Hackers have disrupted the Winter Olympics in Pyeongchang, and the world’s security experts are trying to determine if Russia is the culprit.
For about 45 minutes on Friday night, some Olympic computers and networks, including Wi-Fi systems, were hit with malicious software that targeted users with a @pyeongchang2018.com email address.
“We can confirm that the technology issues experienced on Friday night were caused by a cyber-attack,” Jihye Lee, a spokesperson for the 2018 games, said in a statement. No systems were affected, and organizers are still investigating, she said.
That the attack didn’t do more significant damage appears to be by design. Researchers at Cisco Talos who analyzed dozens of samples of the malware that affected Olympic computers called the software a “wiper” — malicious software designed to wipe a computer’s files — but said that it intentionally holds back from inflicting maximum damage. Instead of deleting all the files on a computer, it deleted only those related to booting up, meaning an average technician could repair the machine with relative ease. Researchers have never before seen that sort of restraint from that kind of malware.
“This could have been as destructive as this attacker potentially wanted it to be,” Warren Mercer, Talos’s technical leader, told BuzzFeed News.
“It’s a very interesting change of pace from other types of wiper malware,” said Craig Williams, the company’s senior technical leader. “I read this as the attacker was trying to send the victim a message — they’re clearly saying ‘I could have wiped your data, and I have full access to your systems, and I could have destroyed it, but instead I just kinda turned off your services, deleted your boot record, and turned your machine off.’”
The prime suspect for any hack during the Olympics is Russia, which was formally banned from competing in the 2018 games for its widespread, state-sponsored conspiracy to let its athletes get away with blood doping.
Lurking in systems for espionage purposes is common for countries with significant cyber capabilities, but one advanced hacker group, popularly called Fancy Bear or APT 28, has been involved in much more visible attacks and has in recent years hacked and leaked files from both the Democratic Party and the Olympic World Anti-Doping Association. The US intelligence community and a number of cybersecurity companies around the world assert that Fancy Bear is run by Russia’s GRU, its primary foreign intelligence service.
While there isn’t yet concrete evidence, there’s indication that Fancy Bear was responsible for the most recent attacks, said Adam Meyers, vice president of intelligence at CrowdStrike, the cybersecurity company that in 2016 originally identified the Russian government as behind the hack of the Democratic National Committee.
The malware that hit the 2018 Olympics was written on Dec. 27, Meyers said, and his team observed a Fancy Bear campaign in November and December that stole the credentials of users with Olympic-related email addresses and mapped out their owners’ networks. His team noticed other hackers going after Olympic-related targets in recent weeks, but only Fancy Bear had conducted such a campaign before that malware was written.
“There is a Fancy Bear campaign that lines up with the timeframe, but we don’t necessarily have any conclusive evidence,” Meyers said.
“We have anticipated an attack of some nature on the events for quite a while, particularly by a Russian actor,” John Hultquist, the director of analysis at cybersecurity firm FireEye, said in a statement to BuzzFeed News. “Actors like APT28 have unceasingly harassed organizations associated with the games, and the Russians have been increasingly willing to leverage destructive and disruptive attacks.”
Still, Hultquist said, his firm wasn’t prepared to attribute the malware to any known group.
In a preemptive statement on Wednesday — before the Olympic cyberattacks had actually taken place — the Russian Ministry of Foreign Affairs denied responsibility.
“We are aware that the Western Olympic Games in the Republic of Korea are based on pseudo-investigations that reveal the ‘Russian trace’ in hacking attacks on information resources,” the ministry said. “One gets the impression that a number of states have already grown accustomed to attributing all of their domestic political problems to Russia’s alleged cyber interference.”
The type of email address that CrowdStrike found Fancy Bear actors targeting in November and December was misrepresented in an earlier version of this story.