New attack by Olympic Destroyer seems to be in the making

Researchers from Kaspersky Lab found out that the hacker group responsible for the so-called network worm Olympic Destroyer is back. Olympic Destroyer now seems to be focusing on Russian financial institutions and laboratories active in the protection against chemical and biological weapons in the  Germany, France, Switzerland, Ukraine and Russia.

Winter Olympics in Pyeongchang

At the beginning of this year, this destructive network worm has been firmly held at the opening of the Olympic Winter Games in South Korea. The researchers now advise comparable organizations to remain alert and, where possible, to take additional security measures.

During the last Olympic Winter Games, organizers, suppliers and partners were struck by Olympic Destroyer, an all-devouring network worm. There were many contradictory indications in February this year about the origin of this malware . This caused confusion in the security industry.

This is how Kaspersky Lab initially pointed in the direction of the North Korean Lazarus group. However, in March the cybersecurity company confirmed that there was an extensive and convincing false flag operation and that involvement of Lazarus was unlikely.

Now Kaspersky Lab researchers are discovering that Olympic Destroyer is once again active with a number of previously applied infiltration and exploration tools. However, the targets are in Europe this time.


The malware is distributed via spear-phishing documents that were also used to prepare for the Winter Olympics. One of the documents refers to the ‘Spiez Convergence’, a conference on biochemical threats in Switzerland organized by Spiez Laboratory. This organization played a key role in the investigation into the Salisbury attack. The Ukrainian health and veterinary control authority is also targeted. Some of the discovered spear-phishing documents contain Russian and German texts.

All payloads that can be deduced from the harmful documents have been developed to provide generic access to the infected computers. The free open-source framework Powershell Empire was used for the second phase of the attack.

The attackers seem to use vulnerable web servers to host and manage the malware. These servers use the popular open-source content management system (cms) Joomla. The researchers conclude that one of the servers runs on Joomla 1.7.3, a version from November 2011. That suggests that a strongly outdated variant of the cms is used to hack the servers, the researchers note.

Target Olympic Destroyer

According to the same researchers, Olympic Destroyer targets targets in the Germany, France, Switzerland, Ukraine and Russia. For this discovery, Kaspersky Lab has relied on telemetry and uploaded files to multi-scanner services.

At the beginning of this year, the sophisticated deception tactic of Olympic Destroyer made it clear once and for all how quickly researchers can draw wrong conclusions if the picture is not complete yet, ” says Vitaly Kamluk, security researcher within the GReAT team at Kaspersky Lab. “ The private sector has to work together with governments to analyze and avoid such threats, and we hope that the disclosure of our findings will help incident and security researchers to quickly identify and fight similar attacks in the future.

Similar attack

The reconnaissance phase of the previous attack began a few months before the start of the Winter Olympics. The group behind Olympic Destroyer is now, with new motives, likely to be preparing a similar attack.