As Oh made his way out of the press section toward the exits, reporters around him had already begun complaining that the Wi-Fi seemed to have suddenly stopped working. Thousands of internet-linked TVs showing the ceremony at the stadium and twelve other Olympic facilities had gone black. Every RFID-based security gate leading into every Olympic building was down. The Olympics’ official app was broken, too, reaching out for data from back-end servers that suddenly had none to offer. That meant some unknown number of audience members had been unable to load their tickets to their phones, locking them out of the performance.
The feeling, for Oh, was both infuriating and surreal. The Pyeongchang organizing committee had prepared for this: Their cybersecurity advisory group had met twenty times since 2015. They’d conducted drills as early as June of the previous year, simulating disasters like cyberattacks, fires, and earthquakes. But Oh could still hardly believe one of those nightmare scenarios was now playing out in reality. “It’s actually happened,” Oh thought to himself, as if to shake himself out of the sense that it was all a bad dream.
Once Oh made his way through the crowd, he ran to one of the stadium’s exits, out into the freezing air of the Pyeongchang winter night and across the parking lot, now joined by two other IT staffers. They jumped into a Hyundai SUV and began the forty-minute drive east, down through the mountains to the coastal city of Gangneung, where the Olympics’ technology operation center was located.
From the car, Oh immediately made calls to tell staffers at the stadium to start distributing Wi-Fi hot spots to reporters and to tell security to check badges manually, because all RFID systems were down. But he knew that in just over two hours the opening ceremony would end, and all of the tens of thousands of athletes, visiting dignitaries, and spectators at the event would find that they had no Wi-Fi connections and no access to the Olympic app full of schedules, hotel information, and maps. The result would be a humiliating confusion. And if they couldn’t recover the servers by the next morning, the entire IT back end of the organizing committee—responsible for everything from meals to hotel reservations to event ticketing—would remain off-line. A kind of technological fiasco that had never before struck the Olympics would take place in one of the world’s most wired countries.
By 9:00 p.m., halfway into the ceremony, Oh had arrived at the technology operations center in Gangneung, a large open room, one wall covered in screens, with desks and computers for 150 staffers. When he walked in, many of those staffers were standing, clumped together, anxiously discussing how to respond to the attack that had also locked them out of many of their own basic services like email and messaging.
All nine of the Olympic staff’s domain controllers, the same backbone servers whose erasure had nearly crippled Maersk, had somehow been paralyzed. The staff decided to respond with a temporary workaround, setting all surviving servers that powered critical services, such as Wi-Fi and the Olympic app, to simply bypass those dead domain controllers. They managed to bring those systems back online just minutes before the end of the ceremony.
Over the next two hours, as they attempted to rebuild the domain controllers to re-create a more long-term, secure network, the staffers would find that the servers were mysteriously crippled again and again. Some malicious presence in their network remained, disrupting the servers faster than they could be rebuilt.
A few minutes before midnight, Oh and his administrators reluctantly decided to cut off all their systems from the internet in an attempt to isolate them from the saboteurs, who must still have maintained a presence inside. That meant taking down every service—even the Olympics’ public website—while they worked to root out whatever malware infection was tearing apart their network from within.
For the rest of the night, Oh and his staff would work desperately to rebuild the Olympics’ IT infrastructure. It wasn’t until just after 5:00 a.m. that a Korean security company working with the organizing committee, AhnLab, managed to create an antivirus signature that could help Oh’s staff vaccinate the network’s thousands of PCs and servers against the mysterious malware that had been at the root of the attack, a file named simply winlogon.exe. At 6:30 a.m., the Olympics’ administrators reset 120 staffers’ passwords to lock out whatever means of access the hackers might have stolen. Just before 8:00 that morning Korean time, almost exactly twelve hours after the cyberattack on the Olympics had begun, Oh and his sleepless staffers finished reconstructing their servers from backups and restarting every service.
Amazingly, their emergency triage response worked. The day’s snowboarding, ski jumping, and curling events went forward with little more than a few Wi-Fi hiccups. Thousands of athletes and millions of spectators remained blissfully unaware that the Olympics’ IT staff had just spent the prior night fighting off a cyberattack that threatened the entire event.
Even so, Oh still smoldered when he thought back to the night of the opening ceremony. “For me, the Olympics are about peace. It still makes me furious that without any clear purpose, someone hacked this event,” he told me months later. “If we hadn’t solved it, it would have been a huge black mark on these games of peace. I can only hope that the international community can figure out a way that this will never happen again.”
35
FALSE FLAGS
Within hours, rumors began to trickle out into the cybersecurity community that the website, Wi-Fi, and app glitches during the Olympics’ opening ceremony had been caused by foul play. The Pyeongchang organizing committee soon confirmed that it had indeed been the target of a cyberattack. But it refused to comment on the attack’s source. Instead, the incident became a hacker whodunit on a global stage—with a vexing number of potential culprits.
The usual suspect for any cyberattack in South Korea is, of course, North Korea. The two countries had never officially called an end to the civil war that followed their split in 1945, and hackers working on behalf of the hermit kingdom had long used their southern neighbors as the same sort of online punching bag that Russia had made out of Ukraine. For a decade, North Korean hackers had hit South Korean targets with everything from crude waves of junk web traffic to data-wiping malware—broadsides as relentless as Sandworm’s cyberwar tactics, if not as sophisticated. In the run-up to the Olympics, analysts at the cybersecurity firm McAfee had warned that Korean-speaking hackers had targeted the Pyeongchang Olympic organizers with phishing emails and what appeared to be espionage malware, hinting in a phone call with me that North Korea was likely behind the spying scheme.
But as the Olympics began, the North had seemed as if it were experimenting with a friendlier approach. The North Korean dictator, Kim Jong Un, had sent his sister as a diplomatic emissary to the games and had invited South Korea’s president, Moon Jae-in, to visit the North Korean capital of Pyongyang. The two countries had even taken the surprising step of combining their Olympic women’s hockey teams in a show of friendship. Why would North Korea launch a disruptive cyberattack in the midst of that charm offensive?
Then there was Russia. The Kremlin had its own motive for an attack on Pyeongchang: Its Fancy Bear hackers had, in fact, been hacking and leaking data from Olympics-related targets for years in retaliation for the anti-doping investigations that had punished Russian athletes for their coordinated performance-enhancing drug use. Ahead of the 2018 winter games, the International Olympic Committee had taken the final measure of officially banning Russia altogether. Russian athletes could compete but not wear Russian flags or national colors, and any medals would be credited to them individually, not to their home country.
It was exactly the sort of slight that might inspire the Kremlin to unleash a piece of disruptive malware against the opening ceremony. If the Russian government couldn’t enjoy the Olympics, then no one would.
If Russia was trying to send a message with the attack on the Olympics’ servers, however, it was hardly a clear one. Days before the opening ceremony, it had preemptively denied any Olympics-targeted hacking. “We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea,” Russia’s Foreign Ministry had told Reuters. “Of course, no evidence will be presented to the world.”
In fact, there would be plenty of evidence vaguely hinting at Russia’s responsibility. But analyzing the attack’s forensic fingerprints would turn out to be even more confusing than untangling its geopolitical motive.
Three days after the opening ceremony, Cisco’s Talos security division revealed that it had obtained and dissected the Olympics-targeted malware, which it named Olympic Destroyer. Someone from the Olympics organizing committee or perhaps the Korean security firm AhnLab had uploaded the code for analysis on VirusTotal, where Cisco’s reverse engineers found it. The description of Olympic Destroyer’s anatomy that Cisco published broadly resembled both NotPetya and Bad Rabbit: It had a Mimikatz-like password-stealing tool, again combining those stolen passwords with legitimate Windows features to spread among computers on a network, and then a wiping component that deleted a boot configuration file from the machine before shutting the computer down so that it couldn’t be rebooted.
But unlike Bad Rabbit, there seemed to be no clear code matches between NotPetya and Olympic Destroyer. Although it contained similar features, they had apparently been re-created from scratch or copied from elsewhere. Analysts at the security firm CrowdStrike would find other apparent Russian fingerprints: the version of the programming language C++ the Olympic malware used matched Sandworm’s XData ransomware, for instance, as well as its mechanism for handling the credentials it stole from victim machines. But as malware analysts dug deeper, the clues became stranger. The data-wiping portion of Olympic Destroyer shared characteristics with a sample of data-wiping code that had been used not by Russia but by the North Korean hacker group known as Lazarus. When Cisco researchers put the logical structures of the wipers side by side, they seemed to roughly match. And both destroyed files with the same distinctive trick of deleting just their first one thousand bytes. Was North Korea behind the attack after all?
But there were still more contradictory signposts. The security firm Intezer noted that a chunk of the Mimikatz-like code in Olympic Destroyer matched exactly with tools used by a hacker group known as APT3. The company also traced a component Olympic Destroyer used to generate encryption keys back to a third group, APT10. They pointed out that the encryption component had never been used before by any other hacking teams, as far as the company’s analysts could tell. Both APT3 and APT10 had been named by multiple cybersecurity companies as likely linked to the Chinese government.
Russia? North Korea? China? The deeper forensic analysts looked, the further they seemed to be from a definitive conclusion.
The security world had seen plenty of false flags before: The state-sponsored hackers behind every major attack for years had pretended to be something else, their masks ranging from those of cybercriminals to hacktivists to another country’s agents. But this was different. No one had ever seen quite so many deceptions folded into the same piece of software. Wading into the Olympic Destroyer code was like walking into a maze of mirrors, with a different false flag at every dead end.
* * *
In the midst of that fog of confusion and misdirection, a leak to The Washington Post’s Ellen Nakashima cut through with an unequivocal statement. Her headline: “Russian Spies Hacked the Olympics and Tried to Make It Look Like North Korea Did It, U.S. Officials Say.” Again, the Post cited anonymous U.S. intelligence sources—two of them—who claimed that the GRU’s Main Center for Special Technology was behind the attack, the same hackers responsible for NotPetya. Olympic Destroyer, it seemed to follow, was the work of Sandworm, or at least its colleagues at the same agency.
The Post’s story rang true. Despite all its ruses, Olympic Destroyer had struck me as exactly the sort of reckless sabotage that Sandworm and the GRU had been engaged in for years. But Nakashima’s report cited no evidence—at least nothing that the public could verify. With the Kremlin’s proactive denial of any Olympics hacking, the result was a kind of standoff between two governments’ contradictory claims. Though one of those governments was vastly more credible than the other, the debate was hardly settled for the cybersecurity community’s skeptics. How could they be certain that anonymous “U.S. officials” had solved the mystery and not simply fallen for one of Olympic Destroyer’s layered lies?
Soon another set of clues emerged from an unlikely source: Kaspersky Labs. After the Shadow Brokers’ theft from the NSA had been linked to Kaspersky’s software, the cloud of suspicions around the Moscow-based security firm had only grown thicker. But in March 2018, it waded into the Olympic Destroyer morass and emerged with evidence that actually bolstered the case against Russia.
Kaspersky had obtained its copy of the Olympic Destroyer malware not from the Olympics organizing committee, but from a ski resort hotel that had also been struck in the attack. It seemed, in fact, that the hackers had attempted to hack a wide range of Olympics-related targets beyond the Olympics themselves, but Kaspersky could confirm only that two ski resorts had been breached (along with a ski equipment automation firm and Atos, an IT services provider in France). The hotel that shared the malware sample with Kaspersky had been seriously infected, to the degree that its automated ski gates and ski lifts were temporarily paralyzed.
When Kaspersky’s Korea-based staff sent the malware sample back to Moscow for analysis, its Global Research & Analysis Team had begun dusting it for fingerprints. But rather than focus on the malware’s code, as other companies like Cisco and Intezer had immediately done, they’d looked at its “header,” one part of the file’s metadata that includes clues about what sorts of programming tools were used to write it. Comparing that header with others in Kaspersky’s vast database of malware samples, they found it perfectly matched the same sample of North Korean data-wiping malware that Cisco’s Talos had already pointed to as sharing traits with Olympic Destroyer.
But in this case, one senior Kaspersky researcher named Igor Soumenkov decided to look a step further. Soumenkov, a hacker prodigy who’d been recruited to Kaspersky’s research team as a teenager years earlier, had a uniquely deep knowledge of file headers and decided to double-check his colleagues’ findings. By the end of a late night at the company’s Moscow office, he had determined that the header metadata didn’t actually match other clues in the Olympic Destroyer code itself; the malware hadn’t been written with the programming tools that the header implied. The metadata had been forged.
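The file “header” this passage describes is, in practice, the PE Rich header that Microsoft’s linker writes into Windows executables: a list of tool ids and use counts, XORed with a key that also serves as a checksum over the DOS header bytes and the entries themselves. The Python below is an added example, not Kaspersky’s tooling or anything from the book: it builds a constructed Rich header, decodes it, and checks the key against the bytes it covers, so a Rich block copied from another file without recomputing the key fails the check (a forger who copies the whole prefix consistently will pass it, which is why Soumenkov’s comparison against the code itself matters). Product ids, builds, counts and stub text are made up.

```python
import struct

DANS = 0x536E6144   # "DanS" marker as a little-endian DWORD
RICH = b"Rich"

def rol32(v, n):
    n &= 31                                   # x86 ROL masks the shift to 5 bits
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(dos_stub, entries):
    """Key = offset of 'DanS' + each stub byte rotated by its offset (e_lfanew
    bytes at 0x3C..0x3F skipped) + each comp.id rotated by its use count."""
    cksum = len(dos_stub)
    for i, b in enumerate(dos_stub):
        if not 0x3C <= i < 0x40:
            cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for prod_id, build, count in entries:
        cksum = (cksum + rol32((prod_id << 16) | build, count)) & 0xFFFFFFFF
    return cksum

def build_rich_header(dos_stub, entries):
    """DanS + 3 zero pads + (comp.id, count) pairs XORed with the key, then 'Rich' + key."""
    key = rich_checksum(dos_stub, entries)
    words = [DANS ^ key, key, key, key]
    for prod_id, build, count in entries:
        words += [((prod_id << 16) | build) ^ key, count ^ key]
    return dos_stub + struct.pack("<%dI" % len(words), *words) + RICH + struct.pack("<I", key)

def parse_rich_header(data):
    """Return (entries, key, checksum_ok) or None; entries are (prod_id, build, count)."""
    end = data.find(RICH)
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = next((off for off in range(end - 4, -1, -4)
                  if struct.unpack_from("<I", data, off)[0] ^ key == DANS), None)
    if start is None:
        return None
    entries = []
    for off in range(start + 16, end, 8):
        comp_id, count = (w ^ key for w in struct.unpack_from("<II", data, off))
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return entries, key, rich_checksum(data[:start], entries) == key

def demo():
    """Constructed 0x80-byte DOS stubs and made-up tool entries (no real binary):
    a genuine header, and its Rich block grafted onto another stub without a new key."""
    stub_a = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x100) + b"sample A stub!!!" + bytes(0x30)
    stub_b = stub_a.replace(b"sample A", b"sample B")
    tools = [(0x0001, 0x0A01, 7), (0x005D, 0x1F40, 12)]   # (prod_id, build, count)
    genuine = build_rich_header(stub_a, tools)
    grafted = stub_b + genuine[len(stub_b):]
    return parse_rich_header(genuine), parse_rich_header(grafted)
```

The checksum only catches crude splicing; the stronger test, as the text describes, is whether the tools the header claims could have produced the code that follows it.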
This was something different from all the other signs of misdirection that researchers had fixated on. The other red herrings in Olympic Destroyer had been so vexing in part because there was no way to tell which clues were real and which were deceptions. But now, deep in the folds of false flags wrapped around the Olympic malware, Soumenkov had found one flag that was provably false.
It was now perfectly clear that someone had tried to make the malware look North Korean and only failed due to a slipup in one instance and through Soumenkov’s fastidious triple-checking. “It’s a completely verifiable false flag. We can say with 100 percent confidence this is false, so it’s not the Lazarus Group,” Soumenkov would later say in a presentation at the Kaspersky Security Analyst Summit, using the name for the hackers widely believed to be North Korean. Still, whether out of skeptical rigor or some secret influence of the Kremlin, Kaspersky’s researchers refused to state publicly who they believed was behind the malware.
If Olympic Destroyer was the work of the GRU, its timing seemed more than coincidental. Just as the Russian military was about to be publicly called out and punished for the biggest cyberattack in history, a piece of malware had conveniently appeared that seemed designed to call into question the fundamental ability of security researchers to determine the source of any cyberattack. “Even as it accomplished its mission, it also sent a message to the security community: You shouldn’t be so quick to attribute things,” Cisco’s Craig Williams told me. “You can be misled.” It was as if the GRU, feeling the proximity of investigators on its tail, had dropped a smoke bomb and made its escape.
All signs, more than ever, pointed to Russia, not North Korea, as the perpetrators of the Olympic hacking. But as the mystery unfolded, I was reminded of the jump boots Vladimir Rezun had described the spetsnaz wearing, with soles designed to impersonate enemy tracks. The false flags were serving their purpose: Once they appeared, every piece of evidence was tainted with doubt, even when the truth was displayed plainly in front of your eyes.
36
74455
On a warm fall day in September 2018, I stepped out of John Hultquist’s car and onto the driveway of his two-story house in an idyllic suburb of Washington, D.C., complete with a well-furnished backyard and a very affectionate goldendoodle named Penny.
Hultquist, wearing a green T-shirt and shorts, invited me in. We were meeting at his home because he’d been out of the FireEye headquarters on paternity leave for the last month, following the birth of his second child. That time away from the office, of course, had not diminished his obsession with Sandworm. When we sat down at his kitchen table, he first told me that he was ten thousand words into writing a Tom Clancy–style novel—purely fictional, of course—about a cybersecurity researcher who finds himself tracing the trail of destruction of a team of über-hackers. His working title, for the moment: “Johnny Saves the Internet.”