
Russian group 'more likely' behind Seoul Games attack


A cyber attack during the opening ceremony of last month's Winter Olympics appears to have been carried out using sophisticated malware that has the hallmarks of a Russian-speaking group, Sofacy.

The announcement was made on the opening day of the annual Kaspersky Security Analyst Summit which is being held in Cancun, Mexico.

Kaspersky Lab researchers said the malware, named Olympic Destroyer by researchers from Cisco's Talos Group as iTWire reported, had been attributed by different security firms, including Kaspersky, to an outfit named Lazarus, which has been claimed to have connections with North Korea.

But after looking longer at the way the malware was coded, the Kaspersky researchers concluded that the tactics, techniques and procedures (TTPs) which had led to this preliminary conclusion were a false flag designed to mislead security researchers.

Kaspersky found that the attackers used the privacy-protecting service NordVPN and a hosting provider called MonoVM, both of which accept bitcoins. These and some other discovered TTPs had previously been seen in use by Sofacy.

Vitaly Kamluk speaking at the Kaspersky Security Analyst Summit in Cancun on Thursday.

“To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it," said Vitaly Kamluk, head of the APAC Research Team at Kaspersky Lab.

"They counted on the fact that forgery of this artefact is very hard to prove. It’s as if a criminal had stolen someone else’s DNA and left it at a crime scene instead of their own.

"We discovered and proved that the DNA found on the crime scene was dropped there on purpose."

Kamluk said this demonstrated how much effort attackers were prepared to make in order to stay unidentified for as long as possible.

"We’ve always said that attribution in cyber space is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this.

“Another takeaway from this story for us is that attribution has to be taken extremely seriously. Given how politicised cyber space has recently become, the wrong attribution could lead to severe consequences and actors may start trying to manipulate the opinion of the security community in order to influence the geopolitical agenda.”

The writer is attending the Kaspersky Security Analyst Summit as a guest of the company.

Photo: courtesy Kaspersky Lab

