Olympic Games hackers tried to frame Russia, North Korea

Kaspersky Lab researchers say the clues left behind in the 2018 Winter Games hack were designed to pin the attack on other countries.

Alfred Ng Senior Reporter / CNET News

Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

See full bio

Alfred Ng

March 8, 2018 11:16 a.m. PT

2 min read

2018 Winter Olympic Games Opening Ceremony PyeongChang Feb 9th — The 2018 Winter Olympic Games suffered a cyberattack during its opening ceremony. The hackers behind it purposely left fake clues to frame other nations, researchers say.
Roland Harrison/Action Plus via Getty Images

When Olympic Destroyer hit the 2018 Winter Games in South Korea, a quick list of suspects behind the attack surfaced.

Reports attributed the destructive attack to Russia and North Korea. In the malware, which was designed to wreak havoc on the Olympics IT system, there were lines of code that only North Korean hackers had used in the past.

But new research from Kaspersky Lab shows these codes were purposely left in there to throw researchers off their trail.

"Attackers are becoming smarter and they know that creating the ultimate false flag is the ultimate defense," Vitaly Kamluk, director of Kaspersky's global research and analysis team, said Thursday at the cybersecurity company's conference in Cancun, Mexico.

Finding out who's behind cyberattacks is essential for taking countermeasures, but it can be difficult for researchers to pinpoint the exact perpetrators. Just because WannaCry, a global ransomware attack from 2017, used the NSA's hacking tools, doesn't mean the US government was behind it, for example. It took about eight months before the White House was able to announce that Russia was behind "NotPetya," calling it the "most destructive cyberattack in history."

Researchers are still working to find out who was really behind the Olympic Destroyer attack, Kamluk said, but he noted that code from North Korea's hacking unit Lazarus Group had been forged.

Kaspersky Lab's researchers discovered the forgery by looking at the "Rich Header" section of the malware, the part of the code that can be found in most executable Windows files. They found several inconsistencies in the Rich Header that didn't match up with previous Lazarus Group attacks. The section was a blatant copy, said Igor Soumenkov, a Kaspersky researcher.

Forging another nation's signature on attacks is like leaving someone else's DNA at a crime scene, Kamluk said. It throws off researchers and creates public confusion and chaos, which attackers want.

"We managed to find 100 percent proof that they were forged. It was to confuse the general public," Kamluk said.

The Kaspersky Lab research team said they expect this to continue with future attacks, and that attribution will have to be much more careful in the future.

"This campaign shows us that nation-state actors know to play games with researchers," Kamluk said. "They wanted this error."

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.