Delaware, USA – February 13, 2018 – During the opening ceremony of the 2018 Winter Olympics, an unknown threat actor carried out a cyberattack on the event's infrastructure. The attackers managed to take the Olympics website offline for 12 hours and also disrupted the Wi-Fi and digital television services. Researchers from Cisco Talos continue to examine "Olympic Destroyer," the malware used in this attack. The initial infection vector could not be determined, but the Winter Olympics site is known to have been compromised before the attack, since the malware leveraged hardcoded credentials stolen from that site. Olympic Destroyer was able to steal credentials from browsers and systems, and it used PsExec and WMI for lateral movement. The primary role of the malware was to destroy shadow copies and any other data recovery capability, turn off all services and shut down the system.
The goal of the attack appears to have been maximum damage to the infrastructure: as far as is known, the attackers did not attempt to steal any data. You can detect the disabling of services and other suspicious activity on systems using Windows Security Monitor for ArcSight, QRadar and Splunk. This use case visualizes security events and informs the administrator about any deviations that need to be investigated.
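As an added illustration of the detection described above (example code written for this page, not the use case content or the Cisco Talos research it refers to), the following Python correlates constructed Windows event records: service start-type changes (event 7040), shadow-copy and backup-catalog deletion on a process command line (event 4688), and PsExec service installation or WMI-spawned processes (events 7045 and 4688). The command-line patterns and the ten-minute window are assumptions for this example based on common Windows indicators, not indicators published for Olympic Destroyer.

```python
import re
from datetime import datetime as dt, timedelta
# Rules: (category, Windows event id, regex over the event message). The patterns
# are common indicators of the behaviours named in the article (services disabled,
# recovery data destroyed, PsExec/WMI remoting); they are assumptions for this
# example, not indicators published for Olympic Destroyer.
RULES = [
    ("service_disabled",   7040, re.compile(r"changed from .+ to disabled", re.I)),
    ("recovery_destroyed", 4688, re.compile(r"vssadmin\S*\s+delete\s+shadows", re.I)),
    ("recovery_destroyed", 4688, re.compile(r"wbadmin\S*\s+delete\s+catalog", re.I)),
    ("lateral_movement",   7045, re.compile(r"Service Name:\s*PSEXESVC", re.I)),
    ("lateral_movement",   4688, re.compile(r"Creator Process Name:.*WmiPrvSE\.exe", re.I)),
]

def classify(event):
    """Categories an event record matches (empty list for benign events)."""
    return sorted({cat for cat, eid, pat in RULES
                   if event["id"] == eid and pat.search(event["msg"])})

def correlate(events, window=timedelta(minutes=10), min_categories=2):
    """Flag a host when at least `min_categories` distinct behaviours occur on it
    within one `window`; a lone service change stays below the alert threshold."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        for cat in classify(ev):
            hits.setdefault(ev["host"], []).append((ev["time"], cat))
    alerts = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            cats = {c for t, c in seq[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                alerts[host] = cats
                break
    return alerts

# Constructed sample events (not real telemetry from the Olympics incident).
T = lambda s: dt(2018, 2, 9, *map(int, s.split(":")))
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": T("20:00"), "id": 7040, "msg": "The start type of the Windows Backup service was changed from demand start to disabled."},
    {"host": "WS-01", "time": T("20:02"), "id": 4688, "msg": "Process Command Line: vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "time": T("20:04"), "id": 7045, "msg": "A service was installed in the system. Service Name: PSEXESVC"},
    {"host": "WS-02", "time": T("20:00"), "id": 7040, "msg": "The start type of the Print Spooler service was changed from auto start to disabled."},
    {"host": "WS-03", "time": T("19:00"), "id": 7040, "msg": "The start type of the Windows Backup service was changed from auto start to disabled."},
    {"host": "WS-03", "time": T("20:30"), "id": 4688, "msg": "Process Command Line: wbadmin.exe delete catalog -quiet"},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(sorted(cats))}")
```

Only WS-01 is flagged: WS-02 shows a single disabled service, and on WS-03 the two behaviours fall outside the correlation window.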