Olympic Destroyer Malware is Back to Wreak Havoc

Olympic Destroyer Malware is Back to Wreak Havoc

The notorious Olympic Destroyer malware which disrupted the last Winter Games has resurfaced, targeting several countries in Europe as well as Russia and Ukraine, according to Kaspersky Lab.

The Russian AV company warned that the latest activity could spell the start of new destructive malware campaigns from the group behind the threat.

“In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again,” the firm explained.

“However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.”

Phishing emails were used to infiltrate and map out target networks ahead of a destructive campaign which disrupted the Pyeongchang Olympics earlier this year, leading the firm to speculate that this new activity could lead to similar.

It warned all biochemical-threat prevention and research organizations in Europe to bolster their defenses and run unscheduled security audits.

It’s not clear what the link between these new targets is, with the group behind it considered “a master in the use of false flags.” However, Kaspersky Lab claimed the TTPs and operational security techniques used by the group “bear a certain resemblance” to Sofacy/Fancy Bear/APT28, the notorious Kremlin hacking outfit that disrupted the 2016 US presidential election.

“The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cyber-theft and another group or groups looking for espionage targets,” the vendor concluded.

“This could also be a result of cyber-attack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.”

Source: Information Security Magazine