{
	"id": "b5c84592-4277-4d41-9fea-084aae574e39",
	"created_at": "2026-04-06T00:09:46.94813Z",
	"updated_at": "2026-04-10T03:37:08.662134Z",
	"deleted_at": null,
	"sha1_hash": "74d729b136d338a1d28aed9d32bfb17315cdda1d",
	"title": "UK exposes series of Russian cyber attacks against Olympic and Paralympic Games",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48342,
	"plain_text": "UK exposes series of Russian cyber attacks against Olympic and\r\nParalympic Games\r\nBy Foreign, Commonwealth \u0026 Development Office\r\nPublished: 2020-10-19 · Archived: 2026-04-05 12:57:34 UTC\r\nRussia’s military intelligence service, the GRU, conducted cyber reconnaissance against officials and\r\norganisations at the 2020 Olympic and Paralympic Games due to take place in Tokyo this summer before they\r\nwere postponed, the UK has revealed today.\r\nThe targets included the Games’ organisers, logistics services and sponsors.\r\nThe attacks on the 2020 Summer Games are the latest in a campaign of Russian malicious cyber activity against\r\nthe Olympic and Paralympic Games.\r\nThe UK is confirming for the first time today the extent of GRU targeting of the 2018 Winter Olympic and\r\nParalympic Games in Pyeongchang, Republic of Korea.\r\nThe GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the\r\nopening ceremony of the 2018 Winter Games.\r\nIt went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games in 2018.\r\nThe GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the\r\nRepublic of Korea using VPNFilter.\r\nThe National Cyber Security Centre (NCSC) assesses that the incident was intended to sabotage the running of the\r\nWinter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers\r\nand networks.\r\nAdministrators worked to isolate the malware and replace the affected computers, preventing potential disruption.\r\nForeign Secretary Dominic Raab said:\r\nThe GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. 
We condemn\r\nthem in the strongest possible terms.\r\nThe UK will continue to work with our allies to call out and counter future malicious cyber attacks.\r\nThe UK has already acted against the GRU’s destructive cyber unit by working with international partners to\r\nimpose asset freezes and travel bans against its members through the EU cyber sanctions regime.\r\nToday (Monday 19 October), the US Department of Justice has announced criminal charges against Russian\r\nmilitary intelligence officers working for the GRU’s destructive cyber unit – also known by the codenames\r\nSandworm and VoodooBear – for conducting cyber attacks against the 2018 Winter Games and other cyber\r\nhttps://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games\r\nPage 1 of 4\n\nattacks, including the 2018 spear phishing attacks against the UK’s Defence Science and Technology Laboratory\r\n(DSTL).\r\nThe UK attributed the attacks against DSTL, which followed the Salisbury poisonings, to Russia in 2018.\r\nBackground\r\nThese cyber attacks were committed by the GRU’s Main Centre for Special Technologies, GTsST also known by\r\nits field post number 74455 and known in open source as:\r\nSandworm\r\nBlackEnergy Group\r\nTelebots\r\nVoodooBear\r\nIron Viking\r\nQuedagh\r\nElectrum\r\nIndustroyer\r\nG0034\r\nThe UK government is today confirming for the first time that the GRU unit known as GTsST or by its field post\r\nnumber 74455 were responsible for:\r\nGRU action\r\nUK government\r\nresponse\r\nWinter\r\nOlympics,\r\nFebruary\r\n2018\r\nGTsST actors launched a significant campaign against the Winter\r\nOlympic games, which included the use of Olympic Destroyer\r\nmalware. This malware targeted the Winter Olympic and Paralympic\r\nGames. NCSC assess that the intent behind the incident was almost\r\ncertainly sabotage as the malware was designed to wipe data from and\r\ndisable computers and networks. 
