Olympic Destroyer: When Hackers Hit the Winter Olympics
During the opening ceremony of the Pyeongchang Winter Olympics on February 9th, a cyberattack took down the Olympics' official website, disrupted Wi-Fi in the stadium, and affected the broadcast. Attendees couldn't print tickets. The official app crashed. Press access was disrupted.
The malware, dubbed "Olympic Destroyer," was designed to cause maximum disruption. But the most interesting thing about it isn't what it did. It's how it tried to hide who did it.
What Happened
Olympic Destroyer was a wiper: malware built to destroy systems rather than to steal data or extort a ransom. It spread through the Olympic organization's network using stolen credentials and legitimate Windows tools (PsExec and WMI, the same tools NotPetya used). It destroyed boot records, deleted event logs, disabled Windows recovery tools, and killed services. The goal was to make systems unrecoverable.
The attack was timed precisely: it hit during the opening ceremony for maximum embarrassment and media coverage.
The False Flag Game
Here's where it gets interesting. When security researchers analyzed the malware, they found code fragments and techniques that pointed to multiple different nation-state hacking groups. Some indicators pointed to North Korea (the Lazarus Group). Others pointed to China. Others pointed to Russia.
The attackers had deliberately planted false attribution clues in the malware. They copied code snippets from known malware families, used metadata from different groups' tools, and created a trail designed to confuse investigators.
Attribution in cybersecurity is already difficult. When attackers actively plant false flags, it becomes nearly impossible to determine the true source based on technical evidence alone. Intelligence agencies eventually attributed the attack to Russia's GRU military intelligence, but that conclusion relied on sources beyond just the malware analysis.
What This Means for You
You're probably not going to be targeted by a nation-state. But Olympic Destroyer demonstrates several trends that apply to every organization:
Credential Theft Is the Primary Attack Vector
Olympic Destroyer spread using stolen usernames and passwords. Not zero-day exploits. Not sophisticated hacking tools. Stolen credentials. The same technique used in virtually every major attack we've covered. Two-factor authentication. Password managers. Stop reusing passwords. We keep saying it because it keeps being the answer.
Legitimate Tools Are Weaponized
PsExec, WMI, PowerShell. These are standard Windows administration tools. Attackers use them because they don't trigger antivirus alerts and they blend in with normal network activity. Modern security requires monitoring for suspicious use of legitimate tools, not just scanning for known malware.
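To make "monitoring for suspicious use of legitimate tools" concrete, here is an added example written for this article; it is not code from the original post or from any published Olympic Destroyer analysis. It runs simple detection rules over a constructed, flattened Sysmon-style process-creation log (hostnames, users, timestamps and the line format are all made up for the example). The rules look for the two behaviours the article describes: remote execution through PsExec or WMI, and the follow-on actions of clearing event logs and disabling Windows recovery. A host showing both is flagged as critical.

```python
"""Flag suspicious use of legitimate Windows admin tools in process-creation logs."""
import re
from collections import defaultdict

# Constructed sample events in a flattened Sysmon "process create" style.
# Hostnames, users, timestamps and paths are made up for this example.
SAMPLE_LOG = r"""
2018-02-09T20:01:12Z host=WS-101 user=CORP\jsmith parent=explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
2018-02-09T20:02:40Z host=WS-101 user=CORP\svc_backup parent=services.exe image=C:\Windows\PSEXESVC.exe cmdline="PSEXESVC.exe"
2018-02-09T20:02:41Z host=WS-101 user=CORP\svc_backup parent=PSEXESVC.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c wevtutil cl System"
2018-02-09T20:02:42Z host=WS-101 user=CORP\svc_backup parent=PSEXESVC.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"
2018-02-09T20:03:05Z host=WS-102 user=CORP\svc_backup parent=WmiPrvSE.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c bcdedit /set {default} recoveryenabled no"
2018-02-09T20:04:00Z host=WS-103 user=CORP\admin parent=WmiPrvSE.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c ipconfig /all"
2018-02-09T20:05:00Z host=WS-104 user=CORP\admin parent=cmd.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)


def parse_events(log_text):
    """Turn the flattened log into a list of dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def basename(path):
    """Lower-cased file name of a Windows path (handles bare names too)."""
    return path.rsplit("\\", 1)[-1].lower()


# Lateral-movement indicators: the admin tools the article names, used in a way
# that is unusual on an ordinary workstation.
LATERAL_RULES = {
    # PsExec installs a temporary service on the target; its binary is a reliable fingerprint.
    "psexec_service": lambda e: basename(e["image"]) == "psexesvc.exe",
    # Remote WMI execution shows up as the WMI provider host spawning a shell.
    "wmi_remote_shell": lambda e: basename(e["parent"]) == "wmiprvse.exe"
        and basename(e["image"]) in {"cmd.exe", "powershell.exe"},
}

# Destructive indicators: the post-compromise actions the article attributes to
# Olympic Destroyer (deleting event logs, disabling Windows recovery).
DESTRUCTIVE_RULES = {
    "eventlog_cleared": lambda e: re.search(r"\bwevtutil(\.exe)?\s+cl\b", e["cmdline"], re.I),
    "shadow_copies_deleted": lambda e: re.search(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", e["cmdline"], re.I),
    "recovery_disabled": lambda e: re.search(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", e["cmdline"], re.I),
}


def analyze(log_text):
    """Return {host: {"indicators": [...], "verdict": ...}} for every host in the log."""
    hits = defaultdict(set)
    hosts = set()
    for e in parse_events(log_text):
        hosts.add(e["host"])
        for name, rule in {**LATERAL_RULES, **DESTRUCTIVE_RULES}.items():
            if rule(e):
                hits[e["host"]].add(name)
    report = {}
    for host in sorted(hosts):
        found = hits[host]
        lateral = bool(found & set(LATERAL_RULES))
        destructive = bool(found & set(DESTRUCTIVE_RULES))
        if lateral and destructive:
            verdict = "critical"    # remote execution followed by wiper-like actions
        elif lateral or destructive:
            verdict = "suspicious"  # needs a baseline check: WMI-launched shells can be legitimate
        else:
            verdict = "clean"
        report[host] = {"indicators": sorted(found), "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, r in analyze(SAMPLE_LOG).items():
        print(f"{host}: {r['verdict']:<10} {', '.join(r['indicators']) or '-'}")
```

The point of the two-tier verdict is the one the paragraph makes: a single WMI-spawned shell (WS-103) is not proof of anything, because administrators use these tools every day, so it only earns "suspicious" and should be compared against what is normal for that host and account. The same tool followed by log clearing or shadow-copy deletion on the same host (WS-101, WS-102) is the combination that deserves an immediate response. Real deployments would feed this from a SIEM or EDR rather than a text file and would tune the rules against their own baseline.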
Wipers Are Increasing
NotPetya was a wiper. Olympic Destroyer was a wiper. The trend toward destructive attacks (rather than ransom-driven ones) is growing. Against a wiper, your backup is your only recovery option. There's no ransom to pay, no decryption key to obtain. Your data is gone unless you have a clean backup.
Event-Timed Attacks
The attack was timed for the opening ceremony. Attackers targeting businesses often time their attacks for maximum impact: the night before a major deadline, the start of tax season, the busiest day of the week. Plan your security accordingly.
The Olympics are supposed to bring the world together. Apparently, that includes the world of cybercrime.