Analysis suggests North Korea not behind Olympic Destroyer malware attack
A close analysis of the code that took down part of the 2018 Winter Olympics infrastructure appears to show a cunning plan to make it look as though the culprit was North Korea.
On the first day of the games in PyeongChang, the main website crashed, Wi-Fi networks around the events became unusable and data was wiped from servers by malware later dubbed Olympic Destroyer. Security firms had warned of an attack before the event, after a phishing campaign was spotted, and the attack was beaten off rather quickly.
In the weeks that followed, several analyses suggested that the attack was the work of the North Korean state-sponsored hacking team known as the Lazarus Group. However, an analysis by Kaspersky Lab engineers suggests that Lazarus didn’t write the code, despite appearances to the contrary.
Vitaly Kamluk, head of the APAC research team at Kaspersky Lab, told the company’s Security Analysts Summit that the misattribution was understandable. The data-wiping part of Olympic Destroyer looks, at first glance, exactly the same as the Lazarus Group wiper used in the Bluenoroff malware responsible for the $81m cyber-heist against the Central Bank of Bangladesh last year – even down to the header.
“We can say with 100 per cent confidence that the attribution to Lazarus is false,” he said.
But the wiper function’s rich header, which contains some metadata, includes hints about the development environment the code was written in. The Lazarus Group malware is a C++ application, but the Olympic Destroyer code showed it was developed using Visual Studio 10 and had been made to look as though the code was the same as Bluenoroff’s.
“The only reasonable conclusion that can be made is that the rich header in the wiper was deliberately copied from the Bluenoroff samples; it is a fake and has no connection with the contents of the binary,” the technical report states.
“It is not possible to completely understand the motives of this action, but we know for sure that the creators of Olympic Destroyer intentionally modified their product to resemble the Bluenoroff samples produced by the Lazarus group.”
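The kind of consistency check described above, as an added Python example that is not Kaspersky's code or tooling: it parses the Rich header, recomputes the header's checksum against the DOS stub it is supposed to cover, and compares the linker the header claims with the linker version recorded in the PE optional header. The comp.id product ids are taken from the public comp.id tables and the sample binaries are constructed in code, so both are assumptions rather than values from the article.

```python
import struct

DANS = struct.unpack("<I", b"DanS")[0]
# Linker comp.id product ids from the public comp.id tables (assumed here):
# 0x0004 = VS6 linker (Linker600), 0x009d = VS2010 linker (Linker1000)
LINKER_PRODIDS = {0x0004: (6, 0), 0x009D: (10, 0)}

def rol32(v, n):
    return ((v << (n % 32)) | (v >> (32 - n % 32))) & 0xFFFFFFFF

def rich_checksum(pe, start, pairs):
    # DanS offset + DOS-header bytes rotated by offset (e_lfanew counts as zero)
    # + each comp.id rotated by its use count; this value is also the XOR key
    csum = start + sum(rol32(pe[i], i) for i in range(start) if not 0x3C <= i < 0x40)
    return (csum + sum(rol32(c, n) for c, n in pairs)) & 0xFFFFFFFF

def rich_header(pe):
    # -> ([(prodid, build, count), ...], checksum_ok); ValueError when absent
    end = pe.find(b"Rich", 0x40)
    key = struct.unpack_from("<I", pe, end + 4)[0]
    start = pe.rfind(struct.pack("<I", DANS ^ key), 0x40, end)
    if end < 0 or start < 0:
        raise ValueError("no Rich header")
    pairs = [tuple(x ^ key for x in struct.unpack_from("<II", pe, o))
             for o in range(start + 16, end, 8)]
    return [(c >> 16, c & 0xFFFF, n) for c, n in pairs], rich_checksum(pe, start, pairs) == key

def rich_findings(pe):
    # inconsistencies between the Rich header and the rest of the binary
    entries, ok = rich_header(pe)
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24   # past "PE\0\0" and the COFF header
    actual = (pe[opt + 2], pe[opt + 3])                 # Major/MinorLinkerVersion
    findings = [] if ok else ["Rich checksum does not match DOS stub and entries"]
    for prodid, _build, _count in entries:
        claimed = LINKER_PRODIDS.get(prodid)
        if claimed and claimed != actual:
            findings.append("Rich header claims linker %d.%d, PE header says %d.%d" % (claimed + actual))
    return findings

def build_sample(rich_entries, linker):
    # constructed minimal PE (not executable): DOS hdr, valid Rich hdr, PE sig, zeroed COFF, optional hdr
    dos = bytearray(0x80); dos[:2] = b"MZ"
    pairs = [((p << 16) | b, n) for p, b, n in rich_entries]
    key = rich_checksum(dos, 0x80, pairs)
    body = struct.pack("<4I", DANS ^ key, key, key, key)
    body += b"".join(struct.pack("<II", c ^ key, n ^ key) for c, n in pairs)
    body += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", dos, 0x3C, 0x80 + len(body))
    opt = bytearray(224); opt[:2] = struct.pack("<H", 0x10B); opt[2], opt[3] = linker
    return bytes(dos) + body + b"PE\0\0" + bytes(20) + bytes(opt)
```

A Rich header that was copied from another build keeps its internal checksum, so the linker comparison is the test that catches it; the checksum only catches a header grafted onto a binary with a different DOS stub.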
So who did write the code? Kamluk said he didn’t know for sure, but that some of the methods of propagation and the VPNs used in the attack could link it to the Russian state-sponsored APT28 group.
Costin Raiu, Kaspersky’s director of global research and analysis, warned the conference that attribution is going to get tricky in the next couple of years. Security firms are building code databases that could automate the attribution of malware samples, but at the same time coders are getting smarter and we could see similar false-flag operations in the future.
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/08/analysis_suggests_norks_not_behind_olympic_destroyer_malware_attack/