Delaware, USA – June 20, 2018 – The hacker group behind the attack during the Winter Olympics Opening Ceremony in Pyeongchang is preparing a new operation. In February, cybercriminals used the Olimpic Destroyer wiper in attempt to disrupt the ceremony, and they succeeded partially: for 12 hours the Olimpic website was unavailable, and they caused failures in the work of WiFi and digital television. Investigating and analyzing malware did not help establish the threat actor responsible for this attack, as malware authors left a lot of false clues pointing to several Chinese groups, Lazarus and Sandworm that presumably was involved in the attacks of NotPetya and BadRabbit. Kaspersky Lab discovered a new campaign of this group, and its analysis allowed researchers to uncover new evidence leading to the Sandworm group. Now attackers targeted chemical and biological laboratories in several European countries and Ukraine, as well as financial organizations in Russia. Researchers believe that this may indicate two independent campaigns or an attempt to mislead the investigation. Adversaries use spear phishing sending emails with a malicious Word document attached. If a lured user enables macro, it launches a multi-stage installation of Powershell Empire agent, the pentester tool allowing adversaries to fully control the attacked system. Furthermore, attackers use compromised servers with Joomla CMS installed as command and control servers.
Threat actor behind the Olimpic Destroyer malware use obfuscated scripts to avoid detection by security solutions, and they also use a script to disable Powershell logging to complicate the investigation. You can detect malicious activity using SIEM with APT Framework and Threat Hunting Framework use cases. In addition, you can detect VPN Filter malware created by Sandworm group using Sigma rules from Threat Detection Marketplace.