A new attribution method helped Kaspersky Lab identify a very sophisticated false flag
Kaspersky Lab’s Global Research and Analysis Team has published the results of its own research into the OlympicDestroyer malware attacks, providing technical evidence of a very sophisticated false flag that the malware’s creator placed inside the worm in order to throw threat hunters off the trail of its real origin.
The OlympicDestroyer worm made some headlines during the Winter Olympic Games. The Pyeongchang Olympics experienced a cyberattack that temporarily paralyzed IT systems ahead of the official opening ceremony, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.
Kaspersky Lab has also found that several ski resort facilities in South Korea were hit by the same worm, which disabled ski gates and ski lifts at the resorts. Although the actual impact of these attacks was limited, the malware clearly had the capability to be far more destructive; that capability was, luckily, never fully used.
Nevertheless, the real interest of the cybersecurity industry lay not in the potential or actual damage caused by OlympicDestroyer, but in the origin of the malware. Perhaps no other piece of sophisticated malware has had so many attribution hypotheses put forward as OlympicDestroyer.
Within days of its discovery, research teams from all over the world had between them managed to attribute this malware to Russia, China and North Korea, based on a number of features previously attributed to cyber-espionage and sabotage actors allegedly based in these countries or working for these countries’ governments.
Kaspersky Lab researchers were also trying to understand which group was behind this malware. At some point during their research, they came across something that looked like conclusive evidence connecting the malware to Lazarus, an infamous nation-state-backed group linked to North Korea.
This conclusion was based on a unique trace left in the files. Compilers and linkers store metadata about the build environment inside the executables they produce; a particular combination of these values can serve as a ‘fingerprint’ that in some cases identifies the malware authors and their projects.
In the sample analyzed by Kaspersky Lab, this fingerprint was a 100% match with previously known Lazarus malware components and had zero overlap with any other clean or malicious file known to Kaspersky Lab at the time. Combined with other similarities in tactics, techniques and procedures (TTPs), this drew the researchers to the preliminary conclusion that OlympicDestroyer was yet another Lazarus operation.
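The build-environment fingerprint described above is, in Kaspersky Lab’s published research, the PE “Rich header”: a block that Microsoft’s linker places between the DOS stub and the PE header, listing the product IDs, build numbers and object counts of every toolchain component that contributed to the binary, XOR-encoded with a key that doubles as a checksum over the DOS stub and the entries. The example below is an added illustration, not Kaspersky Lab’s code or their exact method: it builds two constructed, minimal PE prefixes (not real binaries) with different Rich headers, derives a fingerprint from the decoded entries, then transplants one file’s Rich header into the other and shows that the fingerprint now matches the donor while the header’s checksum no longer agrees with the host file’s DOS stub. The product IDs, build numbers and stub bytes are invented test values; the checksum algorithm is the publicly documented one (rotate-left of each stub byte by its offset, plus rotate-left of each compid by its count), and whether any specific sample fails it is not something this page states.

```python
import hashlib
import struct

DANS = 0x536E6144  # "DanS" as a little-endian dword; start marker of the Rich header
RICH = b"Rich"     # end marker; followed by the XOR key / checksum dword


def rol32(value, count):
    """32-bit rotate left, as used by the Rich header checksum."""
    count &= 0x1F
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(dos_part, entries):
    """Checksum over the bytes before DanS (e_lfanew at 0x3C..0x3F skipped) and the entries.
    entries is a list of (compid, count) with compid = (prodid << 16) | build."""
    cksum = len(dos_part)
    for i, b in enumerate(dos_part):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum


def build_sample_pe(entries, stub, dans_offset=0x80):
    """Constructed test data: MZ header, a stub, a valid Rich header, then 'PE\\0\\0'."""
    assert len(stub) <= dans_offset - 0x40
    rich_len = (4 + 2 * len(entries) + 2) * 4   # DanS + 3 pad dwords, pairs, Rich + key
    e_lfanew = dans_offset + rich_len
    dos = bytearray(dans_offset)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[0x40:0x40 + len(stub)] = stub
    compids = [((p << 16) | b, c) for p, b, c in entries]
    key = rich_checksum(bytes(dos), compids)
    body = struct.pack("<IIII", DANS ^ key, key, key, key)  # pad dwords are 0 before XOR
    for compid, count in compids:
        body += struct.pack("<II", compid ^ key, count ^ key)
    body += RICH + struct.pack("<I", key)
    return bytes(dos) + body + b"PE\0\0"


def parse_rich_header(data):
    """Locate 'Rich', read the key, walk back to DanS and decode (prodid, build, count) triples."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_pos = data.rfind(RICH, 0, e_lfanew)
    if rich_pos < 0:
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    pos = rich_pos - 4
    while pos >= 0 and struct.unpack_from("<I", data, pos)[0] ^ key != DANS:
        pos -= 4
    if pos < 0:
        return None
    if any(x != key for x in struct.unpack_from("<III", data, pos + 4)):
        return None  # the three padding dwords must decode to zero
    entries = []
    for off in range(pos + 16, rich_pos, 8):
        compid, count = struct.unpack_from("<II", data, off)
        compid ^= key
        entries.append((compid >> 16, compid & 0xFFFF, count ^ key))
    return {"offset": pos, "end": rich_pos + 8, "key": key, "entries": entries}


def rich_fingerprint(entries):
    """Stable hash of the decoded toolchain entries; equal headers give equal fingerprints."""
    h = hashlib.sha256()
    for prodid, build, count in entries:
        h.update(struct.pack("<HHI", prodid, build, count))
    return h.hexdigest()


def verify_rich_checksum(data, parsed):
    """True if the key stored in the file matches a checksum over THIS file's DOS stub."""
    compids = [((p << 16) | b, c) for p, b, c in parsed["entries"]]
    return rich_checksum(data[:parsed["offset"]], compids) == parsed["key"]


def transplant_rich_header(donor, target):
    """Splice the donor's Rich header block into the target, keeping the target's DOS stub."""
    d, t = parse_rich_header(donor), parse_rich_header(target)
    block = donor[d["offset"]:d["end"]]
    out = bytearray(target[:t["offset"]] + block + target[t["end"]:])
    old_lfanew = struct.unpack_from("<I", target, 0x3C)[0]
    struct.pack_into("<I", out, 0x3C, old_lfanew + len(block) - (t["end"] - t["offset"]))
    return bytes(out)


# Invented toolchain entries for two hypothetical build environments (constructed values).
ENTRIES_A = [(0x0093, 0x7809, 4), (0x0094, 0x7809, 17), (0x009D, 0x7809, 1)]
ENTRIES_B = [(0x00DB, 0x520D, 9), (0x00DE, 0x520D, 2)]

if __name__ == "__main__":
    a = build_sample_pe(ENTRIES_A, b"DOS stub A")
    b = build_sample_pe(ENTRIES_B, b"DOS stub B")
    forged = transplant_rich_header(a, b)
    pa, pf = parse_rich_header(a), parse_rich_header(forged)
    print("fingerprints match:", rich_fingerprint(pa["entries"]) == rich_fingerprint(pf["entries"]))
    print("forged checksum valid:", verify_rich_checksum(forged, pf))
```

The point of the last two checks is the practitioner’s caveat: a fingerprint match on the Rich header alone says that the header bytes are the same, not that the same toolchain produced the binary. A header that was copied from another file may still fail an internal consistency check such as the checksum, or disagree with other compiler artefacts in the code, which is why a match should be treated as a lead rather than as proof.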