Revealing the Secret: The Secret War Behind the Olympic Games and the Truth Behind It

Posted by tzul at 2020-03-18

Summary of events

The Pyeongchang Winter Olympic Games were held in South Korea in 2018. In the run-up to the games, it was reported on December 6 that the International Olympic Committee had banned Russia from taking part in the Pyeongchang Winter Olympic Games under its national name, a period marked by many scandals.

On February 24, 2018, according to US intelligence, Russian military spies hacked hundreds of computers used by managers of the 2018 South Korean Winter Olympics.

On February 26, 2018, Pyeongchang officials admitted that the opening ceremony of the Winter Olympics, held on February 9, 2018, had been hit by a cyber attack, but they refused to confirm that the attack was carried out by Russians. On the night of the opening ceremony, there were problems with the Internet, the broadcasting system and the Olympic website. Many spectators were unable to print their tickets, resulting in empty seats.

Recently, Wired published a report by Andy Greenberg. The following story is excerpted from his new book "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers", which we introduced in detail in our previous analysis report on the Ukrainian power grid.

The book will be published on November 5, 2019.

On the scene of the cyber attack

At around 8:00 p.m. on February 9, 2018, high in the mountains of northeastern South Korea, the technical director of the Pyeongchang Olympic Organizing Committee, referred to here as "A", sat in a plastic chair. He was responsible for overseeing the setup of the IT infrastructure for the Olympic Games, including more than 10,000 PCs, more than 2,000 mobile devices, 6,300 Wi-Fi routers and 300 servers in two Seoul data centers.

At that moment, A was only tens of meters away from the Pyeongchang Olympic Stadium, and the opening ceremony of the 2018 Winter Olympic Games was about to start.

When the lights around the stadium dimmed, the mobile phone screens of the 35,000 people around the stadium glowed like fireflies, and the large array of machines seemed to be working well.

However, half an hour earlier, A had received news of a thorny technical problem. The source was an IT contractor, a company from which the Olympic Games had rented another 100 servers. The data center in Seoul, South Korea, had not reported any related problems, so the team thought the contractor's problems could be solved. What A did not know at this point was that many spectators could not print their tickets and so could not enter the venue.

Ten seconds before 8 p.m., as the countdown to the Olympic Games began, A's Samsung mobile phone suddenly lit up with a KakaoTalk message from a subordinate: something was shutting down every domain controller in the Seoul data centers, and these servers formed the backbone of the IT infrastructure of the Olympic Games.

When A heard the news and rushed out through the exit of the press area, the reporters around him began to complain that the Wi-Fi seemed to have suddenly stopped working. Thousands of connected TVs that were supposed to be showing the broadcast had gone black. In addition, all the RFID-based security gates to every Olympic building had shut down. The official Olympic app (including its digital ticketing function) could not start either, because the back-end servers it was requesting data from returned nothing.

It is important to know that the Pyeongchang organizing committee had prepared thoroughly for this. Since 2015, its cyber security advisory group had held 20 meetings to run cyber attack exercises, which even covered disasters such as fires and earthquakes. However, it still happened. Their remedy was to distribute Wi-Fi hotspots to journalists and have staff check credentials manually.

Later, A arrived at the technical operations center in Gangneung at 9 p.m. to start the rescue. Because of the failure, the team could not access many basic services, such as mail. Troubleshooting showed that nine domain controllers in the data center had failed to varying degrees.

In this situation, the on-site staff decided on a temporary workaround: they would run the servers that were still up on their own and use them to provide basic support for services such as Wi-Fi and Internet TV, getting services online first and buying time. The aim was to have the basic systems back online minutes before the opening ceremony finished, so that visiting VIPs and spectators would not find themselves without a Wi-Fi connection or access to the Olympics app once it was over.

Over the next two hours, as they tried to restart the domain controllers to restore the previously stable network, the engineers found that the servers were knocked out again and again. This showed that something malicious was still present in their systems, and that it was destroying machines faster than they could be rebuilt.

A few minutes before dawn, the technical team reluctantly decided on a desperate measure: they disconnected the entire network from the Internet, trying to cut it off from the saboteurs, who they thought were still active inside. This meant that all services, even the public websites of the Olympic Games, had to be shut down while they eradicated the malware infection.

This also led to the reason that could not be opened for a period of time and was found by the security community and widely spread in the Internet.

At 5 a.m. the next day, AhnLab, a South Korean security company, managed to create an anti-virus signature that could help the machines detect and resist the mysterious malware that had infected them.

At 6:30 a.m., the administrators of the Olympic Games reset the staff passwords to prevent the hackers from attacking with stolen credentials. Subsequent code analysis proved that this was the right call.

Around 8 a.m. that day, almost 12 hours after the attack on the Olympic network began, the technicians finished rebuilding the servers from backups and started to bring all services back up. The Olympic Games went ahead successfully. Many people never knew that, on the night of the opening ceremony, a group of people had fought an invisible enemy.

A network worm weapon, full of false flags

So what is the origin of this mysterious malware? Working from the reports of foreign security vendors, the Red Raindrop team analyzed one of the key samples. Before that, one concept needs introducing: the false flag operation. A false flag is a kind of covert action that misleads the public into thinking the action was carried out by some other organization, by using that organization's flags, uniforms and other trappings. False flag operations are very common in espionage, and are often used covertly in political elections.

This kind of behavior is also quite common in network security, for example attacking with the cyber weapons commonly used by other attackers so that the activity is blamed on them.

In this attack, the false flag shows up in the cyber weapon used by the cyber force, hereinafter called the special Trojan horse and abbreviated as Tema. Many binary code features commonly used by other cyber forces were embedded into Tema itself.

The initial sample used in the Olympic attack, Olympic Destroyer, is a network worm that collects user credentials together with host names and appends the new data to the end of its existing data in order to penetrate further.

The attack sample has several notable features. For example, it creates a named pipe called 123, which is used to communicate with the two files described below.

1. Drops the PsExec remote control tool for lateral movement.

2. Drops and runs C: \ users \ user \ appdata \ local \ temp \ \.

And "YWL" will execute the following commands through CMD:

Call wbadmin.exe to delete all the snapshots on the system.

Call bcdedit.exe to disable automatic system repair.

Call wevtutil.exe to clear the system log.

In addition, it disables all services on the system by calling the ChangeServiceConfig function to change each service's startup type parameter to 4, which disables service startup.

After that, the destroyer tries to connect to file share directories and overwrites the files in them by creating files in their place, which has the effect of wiping them.

After performing the above operations and sleeping for an hour, the destroyer shuts down the system. It is easy to imagine what happens when the victim turns the computer back on and tries to restore the system.
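The wbadmin, bcdedit and wevtutil calls described above show up in process-creation logs, and seeing several of them on one host within minutes is a much stronger signal than any one alone. The following added example (not from the original article or any vendor's tooling) correlates them per host; the log format, host names, five-minute window, threshold and argument patterns are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One rule per recovery-inhibiting command named in the article. The argument
# patterns are common forms of each command (an assumption, not quoted from
# the article).
RULES = {
    "wbadmin_delete": re.compile(r"\bwbadmin(\.exe)?\s.*\bdelete\b", re.I),
    "bcdedit_no_recovery": re.compile(
        r"\bbcdedit(\.exe)?\s.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wevtutil_clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}
WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 2                   # distinct behaviours per host inside WINDOW

# Constructed process-creation records: timestamp|host|command line
SAMPLE_LOG = """\
2024-01-01T19:41:02|dc01|cmd.exe /c wbadmin.exe delete catalog -quiet
2024-01-01T19:41:03|dc01|cmd.exe /c bcdedit.exe /set {default} recoveryenabled no
2024-01-01T19:41:05|dc01|cmd.exe /c wevtutil.exe cl System
2024-01-01T19:50:00|ws17|wevtutil.exe qe System /c:5
2024-01-01T20:10:00|ws22|wbadmin.exe get versions
2024-01-01T11:00:00|bk01|wbadmin.exe delete systemstatebackup -keepVersions:3
2024-01-01T09:00:00|ws30|wevtutil.exe cl Application
2024-01-01T15:00:00|ws30|bcdedit.exe /set {default} recoveryenabled no
"""

def detect(log_text):
    """Return {host: [behaviours]} for hosts reaching THRESHOLD inside WINDOW."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, host, cmdline = line.split("|", 2)
        for name, rule in RULES.items():
            if rule.search(cmdline):
                hits[host].append((datetime.fromisoformat(stamp), name))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for start, _ in events:
            seen = {n for t, n in events if start <= t <= start + WINDOW}
            if len(seen) >= THRESHOLD:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE_LOG).items():
        print(host, behaviours)
```

The routine backup pruning on bk01 and the two unrelated commands hours apart on ws30 stay below the threshold; only dc01 is reported. The service disabling through ChangeServiceConfig is an API call and is not visible to this command-line check.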

Testing by the Red Raindrop team found that, once powered on again, the system restarts and blue-screens repeatedly. It cannot boot normally and cannot enter Safe Mode either; getting back in requires a system recovery operation.

This shows that the attackers never intended to steal secrets; they simply intended to disrupt the Olympic Games. In technique, the malware resembles the NotPetya and BadRabbit ransomware.

What is more interesting is that the attacker adopted a novel technique: user credentials are embedded in the sample itself and used for lateral movement.  is the official website of the Olympic Games, and the attacker moves laterally using the domain credentials, which ensures that everyone attacked is an Olympic Games staff member. In addition, once the credential-stealing module harvests new credentials, they are written into a new copy of the binary, which is then dropped again through lateral movement, a worm-like mechanism that maximizes the privileges obtained.

According to statistics, the organization has obtained credentials for about 44 staff members.

The details also suggest that the attackers knew the internal IP addresses of the Pyeongchang Olympic systems.

The remote commands that follow use PsExec and WMI to propagate the program.

Flow chart

The functions of the cyber weapon are basically the same throughout, but each stage of the code contains code related to other attack campaigns or attack organizations.

1. Olympic Destroyer and the NotPetya ransomware share similar code for clearing event logs and disabling system recovery.

In addition, the sample contains EternalRomance code but never calls it, which successfully deceived Microsoft.

2. Intezer said that the sample's code is similar to that of APT3 and APT10.

3. Links to BlueNoroff, part of Lazarus, the North Korean APT organization.

The evtchk.txt file name mentioned in the above analysis is very similar to the file names used by BlueNoroff (evtdiag.exe, evtsys.exe and evtchk.bat) in the 2016 SWIFT heist in Bangladesh. Similar wiper code is used as well.

In addition, Kaspersky's researchers say there is a high degree of similarity between North Korea's Lazarus and Olympic Destroyer. For example, both use the same technique to decrypt the payload. Lazarus uses this feature in its malware loaders to protect its backdoor modules from reverse analysis, because they contain some default C2 information.

Although the method is very similar, there are major differences in how it is used:

Lazarus uses long alphanumeric passwords (more than 30 characters). Olympic Destroyer, by contrast, uses a very simple password: 123.

Lazarus has never hardcoded the password of the protected payload into the malware body, but Olympic Destroyer has to hardcode it because it needs to self-propagate.

In addition, the PE header of Olympic Destroyer contains the Rich header that appeared in an earlier BlueNoroff sample.

Cyber attacks between North Korea and South Korea are very frequent, so it would seem normal for North Korea to launch an attack to interfere with the Pyeongchang Olympic Games. But Kim's sister was also invited to the Olympics, which reduced the likelihood of such an attack.

After that, Kaspersky found that, compared with code compiled in the same environment, the position of the Rich header was inconsistent. Later analysis also turned up an attack sample uploaded from France to VirusTotal at 13:46:23 on February 9, 2018. It is one version of the Pyeongchang Olympic attack sample, but some careless details in it exposed the forgery.

1. This sample has the sleep before shutdown turned off, that is, the one-hour sleep before shutting down mentioned in the analysis above.

2. Its compile timestamp is 10:42:19, February 9, 2018.

3. The position of its Rich header conforms to the standard.

All of this suggests that the attacker may have been in a hurry to launch the attack and wanted the target systems to shut down as soon as the sample started, so the sleep was removed. After all, the Olympic Games were to open at 8 p.m. that night, so after compiling in a hurry, they forgot to forge the Rich header and launched the sample as it was.

This confirms that the attacker behind Olympic Destroyer tried to cover up the attribution and pin the blame on North Korea through a false flag operation.
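The Rich header lends itself to this kind of check because its XOR key is also a checksum over the DOS header, the DOS stub and the decoded tool entries, so a header copied in from another binary normally stops matching the file around it. The following added example (not code from the article, Kaspersky or the Red Raindrop team) decodes a Rich header and recomputes that key; the sample images, comp.id values and helper names are constructed for the demonstration.

```python
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword

def rol32(value, bits):
    bits &= 31
    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF

def expected_key(data, start, entries):
    """Checksum the linker stores as the XOR key of the Rich header."""
    csum = start
    for i in range(start):
        if not 0x3C <= i < 0x40:          # e_lfanew is counted as zero
            csum += rol32(data[i], i)
    for comp_id, count in entries:
        csum += rol32(comp_id, count)
    return csum & 0xFFFFFFFF

def check_rich(data):
    """Decode the Rich header; report whether its key matches the file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = data.rfind(b"Rich", 0x40, e_lfanew)
    if end < 0:
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = data.rfind(struct.pack("<I", DANS ^ key), 0x40, end)
    if start < 0 or (end - start) % 8:
        return None
    words = [w ^ key for (w,) in struct.iter_unpack("<I", data[start + 16:end])]
    entries = list(zip(words[0::2], words[1::2]))
    return {
        "tools": [(c >> 16, c & 0xFFFF, n) for c, n in entries],  # (product, build, uses)
        "stored_key": key,
        "consistent": key == expected_key(data, start, entries),
    }

def build_sample(stub, entries):
    """Constructed image: DOS header, stub, and a correctly keyed Rich header."""
    dos = bytearray(b"MZ" + bytes(0x3E) + stub)
    dos += bytes(-len(dos) % 8)
    key = expected_key(dos, len(dos), entries)
    rich = struct.pack("<4I", DANS ^ key, key, key, key)
    rich += b"".join(struct.pack("<2I", c ^ key, n ^ key) for c, n in entries)
    rich += b"Rich" + struct.pack("<I", key)
    image = dos + rich + bytes(8)
    struct.pack_into("<I", image, 0x3C, len(image))
    return bytes(image)

# Constructed comp.id values (product << 16 | build) and use counts.
GENUINE = build_sample(b"constructed DOS stub", [(0x00FF6B14, 3), (0x01047809, 12)])
# The same Rich header sitting above a stub it was not computed for,
# as happens when the header is copied in from another binary.
FORGED = GENUINE[:0x40] + b"X" + GENUINE[0x41:]

if __name__ == "__main__":
    for name, image in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, check_rich(image))
```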

Russian military intelligence unit GRU?

After the incident, in order to get to the bottom of the attribution, FireEye's Matonis began tracing the attack back to its source. Unlike other security vendors, he did not start from the malware; instead, he analyzed the phishing documents used to deliver Olympic Destroyer. This series of phishing attacks dropped PowerShell and HTA trojans, which are not the malware used for destruction.

He found that all the documents were written and built by people named "AV", "BD" or "John", and that the IP addresses of the servers the malware connected to also overlapped. Following these links further turned up two attack documents targeting Ukraine in 2017, which means the attacker had an intention to attack Ukraine. However, although this points to Russia, there was no more conclusive evidence.

After in-depth analysis, Matonis found that the IP resolved by the domain name used by the organization was resolved to a domain name

Regarding that domain name, Matonis said that an FBI notice claimed the Russian GRU had used it in 2016 in attacks against the U.S. general election.

Based on this, he believed the truth about the cyber force behind the attack on the Olympic Games had been revealed.

While Matonis was carrying out his analysis, two unnamed intelligence officials from the US National Security Agency (NSA) and the Central Intelligence Agency (CIA) told the Washington Post that the Olympics attack was a cyber attack by Russia that attempted to frame North Korea. The attack was specifically attributed to the Russian military intelligence unit GRU, which planned the interference in the 2016 U.S. general election and the power outage attack on Ukraine, and launched the destructive NotPetya.

Matonis's analysis, combined with the disclosures from the United States, may give a more accurate profile of who was behind the attack on the Olympic Games.

The GRU, founded on October 21, 1918, is the largest and most secretive intelligence agency in the Russian Federation. Its full name is the General Intelligence Department of the General Staff of the Russian Federation Army.

On July 13, 2018, Robert Mueller filed an indictment against 12 GRU hackers for their involvement in election interference, alleging that they had hacked the DNC and the Clinton campaign.

In the 29-page indictment, Anatoly Sergeyevich Kovalev, a GRU hacker, was named as a member of GRU Unit 74455, which is based in a 20-story building in Khimki, a northern suburb of Moscow.

The indictment states that Unit 74455 provided back-end servers for the GRU's intrusions into the DNC and the Clinton campaign. More surprisingly, the indictment also said the group "assisted" in the operation to release the emails stolen in those intrusions. Unit 74455 even helped set up Guccifer 2.0, a fake Romanian hacker persona that claimed to have hacked the Democratic Party and provided the stolen emails to WikiLeaks, the charges said.

Attacks continue

Six months after the attack, the group was found to be still active, targeting Russian financial organizations and biological and chemical threat prevention laboratories in Europe and Ukraine. Kaspersky has now named the organization Hades.

In addition, new activity was exposed by Check Point on November 15, 2018.

In the follow-up attacks, most of the targets are related to Russian interests.

As with the Ukrainian blackout covered in the report previously prepared by the Qi'anxin Threat Intelligence Center, this retaliatory attack suspected of coming from Russia is again a destructive action, and each time such a destructive action is launched it is preceded by conflict between countries. Keeping track of international current affairs can therefore help predict attacks, so that early warning can be given in advance.

When conducting cyber attacks, the attackers are still thinking about how to make the target computers unavailable. Unlike the earlier attacks that tried to destroy the Ukrainian power plant directly, this time their approach was to delay system recovery so as to disrupt the Olympic Games. To that end, the cyber force creatively used worm propagation to move and spread laterally on its own, appending the credentials it acquired to the end of the new code and continuing to propagate.

In fact, they achieved their goal and successfully disrupted the normal running of the opening ceremony that night.

Judging from the recent cyber attack reports prepared by the Red Raindrop team, destructive action may become the main option for network actors locked in fierce confrontation. Both the Olympic Games attack analyzed here and the earlier WannaCry ransomware and sabotage attacks were initiated by one country trying to disrupt order in another.

Therefore, a plan B should be prepared for any major event or piece of infrastructure, including backup network facilities and a recovery plan for the backup facilities. In this era, disaster recovery is the top priority. South Korea's emergency measures for these Olympic Games were in fact fairly complete, but the key point is that the organizers had run on-site attack and defense exercises beforehand and were still breached, which shows that the exercises need to be strengthened further to keep stronger adversaries from finding gaps.

After all, attack and defense are not symmetrical, and you cannot predict when the attacker will arrive, so the only option is to build systematic defenses. The Qi'anxin Threat Intelligence Center will also work to promote the construction of such defense systems, and hopes that this case analysis makes a small contribution to the cause of network security.
