Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Olympic Destroyer uses WMI to help propagate itself across a network.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.[1] |
| Enterprise | T1485 | Data Destruction | Olympic Destroyer overwrites files locally and on remote shares.[1][2] |
| Enterprise | T1489 | Service Stop | Olympic Destroyer uses the API call |
| Enterprise | T1570 | Lateral Tool Transfer | Olympic Destroyer attempts to copy itself to remote machines on the network.[1] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Olympic Destroyer will attempt to clear the System and Security event logs using |
| Enterprise | T1529 | System Shutdown/Reboot | Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.[1][2] |
| Enterprise | T1490 | Inhibit System Recovery | Olympic Destroyer uses the native Windows utilities |
| Enterprise | T1569.002 | System Services: Service Execution | Olympic Destroyer utilizes PsExec to help propagate itself across a network.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Olympic Destroyer uses API calls to enumerate the infected system's ARP table.[1] |
| Enterprise | T1135 | Network Share Discovery | Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Olympic Destroyer uses PsExec to interact with the |
| Enterprise | T1018 | Remote System Discovery | Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.[1] |
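None of the techniques in the table is remarkable on its own: administrators run WMI queries, PsExec and vssadmin every day. What distinguishes a wiper that spreads by WMI and PsExec, dumps LSASS, disables services, kills recovery, clears the logs and shuts the host down is that these behaviours land on the same host within minutes of each other. The Python below is an added example written for this page, not code from the page or from the analysts cited in it. Its sample events are constructed, and the indicators it matches on (wmic /node ... process call create, a child of WmiPrvSE.exe, Sysmon event 10 against lsass.exe, a PSEXESVC service install, the vssadmin/wbadmin/bcdedit recovery-deletion commands, event IDs 7040, 1102, 104 and 1074) are the standard indicators for the listed ATT&CK techniques, not identifiers the page attributes to Olympic Destroyer.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not real logs. Each dict is a simplified Windows
# event: Security 4688 (process creation), Sysmon 10 (process access), System
# 7045 (service install), System 7040 (service start type changed), Security
# 1102 / System 104 (log cleared) and User32 1074 (shutdown initiated).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4688, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:"ws02" process call create "C:\\Users\\Public\\update.exe"'},
    {"host": "ws02", "event_id": 4688, "image": r"C:\Users\Public\update.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "update.exe"},
    {"host": "ws02", "event_id": 10, "source_image": r"C:\Users\Public\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "ws02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "ws02", "event_id": 4688, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Users\Public\update.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "event_id": 4688, "image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Users\Public\update.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws02", "event_id": 7040, "service_name": "Spooler",
     "message": "start type was changed from auto start to disabled"},
    {"host": "ws02", "event_id": 1102, "message": "The audit log was cleared."},
    {"host": "ws02", "event_id": 104, "message": "The System log file was cleared."},
    {"host": "ws02", "event_id": 1074, "message": "shutdown type: power off"},
    # Benign noise: a local WMI query and a backup job listing shadow copies.
    {"host": "ws03", "event_id": 4688, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wmic os get caption"},
    {"host": "ws03", "event_id": 4688, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin list shadows"},
]


def _cmd(e):
    return e.get("cmdline", "")


def _img(e):
    return e.get("image", "").lower()


def _parent(e):
    return e.get("parent", "").lower()


# One predicate per ATT&CK technique from the table. Each is deliberately
# narrow (remote WMI, not any WMI; shadow deletion, not any vssadmin call) so
# that the per-rule false-positive rate stays low; correlate() does the rest.
RULES = [
    ("T1047", lambda e: e["event_id"] == 4688 and (
        (_img(e).endswith("wmic.exe") and re.search(r"/node:", _cmd(e), re.I)
         and "process call create" in _cmd(e).lower())
        or _parent(e).endswith("wmiprvse.exe"))),
    ("T1003.001", lambda e: e["event_id"] == 10
        and e.get("target_image", "").lower().endswith("lsass.exe")),
    ("T1569.002", lambda e: e["event_id"] == 7045
        and "psexesvc" in e.get("service_name", "").lower()),
    ("T1490", lambda e: e["event_id"] == 4688 and re.search(
        r"vssadmin.*delete.*shadows|wbadmin.*delete.*catalog|bcdedit.*recoveryenabled\s+no",
        _cmd(e), re.I)),
    ("T1489", lambda e: e["event_id"] == 7040 and "disabled" in e.get("message", "").lower()),
    ("T1070.001", lambda e: e["event_id"] in (1102, 104) or (
        e["event_id"] == 4688 and re.search(r"wevtutil\s+(cl|clear-log)", _cmd(e), re.I))),
    ("T1529", lambda e: e["event_id"] == 1074 or (
        e["event_id"] == 4688 and re.search(r"shutdown(\.exe)?\s.*(/s|/r)", _cmd(e), re.I))),
]


def detect(events):
    """Return (host, technique_id, event_id) for every rule that fires on every event."""
    hits = []
    for e in events:
        for technique, matches in RULES:
            if matches(e):
                hits.append((e["host"], technique, e["event_id"]))
    return hits


def correlate(hits, min_techniques=3):
    """Hosts on which at least min_techniques distinct techniques fired.

    A lone vssadmin or remote WMI call is routine administration; several of
    these techniques on one host is the wiper pattern the table describes.
    """
    per_host = defaultdict(set)
    for host, technique, _ in hits:
        per_host[host].add(technique)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(correlate(found))
```

In the sample data only ws02 crosses the threshold; ws01 produces a single T1047 hit (the operator-side remote WMI call), which is worth keeping as a pivot because it names the host the infection spread from. In production the per-host grouping would also be bounded by a time window, and the T1003.001 rule would additionally check the Sysmon GrantedAccess mask rather than match every process that touches lsass.exe.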