This past winter, malware ripped through the Pyeongchang Olympics, disrupting Wi-Fi, shutting down the Olympics website, and causing generalized digital havoc. The so-called Olympic Destroyer attack gained infamy, too, for using a number of false flags to muddy attribution. Now, researchers at Kaspersky Lab say the group behind those February attacks has returned, with a new target: organizations that respond to and protect against biological and chemical threats.
While the activity Kaspersky has seen has not turned destructive, researchers there say that hackers have taken steps that echo the early groundwork laid by the Olympic Destroyer group. Using a sophisticated spearphishing technique, the group has attempted to gain access to computers in France, Germany, Switzerland, Russia, and Ukraine. The concern: That these early intrusions will escalate in the same destructive way Olympic Destroyer did.
“We’re pretty confident this is the same group,” says Kaspersky security researcher Kurt Baumgartner. “We’re seeing the same sort of tactics. We’re seeing targeting that may line up with the previous group. We’re seeing multiple places where there may be crossover.”
Those tactics, so far, involve spearphishing emails that present themselves as coming from an acquaintance, with a decoy document attached. The execution, Baumgartner says, is remarkably similar to how Olympic Destroyer began: Emails target a group of people affiliated with a specific event; if they open the document they trigger a malicious macro, which allows multiple scripts that enable access to the target computer to run in the background.
While the hacker group excels at avoiding detection, its activity has enough hallmarks that Kaspersky has high confidence that it’s a repeat performance. “When you look at the obfuscation that they’re using in the spearphishing macros, this is a very specific set of macros,” says Baumgartner. “No one else is using this stuff.”
In the case of Olympic Destroyer, that early access was eventually used in Pyeongchang to deploy malware designed to destroy data on victim machines. Kaspersky says it chose to go public with its findings because if these latest attacks follow the same timeline they may be about to escalate in a similar fashion.
‘No one else is using this stuff.’
Kurt Baumgartner, Kaspersky Lab
The hackers appear to be primarily targeting people affiliated with an upcoming biochemical threat conference, called Spiez Convergence. That event is organized by Spiez Laboratory—a testing outfit that was tangentially involved in the investigation into the poisoning of former Russian double agent Sergei Skripal, and his daughter Yulia, in Salisbury, England in March. The UK and the US both attributed the attempted murders to Russia, and expelled dozens of Russian diplomats each.
One of the decoy documents Kaspersky observed looks like a press release for Spiez Convergence. Another appears to be a news report about the nerve agent used in the Salisbury attack. The hackers also appear to have Russian language proficiency. Kaspersky, itself a Russian company embroiled in controversy in the US over its purported ties to the Russian government, did not suggest attribution for the Olympic Destroyer group. But it does seem worth noting that both the Pyeongchang Olympics—from which Russia was banned—and European biochemical protection agencies—which did not absolve Russia of what appears to be a high-profile international assassination attempt—arguably share a common bond of Russian provocation. Not to mention that US intelligence officials already reportedly decided months ago that Russia was behind the Olympics hack after all.
Still, the group behind Olympic Destroyer very effectively covers its tracks. It has also separately targeted Russian financial institutions in this latest round of attacks, which Kaspersky chalks up to the same malware being used by groups with different interests—or possibly as yet another false flag by a hacker team that revels in the practice.
Whoever is ultimately behind the attacks, Kaspersky advises hypervigilance on the part of biological and chemical threat research entities for the time being. While the hackers haven’t yet successful moved past its reconnaissance phase, the impact could be severe if and when it does.
“We want to get the warning out that this group is active again, because they are destructive,” says Baumgartner. “It looks like they’re failing, but give them another few weeks. We’ll know for certain.”