Olympic Destroyer:Cisco:Talos:MALWARE:

CQF - Yahoo! Blog

'OLYMPIC DESTROYER' MALWARE HIT PYEONGCHANG AHEAD OF OPENING CEREMONY

https://www.wired.com/story/olympic-destroyer-malware-pyeongchang-opening-ceremony/

https://wired.jp/2018/02/16/olympic-destroyer-malware/

 

 

Comments (16)

  

Talos points out that Olympic Destroyer's disruptive tactics and spreading methods resemble NotPetya and BadRabbit, two pieces of Ukraine-targeting malware seen in the last year that the Ukrainian government, the CIA, and other security firms have all tied to Russian hackers.

2018/2/17 (Sat) 8:00 AM, ogw*og*3

  

Now security researchers at Cisco's Talos division have released an analysis of a piece of sophisticated, fast-spreading malware they're calling Olympic Destroyer, which they believe was likely the cause of that outage.

"It was effectively a worm within the Olympic infrastructure that caused a denial-of-service attack," says Talos researcher Warren Mercer.

2018/2/17 (Sat) 8:04 AM, ogw*og*3

  

According to a detailed blog post the Talos researchers published Monday morning, Olympic Destroyer is designed to automatically jump from machine to machine within a target network and destroy certain data on the machine, including part of its boot record, rebooting machines and then preventing them from loading. "It turns off all the services, the boot information is nuked, and the machine is disabled," says Talos research director Craig Williams.

2018/2/17 (Sat) 8:07 AM, ogw*og*3

  

Talos points out that Olympic Destroyer's disruptive tactics and spreading methods resemble NotPetya and BadRabbit, two pieces of Ukraine-targeting malware seen in the last year that the Ukrainian government, the CIA, and other security firms have all tied to Russian hackers.

https://www.wired.com/story/olympic-destroyer-malware-pyeongchang-opening-ceremony/

2018/2/17 (Sat) 8:10 AM, ogw*og*3

  

But as evidence that it did in fact target Olympics infrastructure specifically, they point to a list of 44 usernames and passwords included in the malware's code, all for accounts on PyeongChang2018.com, the Olympics' domain.

2018/2/17 (Sat) 8:16 AM, ogw*og*3

  

With those accounts as a starting point, the malware then spread using Windows features like PSExec and Windows Query Language—which allow one machine to connect to another—and then scoured the next target machine's browser data and system memory for more credentials. "It comes in with 44 logins, and then as it compromises machines it pumps more and more user data out of them," says Williams.

2018/2/17 (Sat) 8:17 AM, ogw*og*3
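The behaviour the two comments above describe (remote execution through PsExec and WMI, credentials scraped from memory, then every service switched off before the machine is wiped) is also what a defender can hunt for in ordinary Windows event logs. The triage script below is an added example and is not code from the Wired article or from Cisco Talos. It assumes the standard event IDs (System 7045 for a service install, Security 4688 for process creation, System 7040 for a service start-type change, Sysmon 10 for one process opening another) and that the WQL queries the article mentions are issued through WMI, so remote WMIC.exe launches are the observable; the host names, paths, thresholds and lsass allowlist are made up for the example, and the log records are constructed, not a real capture.

```python
"""Triage constructed Windows event records for the Olympic Destroyer-style
chain: remote execution (PsExec / WMI) -> lsass access -> mass service disable.
Added example; event IDs are real Windows/Sysmon IDs, the records are made up."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample export, one JSON record per line (not a real capture).
SAMPLE_LOG = r"""
{"ts":"2018-02-09T19:59:01","host":"WS-ADMIN-07","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe"}
{"ts":"2018-02-09T19:59:03","host":"WS-ADMIN-07","event_id":4688,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic /node:WS-VENUE-12 process call create C:\\temp\\a.exe"}
{"ts":"2018-02-09T19:59:10","host":"WS-ADMIN-07","event_id":10,"source_image":"C:\\temp\\a.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1010"}
{"ts":"2018-02-09T19:59:20","host":"WS-ADMIN-07","event_id":7040,"service":"WinDefend","new_start":"disabled"}
{"ts":"2018-02-09T19:59:21","host":"WS-ADMIN-07","event_id":7040,"service":"Spooler","new_start":"disabled"}
{"ts":"2018-02-09T19:59:21","host":"WS-ADMIN-07","event_id":7040,"service":"wuauserv","new_start":"disabled"}
{"ts":"2018-02-09T19:59:22","host":"WS-ADMIN-07","event_id":7040,"service":"EventLog","new_start":"disabled"}
{"ts":"2018-02-09T19:59:22","host":"WS-ADMIN-07","event_id":7040,"service":"LanmanServer","new_start":"disabled"}
{"ts":"2018-02-09T19:59:23","host":"WS-ADMIN-07","event_id":7040,"service":"Dhcp","new_start":"disabled"}
{"ts":"2018-02-09T20:30:00","host":"WS-HR-02","event_id":4688,"image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"ts":"2018-02-09T20:31:00","host":"WS-HR-02","event_id":7040,"service":"Spooler","new_start":"demand start"}
{"ts":"2018-02-09T20:45:00","host":"WS-HR-02","event_id":10,"source_image":"C:\\Windows\\System32\\csrss.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1000"}
"""

# Processes that legitimately open lsass.exe (assumed allowlist; tune per estate).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
REMOTE_TAGS = {"psexec_service_installed", "psexec_launched", "wmi_remote_exec"}


def parse_events(text):
    """Parse JSON-per-line records, convert 'ts' to datetime, sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_remote_exec(events):
    """PsExec installs the PSEXESVC service (7045); WMI remote execution shows
    up as WMIC.exe started with /node: (4688), or psexec.exe itself (4688)."""
    hits = []
    for e in events:
        if e["event_id"] == 7045 and e.get("service", "").upper() == "PSEXESVC":
            hits.append((e["host"], e["ts"], "psexec_service_installed"))
        elif e["event_id"] == 4688:
            img = basename(e.get("image", ""))
            cmd = e.get("cmdline", "").lower()
            if img in ("psexec.exe", "psexec64.exe"):
                hits.append((e["host"], e["ts"], "psexec_launched"))
            elif img == "wmic.exe" and "/node:" in cmd:
                hits.append((e["host"], e["ts"], "wmi_remote_exec"))
    return hits


def find_lsass_access(events):
    """Sysmon 10: a non-allowlisted process opening lsass.exe is the usual
    sign of credentials being harvested from system memory."""
    return [(e["host"], e["ts"], "lsass_access") for e in events
            if e["event_id"] == 10
            and basename(e.get("target_image", "")) == "lsass.exe"
            and basename(e.get("source_image", "")) not in LSASS_ALLOWLIST]


def find_service_disable_storm(events, threshold=5, window=timedelta(minutes=2)):
    """Flag hosts where at least `threshold` services were set to 'disabled'
    (7040) within a sliding time window: an admin touches one or two services,
    a wiper switches off everything it can reach."""
    per_host = defaultdict(list)
    for e in events:
        if e["event_id"] == 7040 and e.get("new_start", "").lower() == "disabled":
            per_host[e["host"]].append(e["ts"])
    hits = []
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append((host, stamps[end], "service_disable_storm"))
                break
    return hits


def triage(text):
    """Return {host: sorted tags}; 'wiper_chain' marks a host that shows remote
    execution, lsass access and a disable storm together."""
    events = parse_events(text)
    tags = defaultdict(set)
    for host, _ts, tag in (find_remote_exec(events) + find_lsass_access(events)
                           + find_service_disable_storm(events)):
        tags[host].add(tag)
    for t in tags.values():
        if {"lsass_access", "service_disable_storm"} <= t and t & REMOTE_TAGS:
            t.add("wiper_chain")
    return {h: sorted(t) for h, t in tags.items()}


if __name__ == "__main__":
    for host, t in triage(SAMPLE_LOG).items():
        print(host, ", ".join(t))
```

On the constructed input only WS-ADMIN-07 is flagged, with the full chain; WS-HR-02's single start-type change and csrss.exe touching lsass are left alone. Each detector on its own is noisy (PsExec is a legitimate admin tool, backup agents open lsass), which is why the script scores the combination per host rather than alerting on any single event.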

  

"Anything like this with harvested data, prepackaged to target those systems, is not amateur hour," says Mercer. "It’s a targeted campaign designed to accomplish very specific tasks."

2018/2/17 (Sat) 8:24 AM, ogw*og*3

  

It's not clear how the hackers behind Olympic Destroyer first penetrated their target, or how they obtained the credentials of 44 Olympics staff members to kickstart their attack. But the Talos researchers say that the multitude of spreading techniques and those pre-seeded credentials all point to a sophisticated adversary.

2018/2/17 (Sat) 8:24 AM, ogw*og*3

  

Still, the Talos researchers declined to point the finger at Russia, or any other government. Despite its sophistication and relative similarity to past operations like NotPetya and BadRabbit, they point out that it's possible other hackers may simply have adopted that earlier malware's techniques.

2018/2/17 (Sat) 8:25 AM, ogw*og*3

  

But the political backdrop for the attack makes Russia by far the most likely culprit, says James Lewis, the director of the Center for Strategic and International Studies' Technology and Public Policy Program.

2018/2/17 (Sat) 8:26 AM, ogw*og*3

  

After all, the Russian hacker group known as Fancy Bear, widely believed to be part of its military intelligence agency GRU, has been hacking Olympics-related organizations as early as September of 2016.

2018/2/17 (Sat) 8:28 AM, ogw*og*3

  

Those attacks, which resulted in leaks of the medical records of athletes including Serena and Venus Williams and Simone Biles, appear to be aimed at discrediting the Olympics' anti-doping programs after Russia was banned from the games for widespread and systematic use of performance-enhancing drugs among its athletes. "The Russians are the leading suspects," says Lewis.

2018/2/17 (Sat) 8:29 AM, ogw*og*3

  

In the weeks leading up to the Olympics, other signs have indicated a possibly North Korean hacking campaign targeting Olympics organizations and the Pyeongchang local government. Crowdstrike researchers note, disturbingly, that "several threat actors" had backdoor access to organizations "adjacent" to affected Pyeongchang victims.

2018/2/17 (Sat) 8:31 AM, ogw*og*3

  

But North Korea has, by all appearances, sought to use the Olympics as an opportunity to improve its diplomatic relations with South Korea and burnish its international image. In that context, Lewis argues the Kim Regime would be unlikely to want to disrupt the games. "They really don't have any incentive," he says.

2018/2/17 (Sat) 8:32 AM, ogw*og*3

  

Russia's government, on the other hand, has been "furious" about the doping ban, and shown itself willing to use hacking as a means of taking its revenge for that slap, Lewis says. "It's consistent with what they’ve done before. It's probably them," Lewis says. "It's another example of Russian petulance."

1 Updated at 2:45PM EST to include revised information from Cisco Talos.
2 Updated at 12:30PM EST to include additional research from Crowdstrike.

2018/2/17 (Sat) 8:33 AM, ogw*og*3

 

 
