First shots at South Korea could herald malware campaign of Olympic proportions

Russia, Norks and dog lovers all potential perps, say pundits

By John Leyden

Posted in Security, 8th January 2018 13:05 GMT

A malware campaign has been unleashed against organisations involved with next month's Pyeongchang Winter Olympics.

An email1 with a malicious Microsoft Word document attached was sent to a number of groups associated with the event, most of them targeting ice hockey organisations.

"The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script," security firm McAfee reported. "They also wrote custom PowerShell code to decode the hidden image and reveal the implant."

The attackers appear to be casting a wide net, with several South Korean organisations included in the spam run. The majority of these had some link to the Olympics, either by providing infrastructure or in a supporting role.

Global gatherings such as the Olympics – where world leaders, businesses and governmental organisations converge on one location – make them a naturally attractive target for cyberspies. Travelling VIPs can be easier to target when they are abroad using a variety of techniques.

Threat intel firm Anomali warned that the malware incident is a just a taste of what might be in store. South Korea is a frequent target of hacks and North Korea, Russia and China might all look to exploit vulnerabilities when the world's focus is on the nation.

Using hotel Wi-Fi to spy on executives and people of interest is a likely scenario. DarkHotel and the Russian APT28 have both reportedly engaged in such shenanigans and similar activity was associated with the Sochi Olympics in Russia four years ago.

Phishing lure techniques, such as links promising live streaming of Olympic events, could form the basis of attacks by regular cybercrooks slinging ransomware and other crud as well as spies.

Recent activity from Fancy Bear's Hack Team and other hacktivist groups might lead to campaigns directed against the International Olympic Committee (IOC) and the Olympics in general. This may be because of the decision to ban Russian athletes from participating under the national flag, something already attributed as the motive behind attacks against the World Anti-Doping Agency.

Last but not least, animal welfare groups could stage a protest and/or boycott over South Korea's dog and cat meat trade. Twitter chatter on this topic is already taking place and may be a harbinger of things to come, Anomali cautioned.

Many sponsors and partners of the games have already experienced hacks and this is another area of potential concern:

Some of the attacks have been attributed to Kimsuky (North Korea), RGB (North Korea), APT3 (China), and Nexus Zeta, Anomali said.


1The original file name was 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc ("Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics").

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Winter Olympics website downed by cyber attack

Updated There was nothing to see here, but please move along, nothing to see here...

Winter Olympics 5G isn't real 5G, says Qualcomm, that won't land until 2019

Chipmaker names 18 carriers who'll get real with 5G real soon now, promise

Olympics bans GIFs

Tokyo rebrands 2020 Olympics

LOGOWATCH New logos trade 'plagiarism' for 'elegance and sophistication'

Phisherfolk phlock to Rio for the Olympics

Virtually, that is. Zeus trojan ported to bash Brazil banks

Irish Olympics' officials digital devices seized in Rio

Phones and laptops taken amid Games' tickets investigation

Russian gay dating app dev: We've been BLOCKED just DAYS before Winter Olympics

Threats issued to 'Russian Grindr' users and 72k profiles deleted, says exec

Ex-Prez Bush, Cheney sued for email, phone spying during Olympics

Former mayor of Salt Lake City personally heads class-action lawsuit over winter games

Now the Olympics is over, Theranos is withdrawing its Zika test application

Medical unicorn spins FDA concerns as a 'positive interaction'

Micro Anvika goes titsup after Olympics fails to save its shops

Calls in the receivers, keeps biz open in bid to sell it as going concern