A hacker group, likely working on behalf of an unidentified government, has tried to take over the computers of dozens of South Koreans involved in the upcoming Winter Olympics, according to an analysis published this week by the cybersecurity firm McAfee.
The purpose of the cyberattack is unclear, but the targeting of multiple computers used by both participants and organizers of the 2018 Winter Olympic Games, which take place next month in the northeastern South Korean city of Pyeongchang, come during a time of high tension between North and South Korea, two nations known for their aggressiveness in hacking operations. The two sides agreed Friday to talks that are expected to include whether North Korea will send a delegation to the games.
Suspects include North Korea, China, and Russia, which is widely believed to have hacked and disseminated athletes’ medical files from the World Anti-Doping Agency in 2016 after some of its athletes were banned for cheating. Russia has been banned from the 2018 Olympics entirely.
Cyberespionage operations, in which a government casts a wide net against civilian targets to gather intelligence before an important geopolitical event, are not uncommon, but they often go undetected or unreported to the public.
This one, however, was initiated Dec. 28 when the hackers sent an email to firstname.lastname@example.org, an email address used to recruit temporary employees to help to manage hockey operations in Pyeongchang. The email address was spoofed to appear to come from South Korea’s National Counter-Terrorism Council, which has hosted counter-terrorism drills in Pyeongchang in preparation for the Olympics.
Attached was a Microsoft Word document that, once opened, instructs the user in Korean to “enable content,” which allows Word to run macros, or repeated tasks, and which is a common red flag that a Word file is malicious. Once enabled, the file runs script crafted to hide its tracks and creates an encrypted channel that allows the attacker to quietly run commands and install additional programs on the victim’s computer.
That email was also sent to at least 50 targets across South Korea, with a wide range of connections to the Olympics, said Ryan Sherstobitoff, a senior researcher at McAfee Advanced Threat Research, which obtained the email and released an analysis of it Monday.
That email was also sent to at least 50 Olympics-related targets across South Korea, Sherstobitoff, said. Recipients included ski resorts hosting competitions, a nearby airport, and government employees. It’s unclear how many recipients, if any, fell for it, or how many other people affiliated with the Pyeongchang games received similar emails.
“From what we can tell, they’re trying to potentially establish the ability to gather information on chatter, communications around the upcoming Olympics,” Sherstobitoff told BuzzFeed News.
“With any espionage activity, there’s a first stage reconnaissance to understand who is interesting, casting a wide net,” Sherstobitoff said.
McAfee declined to speculate who was behind the attack, save to say the attachment’s sophistication and the nature of its targets strongly indicate a nation-state directed it. Attributing any cyberattack can be a dicey proposition. Nation-state hacking groups often reuse tactics, and Sherstobitoff’s team has not previously identified activity clearly linked to this operation, indicating it’s a new tool or campaign.
Any number of countries could have the motivation for such an operation, said Adam Segal, director of the digital and cyber program at the Council on Foreign Relations.
“For North Koreans, motivations would range from wanting to know what was happening to planning for disruption if South Korea or US embarrass or pressure Pyongyang. Chinese I would guess intel gathering, mainly to avoid surprises,” he told BuzzFeed News.
“Russia [is] a possibility, given passed hacks of doping agencies,” he said. “Given previous attacks on sports infrastructure, [it] now seems routine.”
The name of the World Anti-Doping Agency was misstated in an earlier version of this post.