
Olympic Destroyer

Posted: May 29, 2019

The Olympic Destroyer malware first gained attention in February 2018, when it was used against the computer network of the organizers and partners of the 2018 Winter Olympic Games in South Korea. Security researchers suspect a politically motivated attack intended to disrupt the event with a destructive network worm that wipes important files and harvests saved login credentials. A closer look at the Olympic Destroyer sample showed that the attackers likely had inside knowledge of the Olympic Games network: details of that network, such as its addresses, domain settings and account credentials, were hardcoded in the binary.

However, this was not the last time the Olympic Destroyer malware was seen: it was later used against biological and chemical laboratories in Europe and Ukraine, and another campaign targeted financial institutions in Russia. All known samples of the Olympic Destroyer work the same way, and their sole purpose appears to be to cause irreversible damage to the victim's data and to disrupt the network it runs on.

The initial infection vector used in the attack against the Olympic committee is unknown, but the later campaigns are likely to have started with spear-phishing emails carrying a macro-laced document. Once running on a host, the Olympic Destroyer performs a series of actions meant to disable data recovery options, delete potentially important data, and disrupt the system's overall functionality.

The first thing the malware does on an infected host is to harvest hostnames and login credentials it can use to reach other computers in the same network. This worm-like behavior is what lets the Olympic Destroyer do so much damage on networks without sufficient security measures, since it moves with legitimate, harvested credentials rather than with an exploit. The malware does not wipe out local files, but it does delete the files on every network share the host can reach, and in a company or organization that is exactly where the important data tends to live.

The Olympic Destroyer malware uses the Windows Command Prompt to run the built-in 'vssadmin' utility and delete all Volume Shadow Copies ('vssadmin delete shadows /all /quiet'). It then runs 'wbadmin' (the Windows Backup command-line tool) to delete the backup catalog ('wbadmin delete catalog -quiet'), so Windows Backup can no longer find existing backups. Last but not least, it uses 'bcdedit' to disable Windows automatic recovery ('bcdedit /set {default} recoveryenabled no' and 'bcdedit /set {default} bootstatuspolicy ignoreallfailures'), since that recovery path could otherwise restore at least a fraction of the system's functionality. Once all recovery options have been taken care of, the malware clears the Windows System and Security event logs with 'wevtutil cl', which makes its activity a bit harder to detect and reconstruct afterwards.
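The command chain above is a good detection opportunity, because each of those utilities is a legitimate Windows tool that admins also run, but the combination of several recovery-inhibition techniques on one host within a few seconds is rarely benign. The following is an added example written for this page, not code from the original article or from any published Olympic Destroyer analysis tooling. It assumes process-creation events already parsed into dicts with the keys 'ts' (ISO 8601), 'host' and 'cmdline', as one could produce from Sysmon Event ID 1 or Security Event ID 4688 records; the rule names, the function names 'match_event' and 'flag_hosts', and the sample events are all constructed for the example.

```python
"""Flag hosts on which a chain of recovery-inhibition commands runs in a
short window (added example; event shape and sample data are assumptions,
not from the original page).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One rule per recovery-inhibition technique. Patterns are case-insensitive
# because cmd.exe is, and tolerate an explicit ".exe" and extra switches.
RECOVERY_INHIBIT_RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|"
        r"bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wevtutil_clear_log": re.compile(
        r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\s+\S+", re.I),
}

# Constructed sample feed (not real telemetry): one host running the full
# chain, one host doing a routine scheduled shadow-copy cleanup, and one
# host that only lists shadow copies.
SAMPLE_EVENTS = [
    {"ts": "2018-02-09T20:00:05", "host": "ws01",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2018-02-09T20:00:06", "host": "ws01",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2018-02-09T20:00:07", "host": "ws01",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2018-02-09T20:00:07", "host": "ws01",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2018-02-09T20:00:08", "host": "ws01",
     "cmdline": "wevtutil.exe cl System"},
    {"ts": "2018-02-09T20:00:09", "host": "ws01",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2018-02-09T02:00:00", "host": "backup01",
     "cmdline": "vssadmin.exe delete shadows /for=D: /oldest /quiet"},
    {"ts": "2018-02-09T09:15:00", "host": "ws02",
     "cmdline": "vssadmin.exe list shadows"},
]


def match_event(event):
    """Return the names of all rules whose pattern hits this command line."""
    cmdline = event["cmdline"]
    return [name for name, pat in RECOVERY_INHIBIT_RULES.items()
            if pat.search(cmdline)]


def flag_hosts(events, window=timedelta(minutes=10), min_techniques=2):
    """Map host -> sorted technique names for every host on which at least
    `min_techniques` distinct techniques fire within `window`.

    A lone shadow-copy deletion is routine backup hygiene on many hosts;
    the chain of several techniques on one host is what stands out.
    """
    hits = defaultdict(list)  # host -> [(timestamp, technique)]
    for ev in events:
        for technique in match_event(ev):
            hits[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), technique))

    flagged = {}
    for host, entries in hits.items():
        entries.sort()
        # Slide a window starting at each hit; the first window that gathers
        # enough distinct techniques flags the host.
        for i, (start, _) in enumerate(entries):
            techniques = {t for ts, t in entries[i:] if ts - start <= window}
            if len(techniques) >= min_techniques:
                flagged[host] = sorted(techniques)
                break
    return flagged


if __name__ == "__main__":
    for host, techniques in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techniques)}")
```

Run against the sample feed, only 'ws01' is flagged; 'backup01' trips the shadow-copy rule once but never reaches the two-technique threshold, which is the point of counting distinct techniques per host rather than alerting on each command.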

The Olympic Destroyer is by no means a state-of-the-art cyber threat, but it combines a range of classic and contemporary malware features that have enabled it to cause long-lasting damage to high-profile computer networks worldwide. A reputable anti-malware suite should identify the Olympic Destroyer's actions and stop them before they cause damage; because the worm spreads with harvested, legitimate credentials and abuses built-in Windows utilities, monitoring for the recovery-inhibition command chain described above and limiting reuse of administrative credentials across hosts matter just as much.
