Researchers at Cisco’s security unit Talos have said they have found the malware that was used in an internet attack on the organization of the Winter Games. That would only be aimed at disruption.
The company writes that it can say “with moderate certainty” that it is actually the malware that was deployed at the opening of the Winter Games. Although the malware distribution method is unclear, it uses the same methods to spread over the network as NotPetya and BadRabbit malware. Talos concludes that the attacker must have had knowledge of his target’s infrastructure, because the malware uses 44 pre-programmed accounts in addition to so-called stealers to spread further across the network after infection.
The destructive side of the malware, nicknamed Olympic Destroyer by Talos, initially deletes all shadow copies present on the infected system, which contain snapshots for backup purposes. This should make recovery more difficult, Talos said. Then the malware stops Windows from attempting a repair at startup. Finally, the malicious software disables all services on the system and shuts down the system.
Over the weekend, the organization of the Winter Olympics in South Korea announced that it had been hit by an internet attack. As a result, the website was not accessible and visitors could not, among other things, print tickets. The problems arising from the attack lasted about twelve hours.