Olympic Destroyer, the destructive malware that hit the 2018 Winter Olympics in Pyeongchang earlier this year, has returned to infect new victims in Europe and Russia.
Kaspersky Lab researchers said they detected new infections in May and June 2018 targeting financial institutions in Russia as well as biological and chemical threat prevention laboratories in Europe and Ukraine.
Although the previous campaign was a sabotage operation rather than a financially motivated one, Olympic Destroyer’s new campaign may have more to do with stealing money. According to Kaspersky’s researchers, many of the malware’s victims are organizations from the financial sector in Russia. Germany, the Netherlands, France and Switzerland are among the other countries the malware is currently targeting.
The malware is delivered through malicious macro-enabled documents on a variety of topics, each paired with a decoy document to lure victims.
“According to metadata, the document was edited on June 14th. The Cyrillic messages inside this and previous documents are in perfect Russian, suggesting that it was probably prepared with the help of a native speaker and not automated translation software,” Kaspersky researchers noted. “Once the user enables macros, a decoy document is displayed, taken very recently from a Ukrainian state organization (the date inside indicates 11 June 2018). The text of the document is identical to the one on the official website of the Ukrainian Ministry of Health.”
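The two details the researchers relied on, whether the file carries a VBA project and what its core metadata says about creation and last-modification dates, can both be read straight out of an Office Open XML file without opening it in Word. The script below is an added example, not code from Kaspersky or from the original report: it builds a constructed, in-memory .docm (the contents are placeholders, not the real lure) and runs a small triage function over it. The file names and timestamps in the sample are assumptions for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed core-properties part. The dates are made up for the example; the
# 2018-06-14 modification date simply mirrors the kind of clue quoted above.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
 xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/"
 xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>user</dc:creator>
<dcterms:created xsi:type="dcterms:W3CDTF">2018-06-11T09:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2018-06-14T13:22:00Z</dcterms:modified>
</cp:coreProperties>"""

DCTERMS = "{http://purl.org/dc/terms/}"


def build_sample_docm(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML package in memory (hypothetical sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 compound file (magic D0 CF 11 E0);
            # only its presence matters for this triage check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Report whether an OOXML file embeds a VBA project and what its core
    metadata says about creation and modification times.

    Returns a dict with keys: is_ooxml, has_vba, created, modified.
    """
    result = {"is_ooxml": False, "has_vba": False, "created": None, "modified": None}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip container at all (could be legacy OLE2 .doc, or not Office).
        return result

    names = z.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    # Macro-enabled Word/Excel/PowerPoint files store VBA in a vbaProject.bin part.
    result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)

    if "docProps/core.xml" in names:
        # ElementTree does not fetch external entities, so parsing an untrusted
        # core.xml here does not introduce an XXE channel.
        root = ET.fromstring(z.read("docProps/core.xml"))
        for key in ("created", "modified"):
            node = root.find(DCTERMS + key)
            if node is not None and node.text:
                result[key] = node.text.strip()
    return result


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_ooxml(build_sample_docm(flag)))
```

A file that reports has_vba as True and a recent modification date is not proof of malice on its own, but it is exactly the pair of signals worth surfacing in mail-gateway or sandbox triage before a user is ever asked whether to enable macros.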
In February 2018, the Olympic Destroyer malware hit organizers, partners and suppliers of the Winter Olympics held in Pyeongchang, South Korea. The attack was preceded by a reconnaissance and infiltration campaign that identified the most vulnerable networks, which then served as launchpads from which the malware could cause the most damage.
The attack on the Winter Olympics was considered to be stealthy and deceptive. According to security researchers at Kaspersky Lab, the malware was designed to look like it was created by Lazarus - the prolific North Korean hacker group.
Various security researchers found code similarities with three Chinese hacker groups. Meanwhile, some of the code used by the malware resembled the leaked NSA EternalRomance exploit, while other code was found to be similar to the NotPetya and BadRabbit ransomware variants. Some of the tactics, techniques and procedures (TTPs) and operational security (opsec) used by the malware also mirrored the activities of the infamous Russian hacker group Fancy Bear.
“When it comes to false flags, mimicking TTPs is much harder than tampering with technical artefacts. It implies a deep knowledge of how the actor being mimicked operates as well as operational adaptation to these new TTPs,” Kaspersky researchers wrote in a blog. “However, it is important to remember that Olympic Destroyer can be considered a master in the use of false flags: for now we assess that connection with low to moderate confidence.”
The Pyeongchang attack itself was preceded by a reconnaissance stage launched in late 2017. Kaspersky researchers believe that the recent activity could be a similar reconnaissance campaign preceding a much larger cyber-sabotage stage aimed at paralyzing the targeted industries.
The researchers have advised all bio-chemical threat prevention agencies in Europe to bolster their security and regularly run security checks.
Given that the Olympic Destroyer malware targeted a variety of both financial and non-financial organizations in the recent campaign, researchers suggest that the malware may have been operated by more than one actor: one primarily focused on financial gain and the other on espionage.
“This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention,” Kaspersky researchers added.