Researchers have now found the Olympic Destroyer operation is back in action, using some of its original infiltration and reconnaissance toolset, and focusing on targets in Europe. Olympic Destroyer is an advanced threat that hit organizers, suppliers and partners of the Winter Olympic Games 2018 in Pyeongchang, South Korea with a cybersabotage operation based on a destructive network worm.
A few rare and sophisticated signs discovered by Kaspersky Lab suggested that Lazarus group, a North Korea-linked threat actor, was behind the operation. However, in March, the company confirmed that the campaign featured an elaborate and convincing false flag operation, and Lazarus was unlikely to be the source.
The threat actor is spreading its malware through spear-phishing documents that closely resemble the weaponized documents used in preparation for the Winter Olympics operation. One such decoy document referred to the ‘Spiez Convergence’, a bio-chemical threats conference held in Switzerland and organized by the Spiez Laboratory, an organization that played a key role in the Salisbury attack investigation. Another document was targeting an entity of the health and veterinary control authority of Ukraine. Some of the spear-phishing documents uncovered by researchers carry words in Russian and German.
All final payloads extracted from the malicious documents were designed to provide generic access to the compromised computers. An open-source and free framework, widely known as Powershell Empire, was used for the second stage of the attack.
The attackers appear to use compromised legitimate webservers to host and control the malware. These servers use a popular open-source content management system (CMS) called Joomla. The researchers found that one of the servers hosting the malicious payload used a version of Joomla (v1.7.3) released in November 2011, which suggests that a very outdated variant of the CMS could have been used by the attackers to hack the servers.
Based on Kaspersky Lab telemetry and files uploaded to multi-scanner services, the interests of this Olympic Destroyer campaign appear to have been entities in Germany, France, Switzerland, the Netherlands, Ukraine and Russia. Kaspersky Lab products successfully detect and block Olympic Destroyer-related malware.