How the 2018 Olympic Cyberattack Was Traced To Russian Hackers (wired.com)
Sparrowvsrevolution writes: In a lengthy article, Wired tells a newly detailed narrative of the cyberattack on the 2018 Winter Olympic games, which hit the Olympics network during the opening ceremony. The piece details how the malware used in that attack was designed to incorporate multiple sophisticated false flags, and how forensic analysts overcame those red herrings to eventually trace the attack to a specific unit of Russia's GRU military intelligence agency.
It's a good read. Wired calls it "perhaps the most deceptive hacking operation in history," but they finally get an answer from a 28-year-old former anarchist punk turned security researcher at the Reston, Virginia, office of the security and private intelligence firm FireEye. The tell-tale clue: the malware used "a certain common set of hacking tools called PowerShell Empire." He soon deduced that the source of that signal in the noise was a common tool used to create each one of the booby-trapped documents. It was an open source program, easily found online, called Malicious Macro Generator. Michael Matonis speculated that the hackers had chosen the program in order to blend in with a crowd of other malware authors, but it had ultimately had the opposite effect, setting them apart as a distinct set... When he looked at the command and control servers that the malware connected back to -- the strings that would control the puppetry of any successful infections -- all but a few of the IP addresses of those machines overlapped too...
Matonis began painstakingly checking every IP address his hackers had used as a command and control server in their campaign of malicious Word document phishing; he wanted to see what domains those IP addresses had hosted... At the end of his long chain of internet-address connections, Matonis had found a fingerprint that linked the Olympics attackers back to a hacking operation that directly targeted the 2016 US election. Not only had he solved the whodunit of Olympic Destroyer's origin, he'd gone further, showing that the culprit had been implicated in the most notorious hacking campaign ever to hit the American political system.
Re: agreed (Score:1)
The False Dilemma Fallacy (Score:5, Insightful)
Just because there may well be machinations going on in the US government doesn't make the Russians innocent. In fact, anyone who assumes the Russians are behaving themselves at the moment probably has a number of sales brochures for bridges.
Re: (Score:3)
Re: (Score:2)
They did prove it in court, and many Russians were indicted; there was also video evidence from Dutch Intelligence of them perpetrating the hack, so it went well beyond "Ohh Ahh, IP address."
Stop the whataboutism, de
Re: (Score:2)
You can indict a ham sandwich, and considering that Mueller indicted a company that did not exist when the crime happened, indicting ham sandwiches seems to be a common occurrence. In any case, NOTHING was proven, because there wasn't a trial. Mueller only indicted entities that he knew wouldn't show for the trial.
Re: (Score:1, Flamebait)
Re:The False Dilemma Fallacy (Score:5, Insightful)
Re:Each time I read "Russian hackers" ... (Score:5, Informative)
The current administration, which those Russian hackers helped put in place, is doing their best to cut social services that help homeless people and starving students. That same administration is implementing policy after policy which will increase the disparity of wealth, creating more starving students and homeless people.
But hey... why think about the causes of these things when you can flail your arms about wildly and demand that people somehow fix them without addressing the causes.
Re: (Score:2)
They wouldn't be starving if they didn't spend all their money on booze, drugs and partying.
If avoiding booze, drugs and partying was the secret to success, I should have like 7 Teslas by now.
Re:Each time I read "Russian hackers" ... (Score:4, Informative)
Yes, that's the reason. Not the $10,000+ tuition, $10,000+ for housing, $1,200+ for textbooks and so on (and that's at a cheap state college for students who live in the state... better colleges cost far more).
Here's a clue for you; the students who spend the most time partying are the ones who have wealthy parents who are paying for it all. They aren't the ones who are starving.
Re: (Score:1)
In ye olden days of Slashdot, the meta-mods used to weed most of the bad moderators from the pool. I'm guessing either no one bothers to meta-mod anymore, or that part of Slashcode broke a long time ago, and Slashdot has changed hands so many times now, that no one knows how to fix it.
Re: (Score:3)
... my eyes glaze over.
Then the process is working as intended.
NSA is getting better everyday (Score:2, Funny)
Russian Hackers? (Score:3, Informative)
Oh, you mean those friends of Putin who is the one pulling you know who's strings.
This was just a dry run for the elections in a years time. Russia wants Trump to get another 4 years.
So it was (Score:4, Interesting)
But Windows security? Found the "apparent Russian calling cards"?
But "no clear code matches"...
Let's keep reading...
North Korean again
But wait for the Russia did it...
It's the "Chinese government"?
How much reading until it's Russia, Russia, Russia?
IP addresses...
Ukrainian?
Finally GRU
From an IP range and some Cyrillic?
Why would the GRU let its code litter be seen/found... ?
Few people found the GCHQ, CIA, MI6 code litter in the wild...
yet "GRU" is found via "Cyrillic" code litter and an IP range in the code?
The world gets to read about the methods used to track the GRU? In real time? No waiting 30-40 years? For some approved author to mention something about US cyber in a book 40 years later?
To protect US methods?
Re: (Score:2)
Re: (Score:1)
https://cryptome.org/2012/07/gent-forum-spies.htm
IRA in full effect (Score:1)
The Putin Propaganda Posse is in full force today. I would recommend everyone make themselves aware of the common methods employed by online actors.
https://cryptome.org/2012/07/gent-forum-spies.htm