
First shots at South Korea could herald malware campaign of Olympic proportions

Russia, Norks and dog lovers all potential perps, say pundits

By John Leyden


A malware campaign has been unleashed against organisations involved with next month's Pyeongchang Winter Olympics.

An email[1] with a malicious Microsoft Word document attached was sent to a number of groups associated with the event, most of them targeting ice hockey organisations.

"The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script," security firm McAfee reported. "They also wrote custom PowerShell code to decode the hidden image and reveal the implant."
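The chain McAfee describes ends with an implant hidden inside an image fetched from a remote server. One cheap triage check a defender can run over image files pulled from proxy logs or mail gateways is to walk the PNG chunk structure and flag any bytes that sit after the IEND chunk, which is where a decoder script commonly looks for a payload. This is an added example and not McAfee's or the attackers' code; it assumes the payload is appended after IEND (the article does not say how the implant was hidden), and the sample PNG is constructed in the block.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> Optional[bytes]:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.

    Returns b"" for a clean PNG and None when the data is not a
    structurally valid PNG (wrong signature, truncated chunk, bad CRC,
    or no IEND), so callers can treat None as "inspect by other means".
    """
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + body + CRC
        if chunk_end > len(data):
            return None                            # truncated chunk
        (crc_stored,) = struct.unpack(">I", data[chunk_end - 4:chunk_end])
        if zlib.crc32(data[pos + 4:chunk_end - 4]) != crc_stored:
            return None                            # corrupted chunk
        pos = chunk_end
        if ctype == b"IEND":
            return data[pos:]                      # bytes after the image
    return None                                    # no IEND found


def build_png(extra: bytes = b"") -> bytes:
    """Constructed sample: a 1x1 8-bit greyscale PNG, optionally with
    `extra` bytes appended after IEND to simulate a hidden payload."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, grey
    idat = zlib.compress(b"\x00\x80")   # filter type 0 + one grey pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
            + chunk(b"IEND", b"") + extra)


def triage(data: bytes) -> str:
    """Verdict string suitable for a log line or alert field."""
    trailing = png_trailing_data(data)
    if trailing is None:
        return "not-a-valid-png"
    if trailing:
        return "suspicious: %d bytes after IEND" % len(trailing)
    return "clean"


if __name__ == "__main__":
    print(triage(build_png()))
    print(triage(build_png(b"<constructed fake implant>")))
```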

The attackers appear to be casting a wide net, with several South Korean organisations included in the spam run. The majority of these had some link to the Olympics, either by providing infrastructure or in a supporting role.

Global gatherings such as the Olympics, where world leaders, businesses and governmental organisations converge on one location, are a naturally attractive target for cyberspies. Travelling VIPs are also easier to target, using a variety of techniques, while they are abroad.

Threat intel firm Anomali warned that the malware incident is just a taste of what might be in store. South Korea is a frequent target of hacks, and North Korea, Russia and China might all look to exploit vulnerabilities when the world's focus is on the nation.

Using hotel Wi-Fi to spy on executives and people of interest is a likely scenario. DarkHotel and the Russian APT28 have both reportedly engaged in such shenanigans, and similar activity was associated with the Sochi Olympics in Russia four years ago.

Phishing lure techniques, such as links promising live streaming of Olympic events, could form the basis of attacks by regular cybercrooks slinging ransomware and other crud as well as spies.

Recent activity from Fancy Bear's Hack Team and other hacktivist groups might lead to campaigns directed against the International Olympic Committee (IOC) and the Olympics in general. This may be because of the decision to ban Russian athletes from participating under the national flag, something already attributed as the motive behind attacks against the World Anti-Doping Agency.

Last but not least, animal welfare groups could stage a protest and/or boycott over South Korea's dog and cat meat trade. Twitter chatter on this topic is already taking place and may be a harbinger of things to come, Anomali cautioned.

Many sponsors and partners of the games have already experienced hacks and this is another area of potential concern:

Some of the attacks have been attributed to Kimsuky (North Korea), RGB (North Korea), APT3 (China), and Nexus Zeta, Anomali said.

Bootnote

[1] The original file name was 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc ("Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics").
