Cisco’s Talos Group recently identified a new strain of malware they’ve dubbed “Olympic Destroyer” which is wreaking havoc in Pyeong Chang’s computer networks and causing downtime to internal WiFi and television systems. This has impacted the games’ opening ceremonies, and stands an excellent chance of further disrupting the rest of the festivities.
Because the threat was only recently discovered, the Talos team’s initial assessment and report was spotty and short on details, but the group recently amended their initial findings. The results aren’t pretty, and the malware is seen as being both more dangerous and more advanced than originally thought.
The big three findings in the team’s amended report are as follows:
- It’s Polymorphic – As the malware spreads, it collects new credentials from each machine it infects, adding these to its binary on the fly. Members of the Talos team had this to say about the behavior: “I have not seen a malware sample modify itself to include harvested creds before and I’ve been doing this stuff longer than I should admit. Polymorphic malware isn’t a new idea by itself, but I’ve never seen any examples of malware modifying itself to include harvested credentials.”
- It Spreads Via The EternalRomance Exploit – This bit of information comes to us from the Windows Defender team. The mechanism by which Olympic Destroyer spreads is industrial grade, utilizing an exploit from the NSA leaked by the Shadow Brokers last year.
- Finally, It Wipes Data – This is perhaps the most significant of the three updates to the Talos report. The malware has a data wiping mechanism built into it that it utilizes at every opportunity in an attempt to delete files on network shares. Since it only seems to target shared files, it’s not deleting items key to OS functionality. Even so, these shared files are important, and this is what’s causing operational disruptions.
More details will no doubt become available as the various teams researching Olympic Destroyer get a better understanding of what they’re looking at. The bottom line is, it’s a pretty advanced threat and will likely inspire copycats in the months ahead.