{
	"id": "40e1d6f8-a1cc-4e51-a44f-70283d4d5eeb",
	"created_at": "2026-04-06T00:07:15.426353Z",
	"updated_at": "2026-04-10T03:21:12.394569Z",
	"deleted_at": null,
	"sha1_hash": "cb74695657339a576ee68d1152f6d3337880d560",
	"title": "Olympic Destroyer Takes Aim At Winter Olympics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 555073,
	"plain_text": "Olympic Destroyer Takes Aim At Winter Olympics\r\nBy Warren Mercer\r\nPublished: 2018-02-12 · Archived: 2026-04-05 16:40:05 UTC\r\nMonday, February 12, 2018 08:16\r\nThis blog post is authored by Warren Mercer and Paul Rascagneres. Ben Baker and Matthew Molyett contributed\r\nto this post.\r\nUpdate 2/13 08:30 We have updated the information regarding the use of stolen credentials\r\nUpdate 2/12 12:00: We have updated the destructor section with action taken against mapped file shares\r\nSummary\r\nThe Winter Olympics this year is being held in Pyeongchang, South Korea. The Guardian, a UK Newspaper\r\nreported an article that suggested the Olympic computer systems suffered technical issues during the opening\r\nceremony. Officials at the games confirmed some technical issues to non-critical systems and they completed\r\nrecovery within around 12 hours. Sunday 11th February the Olympic games officials confirmed a cyber attack\r\noccurred but did not comment or speculate further.\r\nTalos have identified the samples, with moderate confidence, used in this attack. The infection vector is currently\r\nunknown as we continue to investigate. The samples identified, however, are not from adversaries looking for\r\ninformation from the games but instead they are aimed to disrupt the games. The samples analysed appear to\r\nperform only destructive functionality. There does not appear to be any exfiltration of data. Analysis shows that\r\nactors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample.\r\nThe destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs\r\nand trying to use PsExec \u0026 WMI to further move through the environment. 
This is something we have witnessed\r\npreviously with BadRabbit and Nyetya.\r\nOlympic Destroyer Workflow\r\nInitial stage\r\nThe initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that,\r\nwhen executed, drops multiple files on to the victim host. These files are embedded as resources (obfuscated).\r\nThese files are named using randomly generated file names; however, the hashes of the files when written to disk were\r\nthe same across multiple instances during our analysis. Currently we are not aware of the initial infection vector used.\r\nThis could have been delivered in a multitude of ways as it is simply a binary file.\r\nhttp://blog.talosintelligence.com/2018/02/olympic-destroyer.html\r\nPage 1 of 8\n\nTwo of the dropped files (the stealing modules) are executed with 2 arguments: 123 and a named pipe. The named\r\npipe is used as a communication channel between the initial stage and the dropped executable. This technique was\r\nused during BadRabbit \u0026 Nyetya.\r\nThe initial stage is responsible for propagation. The network discovery is performed using two techniques:\r\nBy checking the ARP table with the Windows API GetIPNetTable;\r\nBy WMI (using WQL) with the following request: \"SELECT ds_cn FROM ds_computer\". This request\r\nattempts to list all the systems within the current environment/directory. The network propagation is\r\nperformed using PsExec and WMI (via the Win32_Process class). Here is the code executed remotely:\r\nThe purpose is to copy the initial stage to the remote system in %ProgramData%\\%COMPUTERNAME%.exe\r\nand to execute it via a VBScript.\r\nTo perform the lateral movement, the malware needs credentials; it uses 2 stealers described in the next section:\r\nThe credentials have not been hardcoded into the binary by the attackers themselves. 
The malware dynamically\r\nupdates this list after using the password stealers. A new version of the binary is generated with the newly\r\ndiscovered credentials. This new binary is then used on newly infected systems via the propagation. This feature\r\nexplains why we discovered several samples with different sets of credentials that were collected from previously\r\ninfected systems.\r\nAs you can see, the domain the malware attempts to use is related to Pyeongchang 2018. We identified 44 individual\r\naccounts in the binary.\r\nDropped Files\r\nBrowser Credential Stealer\r\nOlympic Destroyer drops a browser credential stealer. The final payload is embedded in an obfuscated resource.\r\nTo be executed, the sample must have 2 arguments as mentioned previously. The stealer supports: Internet\r\nExplorer, Firefox and Chrome. The malware parses the registry and it queries the sqlite file in order to retrieve\r\nstored credentials. SQLite is embedded in the sample:\r\nSystem Credential Stealer\r\nIn addition to the browser credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer\r\nattempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz. Here is the output\r\nformat parsed by the initial stage:\r\nDestructor\r\nThe destructive portion of this malware starts during initial execution on the victim machine. The initial malware\r\nexecution results in multiple files written to disk, as discussed. Following this, the malware then continues on its\r\npath by beginning the malicious destruction element. 