Disruption to the Winter Olympics\r\ncould have been greater if it had not been for administrators who\r\nworked to isolate the malware and replace affected computers. More\r\nbroadly, the GTsST actors targeted multiple entities across South Korea\r\n(and the world) which were linked with the Winter Olympics. This\r\nactivity utilised a range of capabilities known to be used by the GTsST.\r\nThis includes targeting of: officials, sponsors, a ski resort, official\r\nservice providers, and broadcasters\r\nThe UK\r\ngovernment is\r\npublicly exposing\r\nthis attack as the\r\nwork of the GRU\r\nfor the first time\r\ntoday\r\nThe UK government has previously publicly exposed that this unit of the GRU was responsible for:\r\nGRU action UK government response\r\nBlackEnergy,\r\nDecember 2015\r\nShut off part of Ukraine’s electricity grid, with 230,000\r\npeople losing power for between 1 – 6 hours\r\nUK government publicly\r\nexposed this attack as the\r\nwork of the GRU in February\r\n2020\r\nIndustroyer,\r\nDecember 2016\r\nShut off part of Ukraine’s electricity grid, also known\r\nas CrashOverride. It resulted in a fifth of Kyiv losing\r\npower for an hour. It is the first known malware\r\ndesigned specifically to disrupt electricity grids\r\nUK government publicly\r\nexposed this attack as the\r\nwork of the GRU in February\r\n2020\r\nNotPetya, June\r\n2017\r\nDestructive cyber attack targeting the Ukrainian\r\nfinancial, energy and government sectors and affecting\r\nother European and Russian businesses\r\nUK government publicly\r\nexposed this attack as the\r\nwork of the GRU in February\r\n2018. EU sanctioned the GRU\r\nunit for this attack in July\r\n2020\r\nBadRabbit,\r\nOctober 2017\r\nRansomware encrypted hard drives and rendered IT\r\ninoperable. 
This caused disruption including to the\r\nKyiv metro, Odessa airport, Russia’s central bank and\r\ntwo Russian media outlets\r\nUK government publicly\r\nexposed this attack as the\r\nwork of the GRU in October\r\n2018\r\nVPNfilter,\r\nOctober 2017\r\nVPNFILTER malware infected thousands of home and\r\nsmall business routers and network devices worldwide.\r\nThe infection potentially allowed attackers to control\r\ninfected devices, render them inoperable and intercept\r\nor block network traffic\r\nIn April 2018, the NCSC, FBI\r\nand Department for Homeland\r\nSecurity issued a joint\r\nTechnical Alert exposing that\r\nthe GRU was responsible\r\nDSTL, April\r\n2018\r\nThe GRU attempted to use its cyber capabilities to gain\r\naccess to the UK’s Defence and Science Technology\r\nLaboratory (DSTL) computer systems\r\nUK government publicly\r\nexposed this attack as the\r\nwork of the GRU in October\r\n2018\r\nFCO, March\r\n2018\r\nThe GRU attempted to compromise the UK Foreign\r\nand Commonwealth Office (FCO) computer systems\r\nvia a spearphishing attack\r\nUK government publicly\r\nexposed this attack as the\r\nwork of the GRU in October\r\n2018\r\nGeorgia, 28\r\nOctober 2019\r\nThe GRU carried out large scale disruptive cyber-attacks against Georgian web hosting providers that\r\nresulted in widespread defacement of websites,\r\nincluding sites belonging to the Georgian Government,\r\nUK government publicly\r\nexposed this attack as the\r\nwork of the GRU in February\r\n2020\r\ncourts, NGOs, media and businesses, and also\r\ninterrupted the service of several national broadcasters\r\nThe National Cyber Security Centre has assessed with high confidence that all of these attacks were almost\r\ncertainly (95%+) carried out by the unit known as the Main Centre for Special Technologies (GTsST) also 
known\r\nas Unit 74455 of the GRU.\r\nSee further details on the framework used by the UK government for all source intelligence assessments,\r\nincluding the probability yardstick.\r\nSource: https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"
	],
	"report_names": [
		"uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74d729b136d338a1d28aed9d32bfb17315cdda1d.pdf",
		"text": "https://archive.orkl.eu/74d729b136d338a1d28aed9d32bfb17315cdda1d.txt",
		"img": "https://archive.orkl.eu/74d729b136d338a1d28aed9d32bfb17315cdda1d.jpg"
	}
}