The advanced hacking group that sabotaged the Pyeongchang Winter Olympics in February has struck again, this time in attacks that targeted financial institutions in Russia and chemical- and biological-threat prevention labs in France, Switzerland, the Netherlands, and Ukraine, researchers said.
The new campaigns began last month with spear-phishing emails that were designed to infect targeted companies with malware that collected detailed information about their computers and networks.
Researchers from Moscow-based Kaspersky Lab said that documents in the phishing emails closely resemble those used to infect organizers, suppliers, and partners of the Winter Olympic Games in the months preceding the February Pyeongchang attack. Those initial infections allowed the attackers to spend months developing detailed knowledge of the networks supporting the games. One of the key reasons the malware dubbed Olympic Destroyer was so successful in disrupting the Olympics was that it used this knowledge to sabotage the networks. The discovery of a new phishing campaign by the same group raises the possibility that it, too, is reconnaissance intended to support new sabotage hacks.
“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives,” Kaspersky Lab researchers wrote in a blog post. “That is why it is important for all biochemical-threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.”
One of the similarities between the recent phishing campaigns and the ones leading up to Olympic Destroyer is a technique for obfuscating malicious PowerShell commands. It uses array-based rearranging to mutate the original code, and it protects all commands and strings, including the ones that carry the command-and-control server address. The documents in both spear-phishing campaigns also used a PowerShell-based command to implement a routine built on the RC4 cipher. Decryption relies on a hardcoded 32-byte key made up of characters from the ASCII hexadecimal alphabet.
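To make those two traits concrete, here is an added Python illustration (not code from the Kaspersky report or from the malware) of what an analyst does with such a document: statically resolve an array-rearranged string and strip the RC4 layer. The `('a','b')[1,0] -join ''` form is one common PowerShell rearranging idiom, assumed here for illustration; the 32-hex-digit key, the obfuscated stager line, and the hostname are all constructed samples, not indicators from the campaign.

```python
"""Static helpers for array-rearranged PowerShell strings and an RC4 layer
keyed with a 32-byte ASCII-hex string. Added illustration, not the report's code."""
import re

# Constructed sample key with the described shape (32 ASCII hex digits).
# Assumption: this is NOT the key used by the real documents.
SAMPLE_KEY = b"3f9a1c7e5b2d8046a1b2c3d4e5f60718"

# Constructed obfuscated stager line in the `('a','b')[1,0] -join ''` style.
SAMPLE_PS = "$u = ('c2.example','hxxp://','/beacon','.test')[1,0,3,2] -join ''"

HEX_KEY = re.compile(r"['\"]([0-9A-Fa-f]{32})['\"]")
ARRAY_JOIN = re.compile(
    r"\(\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)\s*\[\s*([0-9,\s]+)\]\s*-join\s*''",
    re.IGNORECASE,
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_hex_alphabet_keys(script: str) -> list:
    """Quoted 32-character strings made only of hex digits: candidate RC4 keys
    of the shape the report describes. A triage heuristic, not proof."""
    return HEX_KEY.findall(script)


def deobfuscate_rearranged_string(expr: str):
    """Statically evaluate `('p0','p1',...)[i,j,...] -join ''`, the
    array-based rearranging pattern, without executing any PowerShell."""
    m = ARRAY_JOIN.search(expr)
    if not m:
        return None
    parts = re.findall(r"'([^']*)'", m.group(1))
    order = [int(x) for x in re.split(r"\s*,\s*", m.group(2).strip()) if x]
    if any(i >= len(parts) for i in order):
        return None                           # malformed index list
    return "".join(parts[i] for i in order)


def recover_c2(blob: bytes, key: bytes):
    """Strip the RC4 layer from a stager fragment, then resolve the rearranged
    string inside it: the two steps an analyst chains on such a document."""
    try:
        script = rc4(key, blob).decode("ascii")
    except UnicodeDecodeError:
        return None                           # wrong key yields non-ASCII bytes
    return deobfuscate_rearranged_string(script)


if __name__ == "__main__":
    blob = rc4(SAMPLE_KEY, SAMPLE_PS.encode())   # what a macro would embed
    print(recover_c2(blob, SAMPLE_KEY))          # hxxp://c2.example.test/beacon
```

The point of doing this statically rather than in a PowerShell sandbox is that the document never has to run: the index list and the fragment array are both in the text, so the C2 string can be recovered from the decrypted script with nothing more than a regex, and `find_hex_alphabet_keys` gives a cheap first pass for locating the hardcoded key in a dumped macro.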
I’m not saying it was Russia, but …
As is typical for Kaspersky Lab reports, this one doesn’t directly identify the group or country behind the attacks. It does, however, say that the tactics, techniques, procedures, and operational security used in the Olympic Destroyer attack “bear a certain resemblance to Sofacy,” the name of the advanced persistent threat group, also known as APT28 or Fancy Bear, that works for the Russian government.
That would be consistent with a February news article that reported how US intelligence officials determined, with some confidence, that the attack was carried out by individuals working on behalf of a Russian intelligence agency. Prior to that report, some researchers had said fingerprints inside the Olympic Destroyer malware suggested it was the work of North Korean hackers.
The report of Russian involvement was bolstered by research published the same day as the article by Cisco’s Talos security team. It showed that Olympic Destroyer included decoy code that was designed to falsely implicate North Korea when, in fact, a series of operational mistakes showed that a rival hacking group was responsible. Such decoys in hacking operations are often referred to as false flags.
Adding to the linkage of Russian actors, Kaspersky Lab’s latest report said that spear phishing emails used in Ukraine contained documents written in perfect Russian, a finding that suggests they were probably prepared with the help of a native Russian speaker and not automated translation software.
It’s still not clear how the recent spear-phishing campaigns against such a motley set of targets fit together. Kaspersky Lab researchers wrote:
The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests: a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation-state actors. On the other hand, the financial targets might be another false-flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.
Certain conclusions could be made based on motives and the selection of targets in this campaign. However, it is easy to make a mistake when trying to answer the question of who is behind this campaign with only the fragments of the picture that are visible to researchers. The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever. We believe that it is no longer possible to draw conclusions based on few attribution vectors discovered during regular investigation. The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.
What does seem clear is that a group with a track record of successful sabotage campaigns is targeting a new set of organizations in a variety of countries. Kaspersky Lab provides a list of detailed indicators of compromise that defenders can use to determine whether they were among the targets.