Winter Olympics hit with cyber attack during opening ceremony

Officials confirm that issues during the Winter Olympics opening ceremony in PyeongChang were a caused by a cyber attack.

Officials confirmed that the 2018 Winter Olympics were hit with a cyber attack during the opening ceremony in PyeongChang on Friday.

The “servers were hacked by an unidentified attacker,” reported the South Korean publication Yonhap News.

At first, the attack caused internet protocol TVs to malfunction at the main press center. When organizers responded by shutting down servers to prevent more damage, it took down the Winter Olympics website. With the site down, attendees who had purchased reservations were unable to print their tickets. The Wi-Fi also went down in the PyeongChang Olympic stadium. It took about 12 hours before the website and other non-critical systems were fully restored.  

The drones, which were supposed to film the two-hour opening ceremony, also failed to deploy, reported Reuters, so prerecorded footage was used instead. It was unclear if the problems with drone deployment were related to the system issues caused by the attack. An International Olympic Committee (IOC) spokesman said, “Due to impromptu logistical changes it [drone deployment] did not proceed.”

On Saturday, Olympic Games spokesman Sung Baik-you said it was too early to confirm a cyber attack; instead, Sung would only say “some issues” affected “non-critical systems,” but those issues did not disrupt any event or impact the safety and security of athletes and spectators.

Cyber attack confirmed, but source not revealed

On Sunday, however, organizers confirmed the cyber attack but would not reveal the source of the attack.

“We know the cause of the problem, but that kind of issue occurs frequently during the Games,” Sung said. “We decided with the IOC we are not going to reveal the source" of the attack.

“Maintaining secure operations is our purpose,” said IOC spokesman Mark Adams. According to Reuters, Adams cited best international practices as the reason not to talk about the attack at this stage.

“We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure,” he said.

Russia, which was banned from the Games for doping, denied involvement in the attack, although there had been some evidence that Russian-backed hackers might have been planning an attack in retaliation for Russian's exclusion of the PyeongChang Games.

Days before the Games kicked off, Russia’s foreign ministry said, “We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea. Of course, no evidence will be presented to the world.”

Cyber threat warnings before the Winter Games started

In January, McAfee Advanced Threat Research discovered a spearphishing campaign targeting organizations involved with the Olympics. The PowerShell script used image stenography techniques in order to hide the first-stage implant.

At the start of February, US-CERT warned travelers to the Olympics that “cyber criminals may attempt to steal personally identifiable information or harvest users’ credentials for financial gain. There is also the possibility that mobile or other communications will be monitored.”

Shortly before the Games kicked off, McAfee added that the fileless attack it previously discovered “used a PowerShell implant that established a channel to the attacker’s server to gather basic system-level data. What was not determined at that time was what occurred after the attacker gained access to the victim’s system.”

The newest McAfee report included additional information about the Korean-language, data-gathering implant Gold Dragon. The researchers concluded:

The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed. The implants are delivered as a second stage once the attacker gains an initial foothold using fileless malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.

With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.

Related:

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)