Darknet Diaries - 77: Olympic Destroyer
Episode Date: October 27, 2020
In February 2018, during the Winter Olympics in Pyeongchang, South Korea, a cyber attack struck, wiping out a lot of the Olympics' digital infrastructure. Teams rushed to get things back up... but it was bad. Malware had repeatedly wiped the domain controllers, rendering a lot of the network unusable. Who would do such a thing? We will talk with Andy Greenberg to discuss Olympic Destroyer, a chapter from his book Sandworm (affiliate link).
Sponsors
Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.
Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7-day free trial and get 25% off when you sign up.
Transcript
Hackers in the Olympics? Yeah, it's happened.
In the fencing competition of all places, have you watched modern fencing lately?
If you watch it, I have one tip for you. Don't blink.
Fencing is extremely fast. The blades are whipping through the air.
As a spectator, you're trying to see who hit who first.
Keeping your eyes on two different swords at once, it's impossible to tell.
In fact, it's impossible for the judges to tell too. So they've
adopted technology to help. I'm not talking about some high-speed camera. No, it's more technical
than that. There's circuitry involved. In order to score a point, your foil or sword needs to apply
0.75 kilograms of pressure to the opponent's target area, which is their head or chest. And
you have to directly
poke with the foil. Slashing or hitting the target with the side of the foil doesn't count.
So to help the judges figure out who struck who first with enough force, they've added electronic
components to the sword and protective gear. Basically, there are wires going up the center
of the sword and at the tip is a little pressure plate. So when you push the tip of the sword with 0.75 kilograms of pressure, it completes the circuit of the sword. And each fencer has a
helmet and chest protector, which is wired to the same electronic circuit. So basically, to add it
all up, when the sword is pressed into the opponent's chest or helmet at 0.75 kilograms of
pressure or more, an electronic circuit is complete, and a point is scored.
It's a fairly simple but technical way of scoring in fencing, but this means electronics and
computers are now the judges. And you see where I'm going with this, right? In the 1976 Olympics
in Montreal, Quebec, this got exploited. Fencing competitor Boris Onishchenko, representing
the Soviet Union, rigged his sword. He hacked it and added a button on the grip so that he could
push it and complete the circuit whenever he wanted. His plan was to swing at the opponent,
push the button, and the computer judge would count it as a hit. So he went up against a British opponent and did just that.
He lunged, missed, pushed the button, and a point was scored for Boris.
Genius.
The judges didn't catch it, and he was now in the lead.
But his British opponent protested and said he didn't feel the hit at all,
and asked the judges to inspect the sword.
And that's when they found Boris's button and disqualified him from the event for hacking.
The British team that exposed him went on to win the gold medal. Yeah, hackers in the Olympics.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries. This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless and it's not a fair fight. But I realized I don't need
to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription
service that finds and removes personal information from hundreds of data brokers websites
and continuously works to keep it off. Data brokers hate them because Delete.me makes sure
your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring. By signing up for Delete Me, now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash darknetdiaries
and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that
does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call. I'm sure they
can help. But the founder of the company, John Strand, is a teacher and he's made it a mission
to make Black Hills Information Security world-class in security training. You can learn
things like penetration testing, securing the cloud, breaching the cloud, digital forensics,
and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security
classes do not need to be expensive, and they are trying to break down barriers to get more people
into the security field. And if you decide to pay over $195, you get six months access to the
MetaCTF Cyber Range, which is great for practicing your skills and showing them off
to potential employers, head on over to BlackHillsInfosec.com to learn more about what
services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com. BlackHillsInfosec.com.
For this episode, we're going to visit with our old friend, Andy Greenberg.
We had Andy on before to tell us the story of NotPetya back in episode 54.
And as you may recall, Andy wrote a book called Sandworm, which went into great detail about the NotPetya attack.
He's an amazing investigative journalist.
And today, Andy is going to talk to us about
hacking the Olympics. My name is Andy Greenberg. And I, did you ask me my title? My title is a
senior writer at Wired. But I guess for the purposes of this interview, I'm still
the author of Sandworm because this is a story from Sandworm.
The story takes place in the Winter Olympics in 2018, which was in South Korea,
in the city of Pyeongchang. The opening ceremony was on February 8th. The city was well below
freezing at that time, and volunteers donned face masks to protect themselves from the icy wind
blowing through the stadium. Sang-jin Oh, the man running IT for the Olympics, was sitting
in a plastic chair a few dozen rows above the stadium,
waiting for the opening ceremony to start.
A lot of preparations took place to get to this point.
And you might not think about how many IT preparations there are for the Olympics,
but there are a ton.
Sang-jin Oh managed it all.
Just to start out, he had 150 employees to manage the IT infrastructure for these Olympics.
That's a pretty big IT staff. I mean, it's bigger than the size of some Fortune 500 IT teams.
And it's that big because there's a ton of things to manage. There's restricted areas,
which require electronic key cards to access. There are phone apps to help spectators enjoy
their experience. There's ticketing systems, Wi-Fi in stadiums, fields, and around the villages.
And a ton of other systems to help people get from one place to another.
And of course, there's many stadiums, courses, and buildings where all this IT infrastructure has to work.
They set up a data center with 24-7 network operations center monitoring everything that was going on.
And Oh felt like everything was ready for the games to begin. He sat in the stadium to watch the opening ceremony. This was the pinnacle of his career, or so he thought. The lights dimmed. Everyone went quiet. The ceremony was starting.
Ten seconds before 8 p.m., this choir of Korean children begins to do this countdown,
this ten-second countdown to the beginning of the opening ceremony.
And just as they're counting down in Korean, and this is reverberating across the stadium,
Sang-jin Oh looks down at his phone and sees that he has this flood of text messages
telling him that all of the domain controllers in the Olympics data centers in Seoul are being wiped one by one.
These domain controllers were incredibly important.
They controlled authentication and authorization for everything from the Wi-Fi on-site to the Olympic app.
And the app managed everything that athletes, visiting dignitaries, staff,
and tens of thousands of attendees needed for finding their way around, handling their tickets, and gaining access to secure locations, and even check into the hotels.
Basically, all the stuff that would allow anyone to get access to anything was on the fritz.
But he starts responding to his subordinates.
He starts texting them back.
And then he realizes that he needs to get to the technology
operations center in Gangneung. So he gets up, he runs out of the opening ceremony. As he's leaving,
he can already hear journalists complaining that the Wi-Fi isn't working in the stadium. The IPTV
systems are down across the facility and other facilities around the whole Olympic campus in
Pyeongchang. The app seems to be failing as well.
People are trying to get into the stadium
and they're unable to access tickets, it turns out.
You know, this is perhaps the worst possible news
that you could get at this exact moment
as you're hoping to watch this event come to fruition
that you've been working on for three years.
100 medal events.
So a little bit of history is being made
during these games in 2018.
And I wonder how the organizers are feeling right at this moment. They have worked so hard to get
to this stage. Hours, days, years. And this is the culmination. This is it. This is the start.
This is the big, big moment. As all of this is happening, Oh is running out of the stadium.
He meets up with two of the people who work for him on his staff,
and they get into an SUV, and they start this long drive to Gangneung, this neighboring town.
Well, when he arrives, in fact, the staff is in like kind of such a state of, I wouldn't say panic, but sort of disarray,
that they're kind of standing up and talking to each other in clumps.
They can't even access their email.
All of their systems seem to be down.
And when we say that all their systems seem to be down,
you have to understand just how massive the infrastructure of these games were.
We're talking 10,000 PCs, 20,000 mobile devices,
6,300 Wi-Fi routers, and 300 servers,
which existed in two different data centers in Seoul.
All this being managed by a team of 150 IT staffers.
We find out later, in fact, the ticketing system, which is integrated into the Olympics app,
was broken too, and that some people had been locked out of the opening ceremony.
But that was later. In this particular moment, it was chaos.
It's hard to focus and troubleshoot one thing when there's a million things going wrong at once.
The pressure that the whole world is watching right now makes the stress so much worse.
Now, Oh had followed best practices for setting up the IT infrastructure of the Olympics.
His team had done its best to prepare in case something bad happened.
Their cybersecurity advisory group had met 20 times since 2015, and they'd done drills
for fires and earthquakes and even cyber attacks. But then when the actual moment hits, when the
disaster actually came, it was still very shocking. No drills can prepare you for an actual destructive
cyber attack of this scale. They know that if they can't fix all of this before the end
of the opening ceremony in two hours, then a kind of chaos will unfold where 35,000 people leave the
stadium and can't figure out where to go next. It'll be this massive embarrassment in one of
the world's most wired countries. The team frantically created a workaround to get the
official Olympic app working, which would allow visitors to get in and out of the opening ceremony. But their domain controllers and many other parts
of the network remained down throughout the entire opening ceremony, causing a lot of problems.
Embarrassing, yes. Frustrating, yes. But now that the opening ceremony was over, a new clock started.
The IT staff knew they had all night to evict the hackers, rebuild the systems, and try to get the network back up and operational again by the time the first competition started in the morning.
So then these poor IT staffers spend the entire nights battling to rebuild the entire backbone of the Olympics.
They initially bypass all of their domain controllers, which are down.
That allows them to bring some services back online, but they know that that's not a stable or secure way to maintain a network.
Then they spend hours and hours trying to rebuild everything, but they find that as they're rebuilding domain controllers, for instance, they're being wiped again by some piece of malware in their system.
They are able to figure out that it's this one malicious file called winlogon.exe.
Ugh, I hate it when hackers do this.
The malware was called winlogon.exe, which is also the name of a real process within
Windows, a normal, benign, critical process
that's required for your operating system to work.
I hate it because when you're going through the computer
looking for malware,
you're not going to notice that's the malware
because it has the same name of a process
that should be running.
But this malicious winlogon.exe was a worm
that would first try to spread itself
to as many other machines as it could
and then begin wiping the entire system it infected,
deleting configurations, settings, applications, files.
And it would even screw up the operating system,
rendering the core servers of the Winter Olympics unusable.
You know, there's this kind of fog of war
where they don't know what is kind of erasing their work as they go.
I mean, their domain controllers are being
wiped repeatedly. So eventually they resort to actually taking their whole network offline
around midnight, which results in even their website going down. This is a pretty extreme
measure because they think that the hackers somehow are still maintaining remote access
to their systems. Only around 5 a.m. are they able to, with the help of this
Korean security company AhnLab, isolate and create a signature for this automated piece of malware.
At 6.30 a.m., they think that they've essentially eradicated this malware, and they reset every
staffer's password in the hopes of locking out the hackers from any further access. And just before 8 a.m., 12 hours after the cyber attack began,
they finally finish reconstructing the entire IT backend,
rebuilding all the servers from backups and restarting everything.
And amazingly, this works.
This is kind of a kind of feat of IT heroics.
They just barely got the network back up in time for visitors, competitors, and staffers to pour into stadiums and fields and Olympic villages that morning.
But what happened here? Malware ripped through the IT infrastructure of the Winter Olympics in South Korea at the exact moment the opening ceremony started?
Was this sabotage? A targeted attack? Some teenage hacktivists making a statement?
It was unclear, but there was no time to stop and think about that. The IT teams were exhausted,
and they had to make sure the games continued without any more problems. And the heroic effort
that the IT teams put into keeping that network stable paid off. For the rest of that Olympic Games,
there were no more cyber attacks.
But when I spoke to Sang-jin Oh,
the director of the Olympics IT staff,
he remains today almost traumatized by these events.
He knows that they were just minutes or hours
at the very least from disaster
and that it took a kind of enormous effort
to save these Pyeongchang Olympics from
utter digital chaos. And he's still very angry that someone would dare to launch this cyber
attack against an actual global and peaceful event. You know, it's always a kind of test of
a country's organizational capabilities to run an event this big. And it would have been a kind of
black mark on the Olympics for forever that
it had been digitally broken. After the break, we're going to find out who did this. Stay with us.
This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever. I recently visited
spycloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their
disposal. From credentials to cookies to PII. Knowing what's putting you and your organization
at risk and what to remediate is critical for protecting you and your users from account
takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure
from third-party breaches, successful phishes, or info-stealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
So, we have a major attack on a major sporting event the world is all watching.
Who are the usual suspects here?
Who would want to attack the Olympics like this?
I guess this was maybe my first thought,
was that this was probably North Korea,
because North Korea has a history
of these kind of wanton, irrational cyber attacks
against South Korea in particular.
They might be incentivized
just to try to embarrass their neighbors,
who they're always, you know,
they remain actually formally at war with South Korea. This is an opportunity to throw a wrench in the works and humiliate their South Korean neighbors.
Okay, that makes sense. North Korea definitely has a motive.
They've attacked South Korea numerous times and have the capability to do such a thing like this.
But it's just shocking to me to think that this is a nation-state sponsored attack. Because the Olympics are supposed to be a peaceful event,
where we can celebrate the world coming together for a friendly sporting competition.
But North Korea was not the only suspect.
There was one country that didn't get invited to the Winter Olympics that year.
A country who's highly competitive and always wins gold medals every Olympics.
See, the Winter Olympics, just before this, was in Sochi, Russia. And there, a bunch of Russians
won gold medals and were tested for using steroids and other illegal drugs to enhance their performance.
But the tests all came back negative for the Russians. They were all clean. But an investigation
years later discovered that some of the tests and samples were swapped before being sent to the lab, which returned a negative
result even if the athlete was doping. The Worldwide Anti-Doping Agency and the International
Olympic Committee discovered that Russia was doping and faking the drug tests. And because
of that, they banned Russia from competing in the 2018 Olympics in South Korea.
Russia denied that any doping took place and was furious with this ban.
Russia had been banned from these Olympics for doping.
Russia had, in fact, already been carrying out a kind of hacking campaign
against the worldwide anti-doping agency,
stealing and leaking documents that were designed to embarrass the
agency and to show that they were biased and that their investigation of Russia's doping efforts,
which were very real and organized, to show that that investigation was somehow fraudulent or
unfair. For Russia to be banned from the Olympics and then hack into the worldwide anti-doping agency and International Olympic Committee to publish private emails as a retaliation?
Yeah, it's definitely sounding like Russia has the motive, capability, and know-how to wage an attack on the Winter Olympics like this.
But once we look at the forensics, then that's where it starts to get weirder, because China comes up as well.
Like, there's all three.
Oh, great. Now China's a suspect, too. Why can't it ever be easy to figure out who's behind these attacks?
So, as people began analyzing this malware, they saw that parts of the code were written by Chinese hackers.
Specifically, this section of the code appeared in previous attacks done by China, and no other attacking team used code like that.
Now, when Oh's IT team was busily trying to defeat this malware, someone uploaded it to VirusTotal.
VirusTotal is a website where you can upload malware, and it'll tell you information about that malware.
It's a great tool to help you understand what you're dealing with.
But this malware was new, and VirusTotal had no information on it.
Now, when new malware gets uploaded to VirusTotal,
premium members can get a copy of it to analyze it.
So when Oh's team uploaded it,
a bunch of threat research companies downloaded it and started analyzing it.
One of those teams who took a look was Cisco Talos. This is a threat intelligence team within Cisco,
which is a company that makes networking equipment. Cisco Talos analyzed winlogon.exe,
that malicious file that wiped the computers. And it was Talos that gave
this worm a name, Olympic Destroyer. So the basic components of Olympic Destroyer were a kind of password-stealing tool,
and then a component that would use those stolen passwords with remote access features
to spread among computers and destroy all of the data on them,
essentially by deleting the boot configuration from infected machines
and then disabling all of their Windows services and shutting the computer down so it couldn't be rebooted. In some ways, those components looked very familiar in their kind of basic form,
resembled two other pieces of disruptive malware, NotPetya and BadRabbit, both of which were these
worms released in Ukraine and very widely believed to be Russian in origin. Both of those attacks
also had contained password-stealing tools to spread
and then a destructive wiper as their kind of payload.
Interesting that this resembled NotPetya.
If you don't know about NotPetya, I highly recommend listening to episode 54,
because NotPetya was a major cyber attack waged on Ukraine,
knocking a huge portion of Ukraine's network offline,
which could absolutely be seen as an act of cyber war.
So once again, that's an indicator that this could have been a state-sponsored attack from Russia.
But strangely enough, Russia denied this cyber attack on the South Korean Olympics before it happened.
The Russian government had actually made a statement
about the fact that they had not done a cyber attack
against the Olympics before the Olympics began.
They said, in fact, that we will be accused
of doing a cyber attack against the Olympics,
but there will be no evidence,
which was a very weird thing.
And everybody who saw that, I think, was like,
what? We haven't even said anything yet.
Why are you trying to deny having done an attack that has not even occurred yet? I mean, it was very weird.
Yeah, who knows what to make of that? It's certainly fishy. But then you look at the code and there's one big problem.
Although it kind of had that same shape, it was also kind of rewritten from scratch.
Olympic Destroyer didn't seem to actually share
any code with NotPetya or BadRabbit. Cisco Talos published their analysis,
and it was not what the forensic researchers were expecting.
Researchers are always looking for answers to this attribution problem, who is behind the cyber
attack, because it's often very difficult. But there are fingerprints, there are code links,
like similar code used in different pieces of malware or infrastructure links,
like they're using the same servers as the command and control infrastructure for the attack, that sort of thing.
Here, it wasn't that there were no clues to provide those answers.
It was that there were too many, and they pointed in every different direction.
There were, for instance, code matches with malware from the North Korean group called Lazarus
that's responsible for the Sony attack and lots of other high profile attacks.
This Olympic Destroyer malware had some of the same wiper code as had been used by those Lazarus
hackers. Both wiping components, for instance, deleted files by destroying the first 4,096 bytes,
which seems like a real giveaway that this was North Korea.
Oh, I see. The technique the Koreans used to wipe systems in previous attacks
was the same technique used in the Olympic Destroyer malware.
Nobody else used that technique.
So that shifts the focus back to North Korea.
Threat research groups continued to analyze this malware to look for clues.
But then at the same time, a security firm called Intezer pointed out that
a chunk of the password-stealing code in Olympic Destroyer
matched with a different hacker group called APT3, which is widely understood to be Chinese.
So was it North Korea or was it China?
Meanwhile, the security firm CrowdStrike found similarities in parts of Olympic Destroyer with a piece of ransomware that Russian hackers had used called XData.
It was just a kind of tangle of forensics
with clues pointing in every direction.
And as soon as you thought that you had come to a conclusion,
there was another hypothesis to undermine it.
It was just a kind of unprecedented scenario
where it seems like the hackers,
instead of trying to simply cover their tracks,
they had built-in tracks pointing in every direction at once.
What a wild concept to build in tracks, which leads to many different sources of who this attacker could be.
So were all these false flags, red herrings, distractions from the truth?
There was a whole collection of them. And at first glance,
at least, it was impossible to figure out what was a real clue and what was a false flag.
As you can imagine, this type of thing happens a lot. Hackers typically don't like being discovered
and will hide their tracks with distracting clues and false evidence all the time.
Like they'll use another foreign language in the code to throw people off, make them think
they're from a different country than they're actually from. But what was different about this
was just the sheer number of false flags and the sophistication of it. One researcher, Silas Cutler
at CrowdStrike at the time, described it to me as psychological warfare on reverse engineers.
That it was like every researcher has one clue that they look for
as the kind of tell about who is truly responsible for a piece of malware. And in this case,
you would find that thing and it would still be a lie. There were false clues planted far deeper
than anyone had ever seen before. So how do you find a real clue in a haystack of planted clues?
Kaspersky, a Russian cybersecurity firm, started looking at the file's rich headers, the part of
the file's metadata that tells you what kind of programming tools were used to make it.
And that finally got researchers on the right track. So Kaspersky tried comparing the Olympic
Destroyer header with its database of other malware samples in their headers,
and it found that there was a perfect match with North Korea's Lazarus hackers and one of their
pieces of data-wiping malware. So at first, that seemed like confirmation. This really was North
Korea. Or was it? One Kaspersky researcher, Igor Soumenkov, happened to have an expertise
in these types of rich headers,
and he took the analysis a step further. And he checked whether this header actually made sense
with the contents of the malware. And he could see pretty quickly that no, this metadata didn't
actually match the data. Someone had forged the rich header, which is kind of remarkable because it's
like hiding a fake fingerprint in the most obscure possible place in the hopes that some
extremely diligent detective is going to look in that corner and find it. And it almost worked.
What Igor Soumenkov had found, though, was that this means someone was trying to make it look like North Korea.
Underneath all of these layers of false flags, he had found one false flag that was provably false,
that was clearly forged. And that was an indication that it probably was not North Korea,
because it would just be too bizarre to imagine that North Korea had forged their own rich header to implicate themselves.
In some ways, this was kind of the first clue about who might really be responsible.
Gosh, this is a mind game. North Korea has been known to do some pretty bizarre stuff,
but I think this is still a little too bizarre even for them to do.
So this made researchers believe this probably wasn't North Korea. But who was it? To figure that out, researchers would have to look beyond the malicious
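The Rich header check described above, as an added worked example that is not from the episode, the book, or Kaspersky's own tooling: it parses a PE file's Rich block, recomputes the checksum that doubles as the block's XOR key, and reads the optional header's linker version, the cheapest field to compare against what the @comp.id entries claim. A forger who edits entries in place breaks the checksum; one who copies a donor's whole DOS stub and Rich block keeps it valid, which is why the cross-check against the rest of the binary matters. All sample bytes, @comp.id values and counts are constructed, and the product-ID-to-toolchain table needed to finish that cross-check is assumed to come from a public reference and is not included.

```python
import struct

DANS = 0x536E6144  # b"DanS" as a little-endian DWORD
RICH = b"Rich"
MASK = 0xFFFFFFFF


def rol32(value, count):
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK


def rich_checksum(data, rich_start, entries):
    """Recompute the Rich checksum, which doubles as the block's XOR key: the
    start offset, plus every DOS header/stub byte rotated by its position
    (e_lfanew excluded), plus every @comp.id rotated by its use count."""
    cksum = rich_start
    for i in range(rich_start):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(data[i], i)) & MASK
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & MASK
    return cksum


def parse_rich_header(data):
    """Locate and decrypt the Rich block; report whether its checksum verifies."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = data.rfind(RICH, 0, e_lfanew)
    if end < 0:
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = end - 4
    while start >= 0 and struct.unpack_from("<I", data, start)[0] ^ key != DANS:
        start -= 4
    if start < 0:
        return None
    entries = []
    for off in range(start + 16, end, 8):  # skip DanS and its 3 padding DWORDs
        compid, count = struct.unpack_from("<II", data, off)
        entries.append((compid ^ key, count ^ key))
    return {"start": start, "key": key, "entries": entries,
            "checksum_ok": rich_checksum(data, start, entries) == key}


def linker_version(data):
    """MajorLinkerVersion/MinorLinkerVersion from the optional header: one field
    a copied Rich block has to agree with (via the @comp.id product table)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return struct.unpack_from("<BB", data, e_lfanew + 4 + 20 + 2)


def build_sample(stub, entries, linker):
    """Assemble a minimal PE prefix (DOS header, stub, Rich block, NT headers)
    with a correctly computed key. Constructed test data, not a real binary."""
    header = bytearray(b"MZ".ljust(0x40, b"\0")) + stub.ljust(0x40, b"\0")
    rich_start = len(header)  # 0x80, as in typical MSVC-linked files
    key = rich_checksum(header, rich_start, entries)
    block = struct.pack("<IIII", DANS ^ key, key, key, key)  # DanS + 3 zero pads
    for compid, count in entries:
        block += struct.pack("<II", compid ^ key, count ^ key)
    header += block + RICH + struct.pack("<I", key)
    struct.pack_into("<I", header, 0x3C, len(header))  # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB", 0x10B, *linker).ljust(0xE0, b"\0")
    return bytes(header + b"PE\0\0" + coff + opt)


def patch_compid(data, index, new_compid):
    """Sloppy forgery: rewrite one @comp.id in place, leaving the old key."""
    info = parse_rich_header(data)
    out = bytearray(data)
    struct.pack_into("<I", out, info["start"] + 16 + 8 * index, new_compid ^ info["key"])
    return bytes(out)


def transplant(donor, recipient):
    """Careful forgery: graft the donor's entire DOS stub and Rich block onto the
    recipient's NT headers, so the checksum still verifies."""
    donor_nt = struct.unpack_from("<I", donor, 0x3C)[0]
    recip_nt = struct.unpack_from("<I", recipient, 0x3C)[0]
    return donor[:donor_nt] + recipient[recip_nt:]  # e_lfanew already equals donor_nt


# Constructed samples; the @comp.id values and counts are made up for the demo.
STUB = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21This program cannot be run in DOS mode.\r\r\n$"
DONOR_ENTRIES = [(0x00010000, 2), (0x00130C05, 7), (0x00060C05, 1)]
RECIP_ENTRIES = [(0x00010000, 5), (0x009B7809, 3), (0x00AA7809, 1)]


def demo():
    donor = build_sample(STUB, DONOR_ENTRIES, linker=(6, 0))
    recipient = build_sample(STUB, RECIP_ENTRIES, linker=(10, 0))
    sloppy = patch_compid(recipient, 1, 0x00130C05)  # checksum no longer verifies
    careful = transplant(donor, recipient)  # checksum verifies, linker field disagrees
    return {"donor": parse_rich_header(donor), "sloppy": parse_rich_header(sloppy),
            "careful": parse_rich_header(careful), "donor_linker": linker_version(donor),
            "careful_linker": linker_version(careful)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On a real sample, read the file bytes and pass them to parse_rich_header and linker_version; a verified checksum only rules out the sloppy case, so the decoded @comp.id entries still have to be compared against the linker version and other properties of the binary.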
file. The real unraveling of Olympic Destroyer only began when an analyst named Michael Matonis,
who worked for FireEye, began to look into it. And he took a different approach still. Rather
than looking at the code
or the header or the malware at all, he looked at the kind of delivery mechanism for it. He looked
at the infected Word documents that he pulled from VirusTotal that had been used as the kind
of vehicle to initially infect the Olympic targets. It turns out that as early as November of 2017, prior to the Olympics,
months earlier, the hackers behind Olympic Destroyer were seeding out the malware. They
were doing the kind of typical thing that state-sponsored hackers do to gain a foothold,
sending out infected Word documents, attachments designed to give them some sort of code execution on a computer inside a target
network. So Matonis was able to pull one of those malware-laced Word documents from VirusTotal
and examine it. As researchers typically do, he started searching through his own archive of
malware, trying to find anything that matched it, and he couldn't find anything. There was nothing,
no kind of clear match. But he did find that there was a collection of files that kind of roughly resembled it,
that used some of the same hacking tools that seemed to be obfuscated in the same way.
And when he started to pull apart how that obfuscation worked for each of these kind of
suspicious attachments, he saw that they had been created
with the same tool called Malicious Macro Generator. It looked like the initial infection
of the Olympic network began with a phishing email. There was a document sent to a bunch of
staffers. And if you open that document, it ran a malicious script or set of macros. Antivirus and
operating systems should have stopped the macros from
running. But these macros were created with a tool called Malicious Macro Generator, which tricks the
computer into thinking the commands are perfectly fine and allowed and not dangerous. So Matonis
examined these phishing emails and attachments in further detail. He was able to narrow down this
big pile of attachments to just a few that all shared these characteristics. Once he started to look at those documents,
they began to look rather familiar in their targeting. One seemed to target Ukrainian LGBT
activist groups. Others were targeting Ukrainian companies and Ukrainian government agencies.
That was the first real red alert moment, something very ominously familiar for him. Because I think we all know
by now that Ukraine is the favorite hacking target of Russia, that Ukraine, in fact, has been
digitally and physically abused by Russia for years now, since the beginning of the Russian
invasion in Ukraine in 2014.
Matonis was beginning to find some solid evidence that whoever was behind the Olympic attack had
targeted these Ukrainians in the months prior. And that is probably not North Korea,
and it's probably not China. Matonis was getting closer to figuring out who did this. But the clue that finally closed the case appeared when Matonis started looking at the IP addresses that these malicious Word documents used to communicate with their command and control servers.
He would check the domains that these Word documents were designed to phone home to, but then also check every IP address that domain had ever lived at to kind of create this branching forensic chart.
And a few steps down that tree of connections,
he found this one domain, account-loginserve.com.
For Matonis, who has a kind of photographic memory,
this immediately just lit up for him like neon.
He recognized that domain immediately. Russian hacking of the 2016 campaign went a lot deeper than previously known.
That's what current and former counterintelligence officials told Congress today.
As of right now, we have evidence of 21 states,
election-related systems in 21 states that were targeted.
In 2016, Russians hacked the U.S. State Board of Elections
in a number of states, including Arizona and Illinois. The hackers accessed voter rolls for
hundreds of thousands of voters. A year later, the FBI put out an alert for this group.
The FBI was warning in this case that those same hackers were now sending out phishing emails and that the domain that they
were using was account-loginserve.com. And Matonis immediately remembered this.
And that was the moment for him when all of this came together.
Both hacks had used the same domain, account-loginserve.com. This meant that whoever
owned that domain was responsible for both the hacks
on the U.S. state boards of election and the 2018 Winter Olympics. This was the smoking gun
that tied it all together. Now we could see that the same hackers had shared infrastructure
with the attackers who had targeted the 2016 U.S. presidential election. This seemed to tip the evidence in one
direction. The Russian government was responsible for creating Olympic Destroyer. There may have
been clues implicating North Korea and China, like IP addresses routed through North Korean
servers and code and functionality linked to the Chinese hacking groups, but fingerprints that
match the targeting of Ukrainian LGBT groups
and voter rolls in the U.S. elections, this means more fingers point to Russia than any other
suspect. And if that's the case, it meant this was the same group that conducted NotPetya,
one of the most extreme cyber attacks the world has ever seen. This was the hacking group known as Sandworm.
It's quite ironic, but in this most deceptive ever piece of malware, ultimately were the clues
that not only identified the perpetrators of this attack as Russian, but also contained in them
the identity that would allow the cybersecurity community to tie everything from
NotPetya to the 2015 and 2016 blackouts in Ukraine to this one group, Sandworm. Olympic
Destroyer actually contains in it the seeds of the answer to that larger mystery. Now you can see
that in fact, this whole chain of Russian cyber attacks, cyber war, in fact,
has been tied to this one GRU unit. And that ultimately is the, you know, the best working
theory we had for a long time about who Sandworm was. And it was a good theory, because in July
2018, the U.S. Department of Justice indicted 12 Russian GRU hackers for interfering with the 2016 U.S.
elections. And in that indictment, they mentioned that there were two units within GRU that these
hacks were carried out from, Unit 26165 and Unit 74455. The first was blamed for hacking the DNC,
and the second was blamed for hacking state boards of election. And that
was the missing piece of the puzzle. Matonis had already connected that whoever hacked the state
boards of election also conducted Olympic Destroyer, but he did not know which GRU unit did
it. And right there in the Mueller report, it was the first time we learned that Unit 74455
was Sandworm. And there was also a Washington Post story that came out,
which said that anonymous sources told them that Russia hacked the Olympics
and tried to make it look like North Korea did it,
which is just another finger pointing in that direction.
So almost two years since this happened,
still no government has said who was behind this or blamed Russia for attacking a peaceful sporting event.
This is the kind of most vexing part of this story for me.
I don't know. It's flabbergasting.
I don't understand why a group of hackers were allowed to carry out a sabotage of global peaceful events and just essentially get away with it. When it comes to
this attack on the Olympics, there has never even been a public statement from a government
saying who is responsible. So Andy wrote a follow-up piece to this story, an op-ed in
the Washington Post titled, We Need to Hold the Kremlin responsible for its 2018 cyber attack on the Olympics.
And one of the points I made in that op-ed was that if nobody condemns this, nobody shames Russia for this, then we're basically inviting them to try again in 2020.
Well, as you know, 2020 had different plans for all of us.
The Olympics were canceled due to coronavirus.
And even if they had been held, Russia was not allowed to compete because they were still banned for doping in Sochi.
So now that we've gone through all the technical stuff and figured out who did this, I'm still not sure if I fully understand why they did it.
They tried to cover their tracks. They weren't even trying to send a message. They were trying to make sure that a message was not sent, that nobody could trace
this back to them. Yeah, because if you're going to conduct something like this, all you're doing
is making a statement. You're essentially saying, we don't like that you banned us. But then you try
to hide the fact that you made this statement. So, you know, was it really just as petty as it seems?
Like, I can't think of another instance myself when a country has carried out destructive cyber
attack like this with real global impact just out of a pure toddler emotion. Toddler emotion?
Is that too strong a way to put it? I thought so. Yeah, maybe. But then some major news broke last week.
Good afternoon. Today we announced criminal charges against the conspiracy of Russian
military intelligence officers who stand accused of conducting the most disruptive
and destructive series of computer attacks ever attributed to a single
group. This announcement was delivered by John Demers, the Assistant Attorney General of the
United States, an FBI director, a U.S. attorney, and an FBI special agent. The defendants in this
case were all members of the Military Unit 74455 of the Russian Main Intelligence Directorate, known as the GRU. Six current and
former officers in Unit 74455 are accused of the following disruptive and destructive attacks
alleged in the indictment. In December of 2015 and 2016, the conspirators launched destructive
malware attacks against the electric power grid in the Ukraine. From there, the conspirators' destructive path widened to encompass virtually the whole world. In what is
commonly referred to as the most destructive and costly cyber attack ever, the conspirators
unleashed the NotPetya malware. Rather than express remorse for the damage they inflicted
against victims worldwide, the conspirators callously celebrated their success.
Next, the conspirators turned their sights on the Winter Olympics. The conspirators, feeling the
embarrassment of international penalties related to Russia's state-sponsored doping program, that is
cheating, took it upon themselves to undermine the games. Their cyber attack combined the emotional maturity of a petulant child
with the resources of a nation state.
Oh, dang.
The DOJ whipping out some name calling.
And I thought it was harsh when Andy called this an emotional response of a toddler.
Now the assistant attorney general says that Sandworm has the emotional maturity of a petulant child?
Oh, wow.
But it's true.
I mean, I'm desperately trying to think of another way to view this, but I can't.
Because of all the planning that had to happen here.
An attack like this wasn't just some snap decision, flick of a switch, knee-jerk reaction.
No, there were meetings
to discuss whether or not to do this, because I'm sure Sandworm is very busy and has lots of other
work to do. So they had to prioritize this over all other stuff that had to be done. And then they
assigned a team of people to conduct this. And that team spent lots of time creating phishing
emails and identifying targets and constructing the malware.
And while the technical capabilities of this malware wasn't all that sophisticated, it was very sophisticated in all the false flags that were in it.
Extracting bits of code from different nations' malware and putting in all these fake footsteps that lead in all these different directions.
This took months of preparation and cost a significant amount of resources. All for what? Just to get back at the Olympics?
I mean, if you put this into another context, it would absolutely seem crazy. Imagine someone got
banned from your local restaurant for stealing food. And then after they were kicked out,
they spent months exacting revenge, trying to make that restaurant fail.
We wouldn't think that person is okay mentally, right?
I want to give Russia the benefit of the doubt that this wasn't a totally insane thing to do.
But I can't find a good reason to believe otherwise.
So, Andy, what was your reaction when you saw this news?
Well, it was kind of bizarre, kind of gratifying.
I mean, it's a kind of closure in a way.
This is not only a kind of first real accountability
that any government has tried to create for Russia after carrying out this
attack on the Olympics. It's the first time that we've seen most of these faces of a group of
hackers. Sandworm, sort of the main characters of my book, who I have been tracking for five or six years. So
you know, it's the kind of coda to the story for me in some ways.
Yeah, so this indictment lists the names and photos of six of the people who carried out this attack.
And that's really wild to see pictures
of the people who did this.
This is one of those kind of remarkable times
when you see the extent of the, you know,
US or Five Eyes intelligence collection reach
that they're able to get inside of these people's networks to hack
the hackers, I imagine, to the degree that they're able to come up with names and get photos to know
who exactly coded what parts of the malware. You know, they really are all up in these people's
systems, it seems. So this indictment, what does it mean? How does it change anything?
Well, it's the first time that any government anywhere in the world has explicitly
called out Sandworm for this attack on the Olympics and tried to condemn them,
hold them accountable, punish them in some way. So it's huge. And it's what has been lacking for
more than two years. The indictment released last week is 50 pages long and it has interesting details about what
hacks took place and what were all the targets. The thing that really struck me was that among
Sandworm's targets that we didn't know about previously were two timekeeping partners of
the Olympics, other organizations that were responsible for the actual timekeeping of Olympic events. So what that implies to me is that Sandworm was trying to
corrupt the actual results of some of these sporting events and not just the Wi-Fi Olympics
app and the ticketing systems and the display screens around the venues. They were trying to
actually mess with the results of the games,
which is kind of almost just poetic,
given how they tried to mess with the results with doping over so many years.
This is kind of the digital spoiler equivalent.
So they were banned for doping from the Olympics.
Don't you think with this indictment coming out that this
is going to lengthen that ban or make it worse for them? Yeah, I have to imagine that's true. I mean,
they have suffered bans for every other kind of cheating that they have attempted, and it kind of
just goes to show, like, how almost sort of petty and short-sighted these tactics are. Like, I've thought since I started reporting on this story,
like, this is not a smart strategy.
You know, Russia doesn't get anything out of this.
They weren't even sending a message, as I said.
So it's just a kind of like emotional knee-jerk response.
Like, let's mess up this event if we can't be part of it.
And I don't think that they're going to get what they want
out of that. Oh, and some other news came out on the same day of this press conference.
We just learned that U.S. intelligence and U.K. intelligence had been tracking attempts
at reconnaissance by Russian hackers who were preparing to carry out a similar sabotage of
the 2020 Olympics in Tokyo, which is what you would expect if nobody, you know, tries to hold Russia responsible or shame
them for the first one. And that cyber attack may have been avoided only because the Tokyo
Olympics were delayed because of the global pandemic.
So is calling them a petulant child enough to stop them from attacking next year's Olympics?
I hope so. Because the U.S.
can't go into Russia and arrest these people. It's just impossible. I mean, Russia doesn't
cooperate with the U.S. like that. And especially when the people are working for the Russian
government conducting official orders. But if there is an attack on next year's Olympics,
Russia will certainly be the first suspect to be investigated.
What's scary to me about the Olympic cyber attack is not just that it almost threw this,
you know, huge globally observed event into chaos, but also that it shows a kind of evolution in deception. You know, Sandworm has been evolving its disruptive capabilities, but it's also been
evolving its deceptive capabilities. And this was the moment when they were experimenting, trying out, you know, wearing
not just a mask, but layers of masks to try to make it truly impossible to forensically determine
who was behind this attack. And I think that it's just going to get worse, that we're going to see
more innovation in false flags in years to come. And it may come to a point where we are at some point truly fooled and we can't get a definitive
answer about who was responsible for an attack. Imagine that. A false flag so good that a country
falls for it and blames the wrong country for the attack? And what kind of consequences would come from accusing a nation of doing
something they didn't actually do? Get ready. Our future is going to be weird.
A very big thank you to Andy Greenberg for sharing the research he's conducted on this.
But this story is actually part of a bigger story around the hacking group Sandworm.
And Andy wrote a whole book about this hacking group.
The book is called Sandworm, and the paperback version just came out this month.
I read every page, and I just couldn't put it down.
I absolutely loved it.
If you like this podcast, you will love the book Sandworm.
I'll have an affiliate link to the book in the show notes.
This show was made by me, the good rabbit, Jack Rhysider.
This episode was produced by Eileen Guo and Alana Strauss.
Original score and sound design by Garrett Tiedemann.
Editing help this episode by the super duper Damien.
Our theme music is by the mysterious Breakmaster Cylinder.
And even though a few hours of trial and error
will always save you a few minutes of looking at the manual,
this is Darknet Diaries. Thank you.