The opening of the Winter Games isn’t until next month, but one competition around the Olympics is already in full swing — hacking.
Cybersecurity researchers unveiled a fiendishly clever hacking scheme against Olympics organizations earlier this month, and a Russia-linked unit is also raising a ruckus as it seeks to avenge the ban against Russia’s team over alleged state-backed doping.
Hackers — from low-level ticket scammers to the most sophisticated digital spies — are prepping for the Winter Games in Pyeongchang Feb. 9 to 25, a tempting venue for mayhem. Some hackers might be looking to disrupt the Games for a cause, say, cyber jihad or in opposition to Korean reunification. Others may seek to hijack email accounts, disrupt television broadcasts or scalp phony tickets, the cybersecurity experts said.
“The whole world’s watching. It’s one of the largest stages you can possibly have to get a message out there,” said Ross Rustici, senior director for intelligence at Cybereason, a Boston cybersecurity firm that has monitored digital threats to the Olympics.
A security software company, McAfee, based in Santa Clara, California, said Jan. 6 that it had detected a broad campaign against Olympics-linked organizations, including an ice hockey group, and sports federations and companies providing infrastructure or offering other support to the Winter Games. All of them received emails containing a malicious Microsoft Word attachment.
Once recipients opened the attachment, which appeared to be from South Korea’s National Counter-Terrorism Center, and then clicked on a link to ensure they were using the right version of Word, the host computer would connect to a remote server hosting an image containing malware. That implant would allow hackers to introduce further code and hijack the computer.
“They sent the email to just over 300 organizations and we are aware that some of them did actually fall for this trick,” Raj Samani, chief scientist for McAfee, said in a telephone interview Friday from his base in London.
Samani said the campaign “was obfuscated to the nth degree” and the hackers “spent a lot of time and obviously a lot of money to hide what they were trying to do.”
The implant scheme, using a tool for hiding code in images or photographs that had only been in the public domain since Dec. 20, would have given hackers valuable insight into nearly all aspects of the upcoming Games.
“You have absolute, full visibility over all of their operations. It’s everything. My guess is that it gives you full insight into everything going on with regard to the Olympics,” Samani said. “It’s not just theft of information. Potentially it’s the modification of data as well.”
Asked if the hackers could potentially change results of sports competition, Samani said: “I don’t know. I would suspect that probably is done by another party.”
Samani stopped short of blaming North Korea for the email campaign.
“We didn’t say it was North Korea. We just said a nation state that speaks Korean,” Samani said.
Among the targets of the Dec. 28 email chain were organizations involved in ice hockey.
Barely three weeks later, North and South Korea announced a surprise rapprochement that would allow their athletes to march under one flag at the opening ceremony of the games and field a joint women’s ice hockey team.
Given North Korea’s move toward larger participation, experts said that its hackers would be less likely to disrupt the event. The same is not true for Russia, which is still inflamed by a Dec. 5 International Olympic Committee decision to bar its team in punishment for state-backed doping at the 2014 Sochi Winter Games.
Russian hackers disrupted the 2016 Rio de Janeiro Summer Games by disclosing hacked medical records of athletes, including Simone Biles, a U.S. gymnast, and Venus Williams, the veteran American tennis player.
In a series of posts on a website this month, a group calling itself Fancy Bears’ Hack Team has pounded the drum on drug testing, disclosing a stream of new, hacked Olympics-related emails to further its allegation that doping rules are unfair.
Fancy Bear is the code name researchers use for the GRU cyber unit of Russia’s military.
One posting last week alleged that Scandinavian athletes had been given widespread exemptions for use of an asthma medicine, Salbutamol, “which opens airways to and from the lungs,” and said it showed “violations of the principles of fair play.”
In a snarky sign-off, the hackers referred to “therapeutic use exemption,” or TUE, for athletes who have no clinical need for it.
“We’d like to take this opportunity to wish a speedy recovery to athletes with TUEs,” the hackers said Jan. 18 on their website, which has gone offline on occasion since then.
“Each time they’ve done it, it’s been less effective,” said Ross Rustici, senior director for intelligence at Cybereason.
An array of cyber activists and criminal groups might also target the Games, he said.
“You got a lot of lower-tier guys going after these Games. It’s head-hunting, bragging rights,” Rustici said, adding that some might try to interrupt media coverage.
“If they can claim credit for bringing down the broadcast of the Olympics, that immediately gives them credibility in dark web forums,” Rustici said. “Bringing down a television network, then releasing a press release, gets your cause a lot of attention.”
He called that a “low probability, high risk scenario.”
Tim Johnson: 202-383-6028, @timjohnson4