By leveraging cmd.exe from the host, the malware first\r\ndeletes all possible shadow copies on the system using vssadmin:\r\nC:\\Windows\\system32\\cmd.exe /c c:\\Windows\\system32\\vssadmin.exe delete shadows /all /quiet\r\nNext, again leveraging cmd.exe execution on the host, we can see the author using wbadmin.exe. For those not\r\nfamiliar with wbadmin, this is the replacement for ntbackup on modern operating systems.\r\nC:\\Windows\\system32\\cmd.exe /c wbadmin.exe delete catalog -quiet\r\nThis step is executed to ensure that file recovery is not trivial - WBAdmin can be used to recover individual files,\r\nfolders and also whole drives so this would be a very convenient tool for a sysadmin to use in order to aid\r\nrecovery.\r\nThe next step the attacker takes in this destructive path is to again leverage cmd.exe, but this time to use bcdedit, a\r\ntool used for boot config data information, to ensure that the Windows recovery console does not attempt to repair\r\nanything on the host.\r\nC:\\Windows\\system32\\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedit /set {de\r\nThe attacker has now attempted to ensure that recovery is extremely difficult for any impacted hosts. To further\r\ncover their tracks, the System \u0026 Security Windows event logs are deleted, in an attempt to make any\r\nanalysis more difficult.\r\nC:\\Windows\\system32\\cmd.exe /c wevtutil.exe cl System\r\nC:\\Windows\\system32\\cmd.exe /c wevtutil.exe cl Security\r\nWiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. 
The\r\npurpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote\r\ndata.\r\nAdditionally, the destroyer disables all the services on the system:\r\nThe malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled:\r\nSpecifies that the service should not be started.\"\r\nAdditionally, the malware lists mapped file shares and for each share, it will wipe the writable files (using either\r\nuninitialized data or 0x00 depending on the file size). Finally, after modifying all the system configuration, the\r\ndestroyer shuts down the compromised system.\r\nLegitimate File\r\nAdditionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral\r\nmovement by using this legitimate tool from Microsoft. This is another example of an attacker leveraging\r\nlegitimate tools within their arsenal. Using legitimate tools like PsExec saves the adversary the time of writing\r\ntheir own tooling. A free alternative they can wrap up within their own malware is a much easier option in this\r\ninstance.\r\nConclusion\r\nWith destructive attacks like this, thought often has to be given to the nature of the attack. Disruption is\r\nthe clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after\r\nembarrassment of the Olympic committee during the opening ceremony.\r\nDisruption of services included the Olympic website being offline, meaning individuals could not print their\r\ntickets. 
The opening ceremony reporting was degraded due to WiFi failing for reporters on site.\r\nThe malware delivery mechanism is currently unknown which means the infection vector could be a multitude of\r\noptions, but, if the attacker already had access to the environment, this attack could have been carried out\r\nremotely. This would allow the actors to specifically pinpoint the moment of the opening ceremony and would\r\nallow them to control their time of impact.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with\r\nthis threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nOlympic Destroyer: edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\r\nBrowser Stealer: 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea (unpacked:\r\nab5bf79274b6583a00be203256a4eacfa30a37bc889b5493da9456e2d5885c7f )\r\nSystem Stealer: f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936 (unpacked\r\na7d6dcdf5ca2c426cc6c447cff76834d97bc1fdff2cd14bad0b7c2817408c334 )\r\nDestroyer: 
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85\r\nPsexec (legit): 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\r\nAdditional Olympic Destroyer:\r\nD934CB8D0EADB93F8A57A9B8853C5DB218D5DB78C16A35F374E413884D915016\r\nEDB1FF2521FB4BF748111F92786D260D40407A2E8463DCD24BB09F908EE13EB9\r\n3E27B6B287F0B9F7E85BFE18901D961110AE969D58B44AF15B1D75BE749022C2\r\n28858CC6E05225F7D156D1C6A21ED11188777FA0A752CB7B56038D79A88627CC\r\nSource: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
	],
	"report_names": [
		"olympic-destroyer.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb74695657339a576ee68d1152f6d3337880d560.pdf",
		"text": "https://archive.orkl.eu/cb74695657339a576ee68d1152f6d3337880d560.txt",
		"img": "https://archive.orkl.eu/cb74695657339a576ee68d1152f6d3337880d560.jpg"
	}
}