"updated_at": "2026-04-10T02:00:04.929134Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [],
			"source_name": "ETDA:TaskMasters",
			"tools": [
				"404-Input-shell web shell",
				"ASPXSpy",
				"ASPXTool",
				"AtNow",
				"DbxDump Utility",
				"HTran",
				"HUC Packet Transmit Tool",
				"Mimikatz",
				"NBTscan",
				"PortScan",
				"ProcDump",
				"PsExec",
				"PsList",
				"RemShell",
				"RemShell Downloader",
				"gsecdump",
				"jsp File browser",
				"nbtscan",
				"pwdump",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ae78ca3-8bc8-4d67-9df1-a85df250a8a0",
			"created_at": "2024-10-08T02:00:04.469211Z",
			"updated_at": "2026-04-10T02:00:03.726781Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [
				"BlueTraveller"
			],
			"source_name": "MISPGALAXY:TaskMasters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438998,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/130ef3b6a86e4f82dbbbce3a3c9458ddd84fba95.pdf",
		"text": "https://archive.orkl.eu/130ef3b6a86e4f82dbbbce3a3c9458ddd84fba95.txt",
		"img": "https://archive.orkl.eu/130ef3b6a86e4f82dbbbce3a3c9458ddd84fba95.jpg"
	}
}