A postmortem of the Olympic Destroyer malware used in the attack on the PyeongChang Winter Olympics reveals a deliberate attempt by the adversaries to plant false flags for anyone attempting attribution, according to researchers. In the days after the crippling attack on the backend networks tied to the Games, a chorus of security experts attributed it to actors ranging from Russia, Iran and China to groups such as Lazarus, the nation-state backed gang linked to North Korea. Security experts now believe that the skilled and still unidentified threat actor behind the malware intended to sow confusion among those trying to assign attribution. “Perhaps no other sophisticated malware has had so many attribution hypotheses put forward as the Olympic Destroyer,” said Vitaly Kamluk, a researcher who co-authored a report released on the attacks. “Given how politicized cyberspace has recently become, the wrong attribution could lead to severe consequences and actors may start trying to manipulate the opinion of the security community in order to influence the geopolitical agenda.”
In the days following the attack a steady stream of theories emerged that were later debunked or ruled inconclusive. “How the industry responded was a disaster,” Kamluk said. “There was too much finger pointing with no certainty.” Beyond the Lazarus false flag, researchers said the Russian-speaking cyber espionage group Sofacy (also known as Fancy Bear and APT28) was also imprecisely implicated in the attack. Other bits of malware code were linked to the Chinese-affiliated cyber espionage groups APT3 (Gothic Panda), APT10 (MenuPass Group) and APT12 (IXESHE).
This is one more example of how unreliable early attribution is. Kamluk's point that time is a powerful tool for attributing an incident is true; in most cases, however, we cannot wait indefinitely before making decisions.
Cryptocurrency Firms Targeted in SEC Probe
The Securities and Exchange Commission sent subpoenas in recent weeks to dozens of tech companies and individuals who are involved in cryptocurrency, The Wall Street Journal reported Wednesday evening, citing anonymous sources. The targets of the subpoenas include companies that have launched initial coin offerings (ICOs), the cryptocurrency equivalent of IPOs, as well as their lawyers and advisers. The subpoenas reportedly include requests for information on how ICO sales and pre-sales are structured, the anonymous sources told WSJ. The SEC is also requesting the identities of the investors who bought digital tokens, The New York Times found. The SEC declined to comment.
NSA Retreats From Targeted PCs If They’re Already Infected by Other APT Malware
Hacking tools leaked last year and believed to belong to the US National Security Agency (NSA) contain a utility for detecting the presence of malware developed by other cyberespionage groups. This utility, going by the codename Territorial Dispute, is meant to alert NSA operators to the presence of other cyberespionage groups on a compromised computer, allowing the operator to retreat from the infected machine and avoid exposing NSA hacking tools and operations to other nation-state attackers.
Rest of the Week's News
Facebook Automatically Upgrading Links to HTTPS to Boost Security
Facebook announced on March 5 that it is turning on a new capability that automatically directs users to the HTTPS version of a link target when the destination site is known to support it. The feature builds on HTTP Strict Transport Security (HSTS) preloading: the list of domains that have committed to HTTPS-only service, which browsers ship built in, is now being applied to links across facebook.com and Instagram. A link that a user posted as an unencrypted HTTP URL to a preloaded site is rewritten to HTTPS before the user is sent there, which closes the first-visit window that a browser's own HSTS policy leaves open until it has seen the site's header at least once.
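To make the mechanism concrete, here is an added example (not Facebook's code, and not from the original article) of the two halves of such a link upgrader: parsing a Strict-Transport-Security header and checking it against the preload list's submission rules (max-age of at least one year, includeSubDomains, and the preload directive), and rewriting http:// links whose host, or a covering parent domain, is in a preload table. The preload table and the header values are constructed sample data; the learn_from_header helper models extending the table from headers a crawler has observed, which is an assumption about how such a system could be fed, not something the article states.

```python
"""HSTS-driven link upgrading: header parsing, preload eligibility, rewrite."""
from urllib.parse import urlsplit, urlunsplit

# Minimum max-age the HSTS preload list requires for submission (one year).
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample preload table: domain -> includeSubDomains flag.
# These entries are illustrative, not the real preload list.
PRELOAD_TABLE = {
    "example.com": True,   # covers every subdomain too
    "example.org": False,  # exact host only
}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).

    max_age is None when the directive is missing or not a number.
    """
    max_age, include_subdomains, preload = None, False, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload


def preload_eligible(header):
    """True if the header meets the preload list's rules: 1-year max-age,
    includeSubDomains and the preload directive all present."""
    max_age, inc, pre = parse_hsts(header)
    return max_age is not None and max_age >= PRELOAD_MIN_MAX_AGE and inc and pre


def learn_from_header(host, header, table):
    """Record a host in the table when its observed header is preload-eligible.
    Hypothetical crawler hook; returns True if an entry was added."""
    if not preload_eligible(header):
        return False
    table[host.lower()] = parse_hsts(header)[1]
    return True


def host_is_preloaded(host, table=PRELOAD_TABLE):
    """Exact match, or a parent domain whose entry has includeSubDomains set."""
    host = host.lower().rstrip(".")
    if host in table:
        return True
    labels = host.split(".")
    for i in range(1, len(labels) - 1):          # stop before the public suffix
        if table.get(".".join(labels[i:])):       # True only with includeSubDomains
            return True
    return False


def upgrade_link(url, table=PRELOAD_TABLE):
    """Rewrite an http:// URL to https:// when its host is preloaded.

    Follows RFC 6797 section 8.3: port 80 becomes the default 443, any other
    explicit port is kept. Non-http schemes and unknown hosts are unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not host_is_preloaded(parts.hostname, table):
        return url
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    table = dict(PRELOAD_TABLE)
    # Constructed header as a crawler might observe it from a third site.
    learn_from_header("news.example", "max-age=63072000; includeSubDomains; preload", table)
    for link in ("http://www.example.com/a?b=1", "http://www.example.org/",
                 "http://example.com:8080/", "http://news.example/x"):
        print(link, "->", upgrade_link(link, table))
```

The subdomain walk deliberately stops one label short of the end so that a bare top-level entry can never upgrade every host under it; a production version would consult the public suffix list rather than assume a single-label suffix.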
Microsoft Fights Massive Cryptocoin Miner Malware Outbreak
Microsoft said it blocked a rapidly spreading malware outbreak on March 6 that could have infected nearly 500,000 Windows PCs within hours. The trojan, known as Dofoil or Smoke Loader, is a downloader designed to deliver a range of payloads; in this case it dropped a cryptocurrency miner on infected PCs to mine Electroneum coins on victims' CPUs for the operators behind it.
Chinese APT Group TEMP.Periscope Targets US Engineering and Maritime Industries
Past attacks conducted by the group targeted research institutes, academic organizations and private firms in the United States. FireEye researchers reported that the tactics, techniques and procedures (TTPs) and the targets of TEMP.Periscope overlap with those of both the TEMP.Jumper and NanHaiShu APT groups.