However, the motives and other inconsistencies with Lazarus TTPs uncovered during the investigation by Kaspersky Lab onsite at the compromised facility in South Korea made researchers revisit the rare artefact.
Following another careful look at the evidence and manual verification of each feature, researchers discovered that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus.
As a result, the researchers concluded that the features’ ‘fingerprint’ is a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found ‘smoking gun’ evidence, knocking them of the trail to more accurate attribution.
“To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artefact is very hard to prove. It’s as if a criminal had stolen someone else’ DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are ready to spend in order to stay unidentified for as long as possible. We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and OlympicDestroyer is a pretty precise illustration of this,” said Vitaly Kamluk, Head of APAC Research Team, Kaspersky Lab.
“Another takeaway from this story for us is that attribution is has to be taken extremely seriously. Given how politicized cyberspace has recently become, the wrong attribution could lead to severe consequences and actors may start trying to manipulate the opinion of the security community in order to influence the geopolitical agenda,” he added.
The accurate attribution of OlympicDestroyer is still an open question – simply because it is a unique example of the implementation of very sophisticated false flags. However, Kaspersky Lab researchers found that the attackers used privacy-protecting service NordVPN and a hosting provider called MonoVM, which both accept Bitcoins. These and some other discovered TTPs were previously seen to be used by Sofacy – the Russian-speaking actor.
Kaspersky Lab products successfully detect and block the OlympicDestroyer malware.
Read more about how Kaspersky Lab researchers investigated the OlympicDestroyer attacks in South Korea and Europe in the blogpost on Securelist.com.
