Olympic Destroyer Description
The Olympic Destroyer malware was first detected in 2018. Malware researchers spotted the threat being used in an attack that targeted networks linked to the organizers of the 2018 Winter Olympic Games in South Korea, as well as partner organizations. It has been speculated that the motives behind this operation may have been political, with the goal of causing disruption and collecting sensitive data. Further analysis made it apparent that the attackers had inside information about the targeted network, such as domain settings and IP addresses.
Later, the Olympic Destroyer was used in another operation, this time against institutions in the Russian financial sector. It was then deployed against chemical and biological laboratories in Ukraine and elsewhere in Europe. The Olympic Destroyer is destructive by nature: one of its goals is to wreak havoc on the targeted system by inflicting damage that cannot be reversed.
The propagation method of the Olympic Destroyer has not yet been confirmed, but malware researchers believe that its main means of spreading is spear-phishing email campaigns carrying a malicious attachment.
When the Olympic Destroyer infiltrates a system, it first stops the processes the computer relies on to recover wiped data. It then harvests login credentials and hostnames to locate sensitive data on other computers in the same network. The Olympic Destroyer does not appear to target locally stored data; instead it targets network shared drives, since a business or institution is more likely to keep its important data there.
The Olympic Destroyer then uses the Windows Command Prompt to launch the 'vssadmin' utility and delete the Volume Shadow Copies stored on the system, making recovery of any wiped data virtually impossible. Next, it uses 'WBAdmin' to stop the services used for backup and recovery and to delete their configuration files. In a further attempt to prevent the victim from recovering lost data, the Olympic Destroyer disables the 'Windows Recovery Console.' Once these steps are complete, it deletes the most recent entries in the Windows Security Event Log, which makes the threat harder to analyze if it is detected.
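The recovery-inhibition chain described above (shadow copy deletion, backup catalog deletion, recovery disabling, event log clearing) is a reliable detection opportunity for defenders, because ordinary administration rarely performs several of these steps on one host within minutes. The following Python script is an added example, not code from the original write-up: it correlates constructed process-creation events per host and flags hosts where two or more distinct techniques occur in a short window. The command-line patterns, host names and timestamps are assumptions constructed for illustration.

```python
import re

# Command-line patterns for the recovery-inhibition steps described above.
# The patterns are assumptions chosen for this example, not vendor signatures.
RECOVERY_INHIBITION_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "event_log_cleared": re.compile(r"wevtutil(\.exe)?\s+cl\s+\w+", re.I),
}


def classify_command(cmdline):
    """Return the names of all rules the command line matches (possibly none)."""
    return [name for name, rx in RECOVERY_INHIBITION_RULES.items() if rx.search(cmdline)]


def find_recovery_inhibition(events, window_seconds=300):
    """Flag hosts where >= 2 distinct techniques occur within window_seconds.

    events: iterable of (timestamp_seconds, host, cmdline) tuples, e.g. from
    process-creation telemetry. Returns {host: sorted list of matched rules}.
    """
    per_host = {}
    for ts, host, cmd in sorted(events):
        for rule in classify_command(cmd):
            per_host.setdefault(host, []).append((ts, rule))
    alerts = {}
    for host, hits in per_host.items():
        for i, (ts, _) in enumerate(hits):
            # Distinct techniques seen from this hit forward, inside the window.
            in_window = {r for t, r in hits[i:] if t - ts <= window_seconds}
            if len(in_window) >= 2:
                alerts[host] = sorted(in_window)
                break
    return alerts


# Constructed sample events (not real telemetry): WS-01 shows the full chain,
# WS-02 shows a benign administrator merely listing shadow copies.
SAMPLE_EVENTS = [
    (1000, "WS-01", "vssadmin.exe delete shadows /all /quiet"),
    (1001, "WS-01", "wbadmin.exe delete catalog -quiet"),
    (1002, "WS-01", "bcdedit.exe /set {default} recoveryenabled no"),
    (1003, "WS-01", "wevtutil.exe cl Security"),
    (1500, "WS-02", "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    print(find_recovery_inhibition(SAMPLE_EVENTS))
```

A single matching command on a host is deliberately not alerted, which keeps routine backup maintenance from paging the on-call analyst; tune `window_seconds` to the telemetry latency of the environment.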
The Olympic Destroyer has already been used successfully in several campaigns, and it is a highly destructive and harmful threat. This is why users must always make sure they have downloaded and installed a reputable anti-malware suite that will keep them safe from threats like the Olympic Destroyer.