On February 9th, 2018, malware designed to spread itself inside the network and destroy each device it infects was detected in the Winter Olympics network. According to U.S. intelligence, Russian military spies were behind the attack, which managed to infect several hundred computers used by authorities at the 2018 Winter Olympics. The hack was retaliation for banning the Russian team from the Olympic games in Pyeongchang.
According to U.S. intelligence agencies, the Russians also hacked routers in South Korea prior to the attack. This might have been the initial infection vector of the new malware.
The “Olympic Destroyer Malware” follows the same attack blueprint as all other APTs: establish a foothold, elevate privileges, steal credentials, destroy/disable/delete local files, and move laterally. Although the objectives and intended outcomes are different across the APTs we’ve seen, the methodologies are similar. They all leverage the vulnerabilities that naturally occur in an Active Directory environment.
Once the malware is executed on a compromised machine, it performs the following actions:
- Dumps browser credentials
- Dumps domain credentials from LSASS
- Fetches the list of computers in the same LAN from the ARP table
- Queries the domain for a list of all the domain computer names
After collecting the data, it tries to authenticate using the stolen passwords together with a list of hard-coded usernames gathered during earlier reconnaissance. As it tries to move laterally using PsExec, it disables all Windows storage recovery methods and all services, basically destroying your endpoints. Once it has finished, your infected PCs won’t be able to boot ever again.
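The sequence described above (PsExec lateral movement followed by recovery being disabled on the same host) can be turned into a simple correlation rule. The following is an added example, not code from the original post or from Javelin: the event tuples are constructed sample data, and the specific command lines matched are an assumption, since the post does not name the commands the malware runs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the post): (time, host, Windows event ID, detail).
# 7045 = service installed, 4688 = process created (command-line auditing assumed on).
SAMPLE_EVENTS = [
    ("2018-02-09T11:00:05", "WS01", 7045, "PSEXESVC"),
    ("2018-02-09T11:00:40", "WS01", 4688, "vssadmin.exe delete shadows /all /quiet"),
    ("2018-02-09T11:00:42", "WS01", 4688, "bcdedit.exe /set {default} recoveryenabled no"),
    ("2018-02-09T11:02:00", "WS02", 7045, "PSEXESVC"),  # PsExec use, nothing follows
    ("2018-02-09T11:03:00", "WS03", 4688, "vssadmin.exe list shadows"),  # benign query
    ("2018-02-09T13:30:00", "WS02", 4688, "wbadmin.exe delete catalog -quiet"),  # too late
]

# Assumed patterns: common command lines that remove or disable Windows recovery options.
RECOVERY_INHIBIT = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]

def inhibits_recovery(cmdline):
    """True if the command line matches one of the recovery-disabling patterns."""
    return any(p.search(cmdline) for p in RECOVERY_INHIBIT)

def correlate(events, window=timedelta(minutes=10)):
    """Return {host: [cmdlines]} for hosts where recovery was disabled
    within `window` after the PsExec service (PSEXESVC) was installed."""
    last_psexec = {}  # host -> time of most recent PSEXESVC install
    alerts = {}
    for ts, host, event_id, detail in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if event_id == 7045 and detail.upper() == "PSEXESVC":
            last_psexec[host] = when
        elif event_id == 4688 and inhibits_recovery(detail):
            started = last_psexec.get(host)
            if started is not None and when - started <= window:
                alerts.setdefault(host, []).append(detail)
    return alerts

if __name__ == "__main__":
    for host, cmds in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: recovery disabled after PsExec service install: {cmds}")
```

Correlating the two signals keeps routine PsExec administration (WS02) and read-only queries (WS03) from alerting on their own.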
We wanted to test out the Olympic Destroyer methodologies against Javelin AD|Protect, so we put it in our lab. More importantly, we want to use this example to elevate awareness around the vulnerabilities in an Active Directory environment. In the video below, learn how this malware operates in an AD environment and how Javelin would have prevented its success.