The cyber attack that disrupted some networks and servers at the opening of the Winter Olympics in PyeongChang left a number of conflicting forensic clues about its source. The attack used a mix of techniques, tools, and practices that combined the fingerprints of threat groups connected to North Korea, China, and Russia.
But according to a report by Ellen Nakashima of the Washington Post, US intelligence officials have determined with some confidence that the attack was in fact a “false flag” operation staged by individuals working on behalf of a Russian intelligence agency—an attack that went as far as to route traffic through IP addresses associated with North Korea to mask the attack’s origin.
In the wake of the February 9 attack, which affected Web servers and network routers connected to the Winter Games organizing committee—including the press center’s network, public Wi-Fi networks, and Web servers associated with ticket sales for the Games’ events—several security firms rapidly assessed malware connected to the attack. Initial evaluation of the malware showed some commonalities in technique with NotPetya, the “wiper” malware attributed to Russia by UK and US intelligence. Cisco Talos later revised its report, originally published on February 12, after discovering that the malware samples did not simply carry a fixed list of credentials: they used credential-stealing tools to harvest logins and passwords from each infected host and then wrote those credentials into the code used to spread the infection across the network, so that samples recovered from different machines carried different credential lists.
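A spreader that rewrites its own credential list has a useful forensic side effect: samples recovered from different hosts differ only in that embedded block, and each hop's list is a superset of the previous one. The following is an added example illustrating that triage step; it is not code from the article or from Talos, and the byte layout (a `CREDBLOCK:` marker followed by a length-prefixed, newline-separated list), the host names and the credentials are all constructed for illustration, not the real malware's format.

```python
"""Triage helper for a self-propagating sample that rewrites its own
embedded credential block. Added example with a constructed layout; the
real binary's format is not reproduced here."""
from __future__ import annotations

# Constructed layout (assumption): a marker, a 2-byte little-endian length,
# then newline-separated "DOMAIN\\user:password" entries.
MARKER = b"CREDBLOCK:"


def build_sample(creds: list[str]) -> bytes:
    """Build a constructed 'binary' carrying the given credential list."""
    body = "\n".join(creds).encode()
    return (b"MZ\x90\x00" + b"\x00" * 16 + MARKER
            + len(body).to_bytes(2, "little") + body
            + b"\x00" * 16 + b"ENDOFIMAGE")


def extract_credentials(sample: bytes) -> list[str]:
    """Parse the embedded credential list out of one sample (empty if absent)."""
    idx = sample.find(MARKER)
    if idx < 0:
        return []
    start = idx + len(MARKER)
    length = int.from_bytes(sample[start:start + 2], "little")
    body = sample[start + 2:start + 2 + length]
    return [e for e in body.decode(errors="replace").split("\n") if e]


def differing_region(a: bytes, b: bytes) -> tuple[int, int]:
    """Offsets in `a` of the region where two samples differ, found by
    stripping the common prefix and suffix. This locates the rewritten
    block even when the marker/format is not yet known."""
    limit = min(len(a), len(b))
    pre = 0
    while pre < limit and a[pre] == b[pre]:
        pre += 1
    suf = 0
    while suf < limit - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return pre, len(a) - suf


def infection_chain(samples: dict[str, bytes]) -> list[tuple[str, list[str]]]:
    """Order samples by growing credential list and report what each hop added.
    Assumption: a spreader that appends what it harvests produces lists that
    only grow along the propagation path. Returns [] if the lists do not
    nest, i.e. the samples do not form a single lineage."""
    creds = {host: extract_credentials(s) for host, s in samples.items()}
    chain: list[tuple[str, list[str]]] = []
    seen: set[str] = set()
    for host in sorted(creds, key=lambda h: len(creds[h])):
        current = set(creds[host])
        if not seen <= current:
            return []
        chain.append((host, sorted(current - seen)))
        seen = current
    return chain


if __name__ == "__main__":
    # Constructed samples: each later host's list contains the earlier one's.
    a = build_sample(["CORP\\alice:Winter2018"])
    b = build_sample(["CORP\\alice:Winter2018", "CORP\\svc_print:Pr1nt!"])
    print("differing region in a:", differing_region(a, b))
    for host, added in infection_chain({"host-b": b, "host-a": a}):
        print(host, "added", added)
```

In practice the prefix/suffix diff is the first thing to run on two recovered samples, because it tells you where the self-modifying block lives before you know anything about its format; the chain reconstruction then tells you which host's credentials were harvested at which hop, which is the propagation path the responder needs.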