After the high-profile malware attack on the 2018 Winter Olympics opening ceremony, security researchers are beginning to dig through the digital rubble in the hopes of finding the culprit.
Initial theories pointed the finger at Russia or North Korea, but experts have been hesitant to draw any conclusions. As the Olympics continue to unfold, a trickle of forensic evidence leading back to Russia and North Korea is starting to be uncovered.
Malware writers don't exactly leave a calling card in their code, so determining who caused an attack is often difficult. What we do know so far is that the attack, dubbed "Olympic Destroyer," lasted under an hour on Friday and targeted users with an @pyeongchang2018.com email address. This caused the Pyeongchang 2018 website to go down and briefly interrupted some video streams.
The malware works by turning off the infected machine's services, destroying the boot information and generally rendering the machine unusable. One surprising characteristic is that it does show some restraint and does not appear to cause maximum damage. Rather than deleting all of the system's files, it only targets the boot information. A trained technician can restore the data relatively quickly.
Olympic Destroyer's spreading and targeting techniques resemble those of NotPetya and BadRabbit, pieces of malware that the CIA and others in the security community have attributed to Russia.
Given that Russia was banned from competing at the Olympics due to the doping scandal, it is naturally the prime suspect. For its part, Russia has stated that "We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea."
We will likely never know who was behind the attack, but with the whole world watching Pyeongchang, it certainly makes for a prime target for someone wishing to send a message.