The hackers that attacked the Winter Olympics 2018 left false clues to hide their identity

- Adrian Ungureanu

The Pyeongchang Winter Olympics were not free of cyber-security incidents: a rather dangerous piece of malware paralyzed the IT systems shortly before the opening ceremony.

The malware, called Olympic Destroyer, shut down all monitors and the Wi-Fi network and made the website inaccessible, so visitors could no longer print their tickets.

According to Kaspersky Lab, several other South Korean ski resorts were affected by the same malware, which stopped the operation of ski facilities and lifts in those resorts.

“Although the real impact of attacks with this malware has been limited, it has clearly had the ability to be a destructive one, which fortunately has not happened,” the security solutions provider said in a press release.

Within a few days of its discovery, research teams around the world had attributed the malware to Russia, China and North Korea, on the basis of features previously associated with cyber-espionage and sabotage groups backed by those countries.

Kaspersky Lab researchers found what seemed to be sure proof that the attack was the work of Lazarus, a state-backed group with links to North Korea. But they realized something was wrong and started a new analysis of the malware. According to Kaspersky, the evidence pointing to the Lazarus group had been placed there intentionally to mislead security firms. Until now, IT security companies have believed that each hacking group has its own “fingerprint” that helps specialists identify the attackers. Well, that is no longer the case.

The researchers therefore concluded that the “fingerprint” is a sophisticated false flag, intentionally planted in the malware to give specialists the impression that they have found evidence exposing the attackers, when in fact it leads them away from the correct attribution.

Accurately attributing the Olympic Destroyer attack remains an open question for the moment, simply because it is a unique example of a very convincing false flag.

However, Kaspersky Lab researchers did discover that the attackers used the NordVPN identity-protection service and a hosting provider called MonoVM, both of which accept Bitcoin. These clues, along with other TTPs, were previously seen in Fancy Bear (Sofacy) – a Russian-speaking threat actor.