Now that the world's largest global sporting event has wrapped up, with medals awarded and athletes returned home, it's time to reflect on what exactly went down. While it may not have hit mainstream headlines at the time, a well-crafted spear phishing campaign and a string of other IT security incidents made this year's event one of the most hacked sporting events of all time. Today's cybercriminals want to steal the gold, and their tactics reveal a lot about preventing cybercrime in 2018.
Not only was this year's event one of the most political in history, but as Wired pointed out, "In 2018, [it's] also become a nexus of hacker skullduggery." The cybercrime spree that began weeks before the opening ceremony would have made even MafiaBoy proud: social engineering, steganography, abuse of trusted built-in tools such as PowerShell, and multi-stage malware, all working in concert in a single campaign.
Waking up to a spear phishing nightmare
On December 22, 2017, South Korean organizations involved in preparations for the massive event received an email appearing to originate from South Korea's National Counter-Terrorism Centre (NCTC). Not only was the purported sender a trustworthy source, but the email was also timed perfectly to coincide with the NCTC's on-the-ground anti-terror drills.
The attachment was a document carrying an image with a script hidden in its pixels, together with a hypertext application (HTA) implant. That stage opened a PowerShell back door scheduled for 2 a.m., when the assailants correctly assumed the recipients would not be at their work computers. Four strains of malware, dubbed Gold Dragon, Brave Prince, Ghost419, and RunningRAT by McAfee analysts, then worked in tandem to give the attackers a persistent foothold on the target's network and to siphon off whatever information they wanted from the victims' computers.
What went down during this attack?
Attribution is notoriously difficult, particularly for campaigns this sophisticated. Analysts agreed, however, that the activity was likely state-sponsored or, at the least, politically motivated. Ryan Sherstobitoff of McAfee told CyberScoop the attacks carried signatures pointing to a group rather than an individual. One significant clue is that the attacks were not financially motivated, at least not in the quick-payout style of today's viral ransomware epidemic. Sherstobitoff says, "The persistent data exfiltration we see from these implants could give the attacker a potential advantage."
If it proves true the cyber attacks were politically motivated, you can add them to the pile of state-sponsored cybersecurity issues surrounding Pyeongchang. A notorious hacker outfit known as Fancy Bear had also stolen and leaked documents with the apparent intent of framing the Russian doping allegations as politically motivated, and a statement published on the group’s website hinted of more leaks to come.
3 vital hacking prevention lessons
This year's event in Pyeongchang had a reported cybersecurity budget of $1.2 million, which is no small amount until you consider that the entire IT infrastructure was built from the ground up for a two-week event. With more than 300 computer systems reportedly compromised before the torch was even lit, security officials declined to say exactly how they were responding but made clear they were stepping up to meet the challenge. Most visitors were unaware of any attack, and the hackers stopped short of tampering with official event scoring, but there are plenty of practical prevention lessons in all this IT security drama. Here are three you can put to use:
1. Even the Jamaican bobsled team moves slower than hackers
The phishing email went out on December 22, just two days after a new tool, Invoke-PSImage, was released to the public. Invoke-PSImage is a steganography tool: it hides a PowerShell script in the least-significant bits of the pixel values of a .PNG image and emits a one-liner that reads the pixels back and executes the script, so the payload never has to sit on disk as a recognisable script file. What's clear is that it took the attackers only two days to fold a brand-new public tool into a working attack chain.
"There is no need to use a zero day, because cybercriminals now develop and apply hacking tools much more quickly," writes Raj Samani in Forbes. While zero-day threats are still a frightening reality, the speed at which hacker collectives turn new public tooling into live attacks may be even scarier.
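To make the mechanism concrete, here is an added example, written for this article rather than taken from Invoke-PSImage or from McAfee's analysis, that reproduces the encoding scheme the tool's own documentation describes: each payload byte is split into two nibbles that overwrite the four low bits of the G and B channels of one pixel. It uses only the Python standard library. The gradient cover image, the sample script and the 4-byte length prefix are constructed for the example, and the PNG writer and reader handle only the unfiltered 8-bit RGB images this script itself produces.

```python
"""LSB steganography in the style Invoke-PSImage documents (added example).

Each payload byte is split into two nibbles that overwrite the four least-
significant bits of the G and B channels of one pixel, so an n-byte script
needs n pixels plus four for a length prefix. The image is written as a real
PNG using only the standard library, read back, and the script recovered.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_cover(width=32, height=8):
    """Constructed cover image: a smooth RGB gradient (not a real photo)."""
    return [[(x * 8 % 256, y * 32 % 256, (x + y) * 4 % 256) for x in range(width)]
            for y in range(height)]

def embed(pixels, payload: bytes):
    """Hide payload in the low nibbles of G and B, row-major, after a 4-byte length."""
    data = struct.pack(">I", len(payload)) + payload
    flat = [px for row in pixels for px in row]
    if len(data) > len(flat):
        raise ValueError("payload needs %d pixels, cover has %d" % (len(data), len(flat)))
    out = []
    for i, (r, g, b) in enumerate(flat):
        if i < len(data):
            g = (g & 0xF0) | (data[i] >> 4)       # high nibble into G
            b = (b & 0xF0) | (data[i] & 0x0F)     # low nibble into B
        out.append((r, g, b))
    width = len(pixels[0])
    return [out[i:i + width] for i in range(0, len(out), width)]

def extract(pixels) -> bytes:
    """Reassemble bytes from the G/B low nibbles and honour the length prefix."""
    flat = [px for row in pixels for px in row]
    raw = bytes(((g & 0x0F) << 4) | (b & 0x0F) for _, g, b in flat)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n]

def to_png(pixels) -> bytes:
    """Minimal PNG writer: 8-bit RGB, filter type 0 on every row, one IDAT chunk."""
    height, width = len(pixels), len(pixels[0])
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    rows = b"".join(b"\x00" + bytes(c for px in row for c in px) for row in pixels)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

def from_png(data: bytes):
    """Minimal PNG reader for what to_png produces (unfiltered 8-bit RGB only)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length                         # length + tag + body + crc
    raw, stride = zlib.decompress(idat), 1 + 3 * width
    pixels = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled")
        pixels.append([tuple(row[1 + 3 * x:4 + 3 * x]) for x in range(width)])
    return pixels

def max_channel_delta(cover, stego) -> int:
    """Largest change to any channel value; with 4-bit nibbles this is at most 15."""
    return max(abs(a - b) for ra, rb in zip(cover, stego)
               for pa, pb in zip(ra, rb) for a, b in zip(pa, pb))

def roundtrip(script: str) -> str:
    """Embed, write PNG, read PNG, extract: what the stager does on the victim side."""
    png = to_png(embed(make_cover(), script.encode()))
    return extract(from_png(png)).decode()

# Constructed stand-in for the hidden script; a real stager would IEX what it extracts.
SAMPLE_SCRIPT = "Write-Host 'constructed payload'"

if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, SAMPLE_SCRIPT.encode())
    print("max per-channel change:", max_channel_delta(cover, stego))
    print("recovered:", roundtrip(SAMPLE_SCRIPT))
```

The point for defenders is in `max_channel_delta`: no channel value moves by more than 15 out of 255, so the carrier image is visually and statistically unremarkable to a file scanner, and the script only exists once a PowerShell one-liner reads the pixels back in memory. Detection has to key on the decoder and on what it executes, not on the image.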
2. Don’t just watch as social engineering tactics soar
You can hardly blame the organizations that fell prey to the Pyeongchang emails. The messages appeared to come from the NCTC and coincided perfectly with the anti-terror drills it was running. Add the 2 a.m. scheduled install of the back door and malware, and it's clear the Pyeongchang attacks, like most IT security incidents, were planned around the victims' routine rather than improvised.
3. IT security attacks prove more difficult to detect today
The email campaign fits the profile of file-less attacks. The name is a misnomer, since these threats aren't literally free of files (the lure document and the image carrier are both files); what sets them apart is that no new executable is dropped on disk for a scanner to find. File-less attacks abuse programs that are already trusted and whitelisted on the host, such as Windows PowerShell, or exploit vulnerabilities in plugins like Flash, so the malicious code runs in memory inside a legitimate process. According to the Ponemon 2017 State of Endpoint Security Risk Report, 77 percent of successful compromises last year involved file-less techniques. In general, this category succeeds significantly more often than traditional file-based malware.
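Lessons 2 and 3 both point at the same place to look: the PowerShell that runs each stage, and when it runs. The following added example, constructed for this article and not part of any vendor product or of the McAfee write-up, scores PowerShell Script Block Logging events against a handful of living-off-the-land indicators and an off-hours window. It assumes event ID 4104 has been enabled and exported as (event id, ISO timestamp, script text) tuples; the four sample events, the base64 blob and the pixel-reading one-liner are constructed, and the 00:00 to 05:59 window is an assumption to tune per site.

```python
"""Heuristic triage of PowerShell script-block log events (added example).

Assumes Script Block Logging (event ID 4104) is on and each event is
available as (event_id, ISO-8601 timestamp, ScriptBlockText). The sample
events below are constructed for this example, not taken from any incident.
"""
import re
from datetime import datetime

# Indicators that living-off-the-land PowerShell tends to show and routine admin scripts rarely do.
INDICATORS = {
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
    "image_decode": re.compile(r"system\.drawing\.bitmap|\.getpixel\(", re.I),
}
OFF_HOURS = range(0, 6)  # 00:00-05:59 local time; an assumption for this example, tune per site

def score_event(timestamp: str, script_block: str):
    """Return (score, reasons). Each matched indicator adds 1. A Bitmap/GetPixel decoder
    paired with IEX adds 2 more, because that pairing is the shape of an image-carried stager."""
    reasons = [name for name, rx in INDICATORS.items() if rx.search(script_block)]
    score = len(reasons)
    if "image_decode" in reasons and "invoke_expression" in reasons:
        score += 2
        reasons.append("steganographic_stager")
    hour = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S").hour
    if hour in OFF_HOURS:
        score += 1
        reasons.append("off_hours")
    return score, reasons

def triage(events, threshold=3):
    """events: iterable of (event_id, timestamp, script_block).
    Returns [(event_id, score, reasons)] for events at or above threshold, highest score first."""
    flagged = []
    for event_id, ts, text in events:
        score, reasons = score_event(ts, text)
        if score >= threshold:
            flagged.append((event_id, score, reasons))
    return sorted(flagged, key=lambda f: -f[1])

# Constructed sample events. The base64 in the first one decodes to a harmless
# "IEX (New-Object Net.WebClient)" in UTF-16LE; the second mimics a pixel-reading stager.
SAMPLE_EVENTS = [
    ("4104-0001", "2017-12-22T02:03:11",
     "powershell -w hidden -NoP -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ("4104-0002", "2017-12-22T02:03:12",
     "$img=New-Object System.Drawing.Bitmap('C:\\Users\\Public\\img.png');$o='';"
     "foreach($x in 0..$img.Width){$p=$img.GetPixel($x,0);"
     "$o+=[char](($p.G -band 15)*16 + ($p.B -band 15))};IEX $o"),
    ("4104-0003", "2017-12-22T09:14:05",
     "Get-ChildItem C:\\Logs -Filter *.log | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item"),
    ("4104-0004", "2017-12-22T14:30:00",
     "Invoke-WebRequest -Uri https://updates.example.internal/agent.msi -OutFile C:\\Temp\\agent.msi"),
]

if __name__ == "__main__":
    for event_id, score, reasons in triage(SAMPLE_EVENTS):
        print(event_id, score, ", ".join(reasons))
```

Run against the samples, only the two 2 a.m. events are flagged: the hidden-window encoded launcher and the pixel-decoding stager, with the stager scoring highest. The daytime log-cleanup script scores zero, and the daytime `Invoke-WebRequest` scores one, which illustrates the design choice: single indicators are common in legitimate administration, so the threshold is set where several of them, or the decoder-plus-IEX pairing, coincide. Signature-based antivirus never sees any of this, because the only artefacts on disk are a document and an image.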
The growth of file-less attacks, sophisticated social engineering, and rapid-fire hacker coding is bad news if your security is solely reliant on old-school protection methods, like traditional, signature-based antivirus. It’s not good news any way you slice it, but you’ve got less to worry about if you have best-of-class security solutions in your corner—like a business printer engineered to detect attacks and self-heal to prevent them from infecting your entire network.
With over a million dollars put into cybersecurity, you can’t say the organizations working to support this year’s event in Pyeongchang weren’t invested in preventing cybercrime. While you can hope the spear phishing attack in late December represented the worst cybersecurity issue of the event—and all future events—the signatures of the likely state-sponsored hack teach some invaluable lessons on the state of cybersecurity in 2018.