The Olympic Destroyer malware behind an attack on the 2018 Winter Olympic Games in Seoul resurfaced with new targets in its sights: financial organizations and biological and chemical threat prevention laboratories, according to new research from Kaspersky Lab.
Olympic Destroyer was first spotted back in February as a cyberattack on the Olympics’ opening ceremony intent on destroying systems and disrupting the games–hence the name. At the time security researchers at Cisco Talos said the malware caused some technical issues to non-critical systems and administrators were able to complete recovery in about 12 hours.
Now Olympic Destroyer is back, and it seems attackers have set their sights on much more vulnerable targets, with the potential to do far more damage than merely shutting down the Olympics, researchers said.
“Our experts recently found traces of activity similar to Olympic Destroyer, but this time they are targeting financial organizations in Russia, and biological and chemical-threat-prevention laboratories in the Netherlands, Germany, France, Switzerland and Ukraine,” according to a blog post by Kaspersky’s Nikolay Pankov.
Specifically, researchers identified a new breed of spear-phishing attacks containing documents, with payloads resembling tools of the original Olympic Destroyer, Pankov wrote. The samples identified include a non-binary executable infection vector and obfuscated scripts to evade detection. That suggests the malware’s creator is likely the same group of attackers that staged the attempted Olympics sabotage.
Master of deception
While the worm itself has not yet reared its ugly head, the documents researchers identified thus far appear to be a part of some kind of reconnaissance stage, which also is similar to previous attempts at sabotage, Pankov said.
Kaspersky revealed more technical details of the samples they identified in a blog post on Securelist, the company’s cyberthreat research and reports site.
“The attackers behind Olympic Destroyer forged automatically generated signatures, known as Rich Header, to make it look like the malware was produced by Lazarus APT, an actor widely believed to be associated with North Korea,” according to the post on Securelist. “The deceptive behavior of Olympic Destroyer, and its excessive use of various false flags, which tricked many researchers in the infosecurity industry, got our attention.”
For this reason, Kaspersky researchers continued to track the group, resulting in its recognition of similar deceptive tendencies in the new malware, researchers said.
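The forged Rich Header the Securelist quote describes can be checked for internal consistency by a defender. The example below is added here and is not code from Kaspersky, Securelist or the Olympic Destroyer analysis: it parses the Rich header of a PE file and recomputes the checksum that the Microsoft linker stores as the header's XOR key, which, by the linker's documented construction, is a sum over the DOS header/stub bytes and the decoded entries. A Rich header transplanted from another binary (which is what a Lazarus false flag requires) will usually carry a key that no longer matches the host file's DOS stub. The sample PE fragment, the product-ID/build values and all function names are constructed for this example.

```python
import struct

RICH_MAGIC = b"Rich"
DANS_MAGIC = 0x536E6144          # "DanS" as a little-endian DWORD


def rol32(value, count):
    """32-bit rotate left; the linker uses x86 ROL, so only the low 5 bits of count matter."""
    count &= 31
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(dos_region, entries):
    """Recompute the checksum that the linker stores as the XOR key.

    dos_region: the file from offset 0 up to (not including) the DanS marker.
    entries:    list of (compid, count) pairs, already XOR-decoded.
    Bytes 0x3C-0x3F (e_lfanew) are excluded from the sum by the linker's algorithm.
    """
    csum = len(dos_region)
    for i, b in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        csum = (csum + rol32(compid, count)) & 0xFFFFFFFF
    return csum


def parse_rich_header(data):
    """Locate and decode the Rich header; returns None if absent or malformed."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(RICH_MAGIC, 0, e_lfanew)
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    # Walk backwards one DWORD at a time until we hit DanS ^ key.
    off = rich_off - 4
    while off >= 0:
        if struct.unpack_from("<I", data, off)[0] ^ key == DANS_MAGIC:
            break
        off -= 4
    else:
        return None
    dans_off = off
    entries = []
    pos = dans_off + 16            # skip DanS plus three padding DWORDs
    while pos + 8 <= rich_off:
        compid, count = struct.unpack_from("<II", data, pos)
        entries.append((compid ^ key, count ^ key))
        pos += 8
    return {
        "dans_offset": dans_off,
        "key": key,
        "entries": entries,
        "checksum": rich_checksum(data[:dans_off], entries),
    }


def rich_header_is_consistent(data):
    """True when the stored XOR key equals the recomputed checksum."""
    hdr = parse_rich_header(data)
    return hdr is not None and hdr["key"] == hdr["checksum"]


# Constructed sample entries: (product id << 16 | build number, object count).
SAMPLE_ENTRIES = [(0x00830000 | 0x7809, 5), (0x00930000 | 0x7809, 12), (0x00010000, 100)]


def build_sample_pe(entries, forge_key=None):
    """Build a minimal MZ stub + Rich header + 'PE\\0\\0' fragment (constructed, not a real binary).

    With forge_key=None the key is computed honestly. Passing a key simulates a
    Rich header copied from another binary, whose key does not match this stub.
    """
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x40:0x4E] = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # usual DOS stub start
    key = rich_checksum(bytes(dos), entries) if forge_key is None else forge_key
    rich = bytearray(struct.pack("<IIII", DANS_MAGIC ^ key, key, key, key))
    for compid, count in entries:
        rich += struct.pack("<II", compid ^ key, count ^ key)
    rich += RICH_MAGIC + struct.pack("<I", key)
    rich += b"\x00" * (-len(rich) % 16)                      # pad to 16 bytes, as linkers do
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(rich))  # e_lfanew points past the Rich header
    return bytes(dos) + bytes(rich) + b"PE\x00\x00"


if __name__ == "__main__":
    genuine = build_sample_pe(SAMPLE_ENTRIES)
    forged = build_sample_pe(SAMPLE_ENTRIES, forge_key=0x1337C0DE)
    for name, blob in (("genuine", genuine), ("forged", forged)):
        hdr = parse_rich_header(blob)
        print(f"{name}: key={hdr['key']:#010x} checksum={hdr['checksum']:#010x} "
              f"consistent={rich_header_is_consistent(blob)}")
```

A matching checksum is necessary but not sufficient: a forger who recomputes the key for the host file passes this test, so the check is one indicator to combine with others, such as whether the toolchain the Rich entries claim agrees with the linker version recorded in the PE optional header and with the compiler artifacts actually present in the code.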
New targets be warned
However, more than the fact that the attackers–wherever they may be–are still active, it is the targets of the new attacks that are the real news in the latest findings, Pankov wrote.
“Our analysis of the decoy letters shows that this time, the cyber-criminals are trying to infiltrate biological- and chemical-threat-prevention laboratories,” he said. “Among their new targets are also Russian financial organizations–although the financial focus may be just another false flag.”
Moreover, the documents also contain references to a conference held in Switzerland for biochemical-threat researchers called “Spiez Convergence,” suggesting intent to stage attacks against this industry. The sponsor of the Spiez Convergence, Spiez Laboratory, investigated the poisoning of infamous Russian double-agent Sergei Skripal and his daughter Yulia.
While typically security experts advise clients to be mindful about opening suspicious documents if they know of imminent spear-phishing attacks, Pankov wrote that this time that type of defense just won’t work because “the documents are not suspicious.”
“Decoys created for this spear-phishing attack are tailored to be relevant to the victim,” he said.
That said, Kaspersky is advising that biochemical-threat-prevention and -research companies and organizations in Europe run unscheduled security audits to give themselves the best chance at thwarting any attack. They also recommend installing protective solutions from security vendors–such as the company itself, natch–to detect and destroy malware before it can do harm to a system.