The IT company supporting the Winter Olympics apparently never had a chance. According to CyberScoop, it was hacked well before the Pyeongchang games ever began.
Destructive wiper malware dubbed “Olympic Destroyer” is reportedly behind a series of security breaches disrupting the Games, including local wi-fi downtime and the crash of the Winter Olympics website, which hindered ticket sales during the opening ceremony. Russia, China, and North Korea have all been fingered publicly as culprits by a variety of sources—though, as in virtually every cyberattack, attribution remains nearly impossible to lock down.
According to CyberScoop, experts have determined that Olympic Destroyer—first identified by Cisco’s Talos unit—was likely deployed on 9th February by an actor who had previously infiltrated Atos, the IT provider hosting the Olympics’ cloud infrastructure.
CyberScoop reports that evidence linking Destroyer to a previous cyberattack at Atos was unearthed via VirtusTotal, a popular site run by Google’s Alphabet that analyses suspicious files using myriad antimalware scanners. A sample of Destroyer was found to contain Atos employee credentials, suggesting the actor who deployed it had also penetrated an Atos network months prior.
The evidence was recently posted to the VirusTotal repository, but information associated with the malware samples carries indications that the hackers were inside Atos systems since at least December. Some of the earliest samples were uploaded by unnamed VirusTotal users geographically located in France, where Atos is headquartered, and Romania, where some members of Atos’ security team work.
Atos told the news site that it is, in fact, investigating a potential breach with the help of McAfee’s Advanced Threat Research team.
“Following technical incidents during the Olympic Games Pyeongchang 2018 opening ceremony, a thorough investigation is being conducted,” a spokesperson said, adding: “The credentials embedded in the malware do not indicate the origin of the attack.”
Atos, which said authorities are involved at this stage, noted that no Olympics competition has been affected by the attacks thus far. [CyberScoop]