Hackers uncovered: how they hacked the Olympics

Oliver Pinson-Roxburgh
CEO & Co-founder


Bulletproof Co-founder & CEO, Oliver Pinson-Roxburgh, talks us through how hackers hide, the perceived threat from nation states, and what that means for your business.

A South Korean story

Setting the scene for how hackers hide, my story starts in 2018 at the Winter Olympics in South Korea. Though 2018 feels like a while ago, the lessons from it are just as relevant today, and the story I’m going to tell is no less interesting.

There’s a serious amount of IT infrastructure in place at an event like the Olympics. With over 150 site staff coming and going, 24/7 gate and entry systems, a phone app, a ticketing system for patrons, and multiple data centres to maintain, security at the event is a complex process.

On the evening of the opening ceremony, the head of IT is sitting comfortably in the crowd. His team has done a lot of preparation to get everything operating correctly and he’s looking forward to enjoying the event. At 7.59pm, with less than one minute to go, his phone starts blowing up, and as he looks through the messages he sees that their domain controllers are being taken offline.

He thinks it’s likely a general issue, so he heads out to where his teams are to help figure out what the problem is, and he’s greeted by a massive disruption: domain controllers are being wiped in their environment by a worm, a piece of malware that is deliberately sabotaging the games.

Olympic-level worm

Everything starts crashing. The domain controllers that are used to authenticate everything on the network are being wiped right in front of them, the ticketing systems start malfunctioning, 10,000 PCs, 20,000 mobile devices, 6,000 Wi-Fi routers and 300 servers across multiple data centres go down in an instant. They’d been preparing and planning for the event for years. The IT team had met up over 20 times to do drills and think through multiple security challenges, yet they’d been hit by an attack.


The team worked through the night rebuilding the domain controllers, which they had to do several times because they kept getting wiped again by the malware (more on that later). In the end they took drastic action and turned off their network. They managed to contain the worm so it couldn’t propagate further, and they were finally able to bring their domain control back online by 8am the next morning.

How smart is an Olympic hacker?

The team showed resilience and ingenuity under serious pressure, but they still needed to find out what led to the attack. Analysts and researchers would first try to identify where it came from by analysing the malware itself, pulling the code apart to look for snippets that could be attributed to an individual attacker or nation state based on previous attack data. They found code snippets that suggested links to Russia, North Korea or China, but they also found lots of off-the-shelf components.

The popular perception is that hackers are ‘getting smarter’ by always finding new and interesting ways to attack systems and overcome obstacles, and it’s true that being a hacker involves continuously learning how to beat security controls and exploit vulnerabilities. But as the Olympic Destroyer reveals, it’s not always the most sophisticated technologies that are used in hacking, and you don’t need to be the smartest hacker to carry out attacks.


In cyber security, for example, I see the same old attacks being carried out year after year. This suggests that hackers don’t need to evolve their knowledge if we constantly fall foul of the same ‘low hanging fruit’ by not getting the basics right. Those obvious, easy quick wins are what attackers scour the internet for, finding targets to exploit.

Of course, attackers are always willing to find new things and it’s always a bit of an arms race, but if they can reuse existing tooling because we're not putting the obvious, simple controls in place, then we're leaving the door open for pretty much any amateur with basic coding knowledge to exploit.

Top Tip: Security from the start

When we as businesses follow general best practices around security, like turning on MFA and resetting default passwords, we give ourselves a better chance of fending off the hackers. It’s easy for businesses to ignore security if they haven’t done it from the beginning, as it’s an evolution that continually improves over time. It’s also difficult to scale fast and do things quickly if you introduce security into an environment that has already been established, so it’s a worthwhile endeavour to get security right from the very beginning.

Put simply, get security involved from the beginning and it’ll be easy for it to grow and scale with your business. It’s never too late to plant a tree. And don’t think about security as something that has to be done. It’s not a bolt on; it’s an integral part of your business operations.

How are hackers evolving?

One of the ways in which hackers are getting smarter is by making it harder to detect them in the first place. They are testing organisations to see if their detection and response systems try to boot them out of an environment during the early stages of an attack. If they don’t, then they know that it’s a target worth exploring. This is why early detection and response protects a business at the earliest stages of an attack, making them a less likely target. Hackers are also looking for ways to monetise their attacks and obviously still finding new vulnerabilities, but the most interesting thing for me as a security expert is the new approach to attribution linking back to the Olympic Games attack, which at the time was difficult to attribute to any one attacker or hacking group.

Where hackers have previously always used their own custom tools and written their own software, we're not seeing hackers using their custom code anymore because it gives a fingerprint of that attacker, and the attack can be attributed back to the individual.


Instead, they’ve started to use off-the-shelf open-source tools that anybody can access, which makes it very difficult to attribute an attack to an individual or group.

To make attribution even harder, hackers can do things like geolocation spoofing, use anonymous proxies, and bounce off lots of different servers to mask the attack origin. Anyone can legitimately buy access to many different servers, so hackers can rent servers hosted in a country that doesn’t really control who can rent them. Other businesses are also an interesting attack vector: hackers can target businesses with weak security, compromise them, and use the compromised company as a proxy for their attacks. This makes it more difficult to link an attack back to the real perpetrators.

What does this ambiguity mean for your business?

A key part of your security strategy in response to unclear attribution is making use of a managed SIEM to know what normal looks like for you. Even without knowing where an attack is coming from, one of the key things that organisations can do is monitor their environments to get a sound understanding of what their profile looks like. From this you can recognise unexpected actions and requests to systems and servers.

You should also be looking to block traffic from IP addresses that are known to be hostile, which isn’t as straightforward as it should be when so many seemingly legitimate addresses are being compromised. In our cyber security report we found that the honeypots we set up were attacked by 9,000 different IP addresses, but only 1.7% of those were known to be malicious. This raises the question: if everything and anything on the internet can become a target, then what intel can you really trust? This again points to the importance of log monitoring and MDR in business security.


Is everyone at risk?

While it’s unlikely that most businesses would be attacked by nation states, who tend to go after specific targets, that doesn’t mean that smaller organisations won’t be attacked. Hacking tools get leaked and proliferate down the food chain. So, hacks that were once nation-state end up in the hands of entry-level cyber criminals. The more immediate threat to most businesses though, is opportunistic hackers who are more about making money, focusing on easy wins, and scouring the internet looking for vulnerable systems where they can rinse and repeat the same attack.

Top Tip: Secure your credentials

Our knowledge of how hackers scan the internet for weaknesses, and the risk this poses to businesses online, is another reason why basic security measures such as changing default credentials are so significant. This too is backed up by our study, which revealed that just three username and password combos accounted for 85% of attacks against our honeypot servers; the reason being that they tend to work! Opportunists are using default credentials to successfully exploit systems on the internet and continue to use them because those systems haven’t been secured.

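The two defensive points above, knowing what normal looks like in your own logs and checking how much of the attacking traffic a threat-intel list actually covers, come together in the following added example. It is not code from the article or from Bulletproof's report: the log lines, the "known hostile" list and the baseline are all constructed, and the measurements it makes (share of attempts from the top credential combos, share of sources on an intel list, sources not seen in the baseline) mirror the statistics the text quotes.

```python
"""Baseline-and-detect over constructed honeypot-style authentication logs."""
import re
from collections import Counter

# Constructed sample log lines (RFC 5737 test addresses), not real honeypot data.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.5 user=admin pass=admin result=fail
2024-05-01T10:00:02 src=203.0.113.5 user=root pass=123456 result=fail
2024-05-01T10:00:03 src=198.51.100.7 user=admin pass=admin result=fail
2024-05-01T10:00:04 src=198.51.100.7 user=root pass=root result=fail
2024-05-01T10:00:05 src=192.0.2.9 user=pi pass=raspberry result=fail
2024-05-01T10:00:06 src=192.0.2.9 user=admin pass=admin result=fail
2024-05-01T10:00:07 src=203.0.113.77 user=root pass=123456 result=fail
2024-05-01T10:00:08 src=203.0.113.77 user=admin pass=password result=fail
2024-05-01T10:00:09 src=198.51.100.7 user=root pass=root result=fail
2024-05-01T10:00:10 src=192.0.2.9 user=root pass=123456 result=fail
"""

# Constructed stand-in for a threat-intelligence "known hostile" feed.
KNOWN_HOSTILE = {"203.0.113.5"}

LINE_RE = re.compile(r"src=(\S+) user=(\S+) pass=(\S+)")


def parse(log):
    """Return (src, user, password) tuples for every line that matches."""
    matches = (LINE_RE.search(line) for line in log.splitlines())
    return [m.groups() for m in matches if m]


def top_credential_share(events, n=3):
    """The n most common user/password combos and their share of all attempts."""
    combos = Counter((user, pw) for _, user, pw in events)
    top = combos.most_common(n)
    return top, sum(count for _, count in top) / len(events)


def known_hostile_share(events, hostile):
    """Fraction of distinct attacking sources that an intel list would have caught."""
    sources = {src for src, _, _ in events}
    return len(sources & hostile) / len(sources)


def unexpected_sources(events, baseline):
    """Sources absent from the baseline of 'normal': what monitoring lets you flag."""
    return sorted({src for src, _, _ in events} - baseline)
```

On the constructed sample, three combos account for 80% of attempts and only a quarter of the attacking sources appear on the intel list, which is the same shape as the article's 85% and 1.7% findings.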

Even nation state hackers keep it simple

Targeted attacks by nation states are no different to an attack on a smaller business in that hackers will still use common techniques if they can get away with it. Returning to the story, the Olympic Games hack used a phishing attack to deliver the malware, which is a tried and tested approach that, according to our data, is still on the rise.

The use of simple techniques, off-the-shelf tools and open-source technologies in hacking shouldn’t really surprise us when we consider that they continue to work. By using off-the-shelf malware, hackers get to test the security of an organisation while remaining anonymous. If they get detected, they can move on to another target with their anonymity intact; if they don’t, they can not only carry out the attack but are also harder to identify, because the malware being used cannot be attributed.

How can we stop the hacking?

The best approach is of course to start by getting the basics right, following best practices to solve general security problems and ensure that you are protected. Beyond the basics, take a risk-based approach to make sure your security investment is actually mapped to threats.

If you can invest in security, then finding a trusted security partner who can really understand your business requirements and become an extension of your team will also greatly bolster your position.

As for what the basics are? I consider regular penetration testing and vulnerability scanning to be the most elemental, as they provide an ongoing understanding of what your security posture and attack surface look like. Alongside this is proactive log monitoring with a SIEM, as I mentioned earlier, to gather intelligence data and build a picture of your infrastructure. Again, if you don’t have the expertise within your business to understand threat intel, then investing in a cyber security partner can help you know what you should be doing with threat data and ensure that the intelligence you are collecting is relevant to your environment.

Being proactive about security will also really help you to spot the early signs of an attack to make sure that you can deal with threats as early as possible, whether you have a security team of 1 or 150 as seen at the Olympic Games.

So, who was the Olympic Destroyer?

Despite extensive investigation analysing every piece of code, the IT team could never fully attribute the attack to any one nation state purely based on the malware. One smart researcher went back to look not just at the malware but also at the delivery mechanism and found that it used a technique that had previously been attributed to Russia in a similarly styled attack.

This previous attack used phishing emails carrying a Word document with heavily obfuscated macros built using an off-the-shelf commercial tool, which were very difficult for anti-malware to detect. When analysing the method of delivery for the previous attack, the analyst found a specific domain name that matched a domain linked directly to the US election attack of 2016, which has been widely attributed to Russian interference. Interestingly, that exact domain name was also linked to the attack on the 2018 Winter Olympics, and the US government has since openly stated that it believes Russia sabotaged the Olympic Games. So, whether or not you believe that statement, the matching domain name is a telling piece of evidence which the hackers forgot to hide after all.


Meet the author

Oliver Pinson-Roxburgh CEO & Co-founder

Information security wizard, evangelist, and guru – not to mention co-founder of Bulletproof. Oli’s always sharing deeply interesting and insightful things on this blog and on his LinkedIn. With many years’ of experience in understanding information security and innovation, Oli’s blogs are always a highlight.
