Surprise: Norks not actually behind Olympic Destroyer malware outbreak – Kaspersky

Who framed Pyongyang, then, we wonder

By Iain Thomson in San Francisco

Posted in Security, 8th March 2018 18:49 GMT

A close analysis of the code that took down part of the 2018 Winter Olympics computer network reveals a cunning plan to seemingly falsely pin the blame on North Korea.

On the first day of the games in Pyeongchang, South Korea, the main website crashed, Wi-Fi networks around the events became unusable, and data was wiped from servers by malware later dubbed Olympic Destroyer. IT security outfits had warned of a cyber-assault looming before the event, after a phishing campaign was spotted, and the attack was beaten off rather quickly.

In the weeks that followed, several analyses suggested that the attack was the work of the North Korean state-sponsored hacking team known as the Lazarus Group. However, a study by Kaspersky Lab engineers suggests that Lazarus didn’t write the code, despite appearances to the contrary.

Vitaly Kamluk, head of the APAC research team at Kaspersky Lab, told the antivirus biz’s Security Analysts Summit this week that the misattribution was understandable. The data wiping part of Olympic Destroy looks, at first glance, exactly the same as the Lazarus Group wiper used in the Bluenoroff malware responsible for the $81m cyber-heist against the Central Bank of Bangladesh last year – even down to the header.

“We can say with 100 per cent confidence that the attribution to Lazarus is false,” he said.

But the wiper function’s Rich header, which contains some metadata, included hints to the development environment the code was written in. The Olympic Destroyer code showed it was developed using Visual Studio 10 and made to look as though the code was the same as the C++-written Bluenoroff.

“The only reasonable conclusion that can be made is that the Rich header in the wiper was deliberately copied from the Bluenoroff samples; it is a fake and has no connection with the contents of the binary,” Kaspersky's technical report on the matter states.

“It is not possible to completely understand the motives of this action, but we know for sure that the creators of Olympic Destroyer intentionally modified their product to resemble the Bluenoroff samples produced by the Lazarus group.”

So who did write the code? Kamluk said he didn’t know for sure, but that some of the methods of propagation and the VPNs used in the attack could link it to the Russian state-sponsored APT28 group.

Costin Raiu, Kaspersky’s director of global research and analysis, warned the conference that attribution is going to get tricky in the next couple of years. Security firms are building code databases that could automate the attribution of malware samples, but at the same time coders are getting smarter and we could see similar false flag operations in the future. ®

Sign up to our NewsletterGet IT in your inbox daily

52 Comments

More from The Register

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Medic! Orangeworm malware targets hospitals worldwide

Hacking campaign goes after care providers and equipment

Security bods liberate EITest malware slaves

Miscreants' command and control network traffic sent down sinkhole

Hey, govt hacker bod. Made some really nasty malware? Don't be upset if it returns to bite you

RSA 2018 Cough, cough, EternalBlue, cough, cough Wannacry, splutter, Stuxnet

Infosec brainiacs release public dataset to classify new malware using AI

Data is the secret sauce to advancing AI research

Crumbs! Crunchyroll distributed malware for a couple of hours

Anime-streamer is fine again, and disinfection is easy

Researchers create AI attacker to defeat AI malware defender

It's like Spy Vs Spy, but with neural network boffins

Slingshot malware uses cunning plan to find a route to sysadmins

Advanced router code has been in circulation for six years

'R2D2' stops disk-wipe malware before it executes evil commands

'Reactive Redundancy for Data Destruction Protection' stops the likes of Shamoon and Stonedrill before they hit 'erase'

Taiwanese cops give malware-laden USB sticks as prizes for security quiz

What was second prize? We think we'd rather have that