First shots at South Korea could herald malware campaign of Olympic proportions
Russia, Norks and dog lovers all potential perps, say pundits
A malware campaign has been unleashed against organisations involved with next month's Pyeongchang Winter Olympics.
An email1 with a malicious Microsoft Word document attached was sent to a number of groups associated with the event, most of them targeting ice hockey organisations.
"The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script," security firm McAfee reported. "They also wrote custom PowerShell code to decode the hidden image and reveal the implant."
The attackers appear to be casting a wide net, with several South Korean organisations included in the spam run. The majority of these had some link to the Olympics, either by providing infrastructure or in a supporting role.
Global gatherings such as the Olympics – where world leaders, businesses and governmental organisations converge on one location – make them a naturally attractive target for cyberspies. Travelling VIPs can be easier to target when they are abroad using a variety of techniques.
Threat intel firm Anomali warned that the malware incident is a just a taste of what might be in store. South Korea is a frequent target of hacks and North Korea, Russia and China might all look to exploit vulnerabilities when the world's focus is on the nation.
Using hotel Wi-Fi to spy on executives and people of interest is a likely scenario. DarkHotel and the Russian APT28 have both reportedly engaged in such shenanigans and similar activity was associated with the Sochi Olympics in Russia four years ago.
Phishing lure techniques, such as links promising live streaming of Olympic events, could form the basis of attacks by regular cybercrooks slinging ransomware and other crud as well as spies.
Recent activity from Fancy Bear's Hack Team and other hacktivist groups might lead to campaigns directed against the International Olympic Committee (IOC) and the Olympics in general. This may be because of the decision to ban Russian athletes from participating under the national flag, something already attributed as the motive behind attacks against the World Anti-Doping Agency.
Last but not least, animal welfare groups could stage a protest and/or boycott over South Korea's dog and cat meat trade. Twitter chatter on this topic is already taking place and may be a harbinger of things to come, Anomali cautioned.
Many sponsors and partners of the games have already experienced hacks and this is another area of potential concern:
- Huawei products propagated the "Satori botnet" (variant of Mirai IoT malware)
- Hanjin Group file exposures in 2014 and 2016
- KORAIL government officials' smartphones were infected in 2016 and used to launch a larger attack
- A Hyundai app software vulnerability left vehicles potentially susceptible to theft for three months
Some of the attacks have been attributed to Kimsuky (North Korea), RGB (North Korea), APT3 (China), and Nexus Zeta, Anomali said.
1The original file name was 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc ("Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics").