Kaspersky Lab is warning all European bio-chemical threat prevention organizations to bolster cybersecurity after finding that the malware which disrupted IT systems at the PyeongChang Winter Olympics is now being aimed at European organizations.
Olympic Destroyer, the malware that knocked out South Korea’s Winter Olympic website and the Wi-Fi at the PyeongChang stadium, has returned with new European targets in sight.
The malware steals credentials from browsers and Windows systems, which are then used to automatically spread across networks and destroy infected PCs.
The malware was noted for its skillful use of misleading clues that left different researchers pointing the finger at state-backed hackers from Russia, North Korea, and China.
Kaspersky researchers however said there was enough evidence to rule out North Korea’s Lazarus hacking group, despite clues pointing to the group.
Kaspersky Lab researchers today revealed a new Olympic Destroyer campaign it spotted in May and June using new spear-phishing documents that share traits with the ones used at the Winter Olympics.
The malware was delivered to targets in France, the Netherlands, Switzerland, Germany, Ukraine, and Russia. It struck a curious mix of financial organizations in Russia and chemical and biological threat prevention labs in Europe and Ukraine.
To deliver the payload, the attackers this time compromised web servers running out-of-date versions of the Joomla content management system. The attack documents contained embedded VBA macros that execute a PowerShell command.
Kaspersky Lab notes that the VBA code was obfuscated with the same technique used in the first Olympic Destroyer spear-phishing campaign.
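As an added example (not from the article and not Kaspersky Lab’s code), here is a small Python detector for the delivery chain described above: an Office document whose VBA macro launches PowerShell. In endpoint telemetry that chain appears as winword.exe (or another Office binary) becoming the parent of powershell.exe, which is cheap to alert on regardless of how the macro itself is obfuscated. The script runs over a constructed, Sysmon-style JSON-lines sample of process-creation events; the field names, hostnames and command lines are assumptions made for illustration.

```python
"""Flag Office applications spawning script hosts in process-creation logs.

Added example, not code from the article or from Kaspersky Lab. The log
format is a constructed, Sysmon-style JSON-lines sample; field names
(host, image, parent_image, command_line) are assumptions.
"""
import json
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Office binaries that should almost never be the parent of a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters a macro dropper typically hands off to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Argument patterns common in macro-launched PowerShell and rare in admin use.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\s|-nop\b|-w(indowstyle)?\s+hidden"
    r"|downloadstring|\biex\b|frombase64string)"
)


@dataclass
class Finding:
    host: str
    parent: str
    child: str
    reasons: List[str] = field(default_factory=list)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across platforms."""
    return ntpath.basename(path).lower()


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding when an Office app spawned a script host, else None."""
    parent = _base(event.get("parent_image", ""))
    child = _base(event.get("image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    reasons = [f"{parent} spawned {child}"]
    cmd = event.get("command_line", "")
    hits = sorted({m.group(0).strip().lower() for m in SUSPICIOUS_ARGS.finditer(cmd)})
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return Finding(event.get("host", "?"), parent, child, reasons)


def scan_log(text: str) -> List[Finding]:
    """Parse JSON-lines process-creation events and collect findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        result = analyze_event(json.loads(line))
        if result:
            findings.append(result)
    return findings


# Constructed sample: one macro-style launch, one benign admin script,
# one Excel-to-cmd launch without encoded arguments.
SAMPLE_LOG = r"""
{"host": "ws01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "powershell.exe -nop -w hidden -enc QUFBQQ=="}
{"host": "ws02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"host": "ws03", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "command_line": "cmd.exe /c echo hello"}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.host}] {'; '.join(f.reasons)}")
```

The parent/child pairing is the signal worth keeping; the argument regex only adds context, since a dropper can trivially change its flags while a macro still has to start some interpreter. Hosts where Office legitimately launches cmd.exe or PowerShell (add-ins, build tooling) belong on an allow-list rather than in a loosened rule.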
Notably, one of the malicious Word documents referenced Spiez Convergence, a conference to be held in September and run by Spiez Laboratory, the Swiss Federal Institute for Nuclear, Biological and Chemical (NBC) Protection.
The organization provided technical assistance during the UK’s investigation of the nerve agent poisoning of the former Russian double agent Sergei Skripal and his daughter in Salisbury.
Another document used in the attacks also referenced the nerve agent used to poison the pair.
The report doesn’t attribute the malware to any attack group, though Kaspersky notes some of the documents are written in perfect Russian.
Kaspersky Lab researchers believe this wave of Olympic Destroyer may have been part of an information gathering exercise in preparation for a destructive attack, the same pattern that preceded the attack on the South Korean Olympics.
However, given Europe’s fresh vote to ban Kaspersky Lab products from use in EU institutions, and Kaspersky Lab subsequently suspending cooperation with Europol, the company’s expertise may not be available to help investigate if such an attack occurs.
Kaspersky researchers offered an argument for why banning its products might be against the interests of the EU, and other nations, including the US, UK and Netherlands that have recently excluded it from government networks.
“The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders,” Kaspersky Lab researchers wrote.
“Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.”
The researchers urged all European biological and chemical threat prevention and research organizations to beef up security and conduct unscheduled audits.
They also speculate the mix of financial and non-financial targets could be due to multiple groups with different goals using the malware for their own purposes. Alternatively, the Russian financial targets could be another false flag.