This past winter, malware tore through the Pyeongchang Olympics, disrupting Wi-Fi, shutting down the Olympics website, and causing generalized digital havoc. The so-called [Olympic Destroyer attack](https://www.wired.com/story/olympic-destroyer-malware-pyeongchang-opening-ceremony/) gained infamy, too, for using a variety of false flags to muddy attribution. Now, researchers at Kaspersky Lab say the group behind those February attacks has returned, with a new target: organizations that respond to and defend against biological and chemical threats.
While the activity Kaspersky has seen has not turned destructive, researchers there say that the hackers have taken steps that echo the early groundwork laid by the Olympic Destroyer group. Using a sophisticated spearphishing technique, the group has tried to gain access to computers in France, Germany, Switzerland, Russia, and Ukraine. The concern: that these early intrusions will escalate in the same destructive way Olympic Destroyer did.
“We’re pretty confident this is the same group,” says Kaspersky safety researcher Kurt Baumgartner. “We’re saying the same sort of tactics. We’re seeing targeting that may line up with the previous group. We’re seeing multiple places where there may be crossover.”
Those tactics, so far, involve spearphishing emails that present themselves as coming from an acquaintance, with a decoy document attached. The execution, Baumgartner says, is remarkably similar to how Olympic Destroyer began: emails target a group of people affiliated with a specific event; if they open the document, a macro runs, enabling several scripts to run in the background that give access to the target computer.
While the hacker group excels at avoiding detection, its activity has enough hallmarks that Kaspersky has high confidence that it is a repeat performance. “When you look at the obfuscation that they’re looking in the spearphishing macros, this is a very specific set of macros,” says Baumgartner. “No one else is using this stuff.”
In the case of Olympic Destroyer, that early access was ultimately used to deploy malware designed to destroy data on victim machines. Kaspersky says it chose to go public with its findings because, if these latest attacks follow the same timeline as Pyeongchang, they could be about to escalate in a similar way.
The hackers appear to be primarily targeting people affiliated with an upcoming biochemical threat conference, called Spiez Convergence. That event is organized by Spiez Laboratory, a testing outfit that was tangentially involved in the investigation into the poisoning of former Russian double agent Sergei Skripal and his daughter Yulia in Salisbury, England, in March. The UK and the US both attributed the attempted murders to Russia, and each expelled dozens of Russian diplomats.
One of the decoy documents Kaspersky observed looks like a press release for the Spiez Convergence. Another appears to be a news report about the nerve agent used in the Salisbury attack. The hackers also appear to be proficient in the Russian language.
Kaspersky, itself a Russian company embroiled in controversy in the US over its purported ties to the Russian government, did not offer attribution for the Olympic Destroyer group. But it does seem worth noting that both the Pyeongchang Olympics, from which Russia was banned, and European biochemical security agencies, which did not absolve Russia of what appears to be a high-profile international assassination attempt, arguably share a common bond of Russian provocation. Not to mention that US intelligence officials had already reportedly concluded months ago that Russia was behind the Olympics hack anyway.
Still, the group behind Olympic Destroyer very effectively covers its tracks. It has also separately targeted Russian financial institutions in this latest round of attacks, which Kaspersky chalks up to the same malware being used by groups with different interests, or possibly to yet another false flag by a hacker crew that revels in the practice.
Whoever is ultimately behind the attacks, Kaspersky advises hypervigilance on the part of biological and chemical threat research entities in the meantime. While the hackers have not yet successfully moved past the reconnaissance phase, the impact could be severe if and when they do.
“We want to get the warning out that this group is active again, because they are destructive,” says Baumgartner. “It looks like they’re failing, but give them another few weeks. We’ll know for certain.”