Hell of attribution: OlympicDestroyer is here to trick the industry presented at Shakacon 2018

by Seongsu Park,

Summary : The PyeongChang Winter Olympic Games in this year are remembered as a very successful Olympics, but it’s remembered as other things in information security industry. According to organizers of the Pyeongchang Olympics there was a cyber-attack that temporarily paralyzed IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets. According to this attack, security companies started publishing in their blogs about this attack, finger-pointing at different directions in terms of attribution: cybercriminal ransomware, Russian state-sponsored actors, Chinese-speaking APTs, North Korean Lazarus malware, etc.We had the opportunity of conducting an investigation in an infected network in South Korea. We were provided with administrative access to one of the affected servers located in the compromised company and found not only Olympic Destroyer but another tool of the attacker from the compromised host. Based on the additional finding, we can assemble more of the attack process and finally can find suspected initial infection method related to this attack. We also found this attack has a highly sophisticated false flag to trap threat intelligence researcher.In this presentation, I will share the full story of Olympic Destroyer investigation and what we found such as attacker’s opsec failure. In addition, I will explain in detail the false flag to deceive threat intelligence researchers. Eventually, attendees will understand about emerging game changer of threat intelligence industry and the TTPs of attacker behind this attack.