Thoughts on the Attack on the Winter Olympics:
Winter Olympics officials confirmed a cyber attack yesterday (Sunday, Feb. 11). Normally you would expect an attack to have some gain as its aim; however, according to Talos, the samples they have recovered appear to function only as disruptors. The malware deletes shadow copies and event logs and moves through the environment using legitimate tools (in this case, it appears, PsExec and WMI).
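The two behaviours described above (destroying shadow copies and event logs, and spawning processes through PsExec or WMI) are the kind of thing a defender can look for in process-creation telemetry. The following is an added example, not code from the post or from Talos: it runs simple detection rules over a handful of constructed Sysmon-style events. The command names it matches (vssadmin, wbadmin, wevtutil) and the parent-process names (PSEXESVC.exe, WmiPrvSE.exe) are general knowledge about those tools, not indicators taken from this incident.

```python
import re

# Constructed process-creation events shaped like Sysmon Event ID 1 fields.
# Sample data for illustration, not telemetry from the Olympics incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl System"},
    {"host": "WS02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c copy \\\\WS01\\c$\\tmp\\x.exe"},
    {"host": "WS03", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe payload.dll,#1"},
    {"host": "WS04", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Command-line patterns for the destructive steps the post describes.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
}
# Parent processes that indicate a child was launched remotely via PsExec or WMI.
REMOTE_EXEC_PARENTS = ("psexesvc.exe", "wmiprvse.exe")

def classify(event):
    """Return the list of detection tags that fire for one event."""
    tags = [name for name, rx in RULES.items() if rx.search(event["CommandLine"])]
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in REMOTE_EXEC_PARENTS:
        tags.append("remote_exec_child")
    return tags

def scan(events):
    """Map each host to the set of tags observed; hosts with no hits are omitted."""
    hits = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(ev["host"], set()).add(tag)
    return hits

if __name__ == "__main__":
    for host, tags in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(tags)}")
```

A host that shows both destructive tags plus a remote-execution child in a short window is a much stronger signal than any one of them alone, which is why the scan groups hits per host.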
It seems like a normal, fairly unimportant attack in the larger scale of things; however, this is exactly why it interests me. As noted by Cisco, this attack used a model similar to BadRabbit, except without the apparent monetary purpose. In addition, the attacker(s) had extensive knowledge of the Olympics infrastructure, suggesting that either this was an inside job or a lot of accounts had been compromised prior to the visible attack. In either case, I think there is more to the story. I doubt this was an attack done "just for fun." If there is no explicit monetary gain, no information was stolen beyond the accounts needed to allow execution, and the orchestration really was as developed as has been speculated, then there is something more going on.
On one hand, we have to consider that only some of the malware has been found. It must be noted that most of these files change names from machine to machine, although they retain the same signature. This is not to say there aren't other files with evolving capabilities, such as changing the information within them based on the chip set they register and in turn changing their "identity." This is not far-fetched, as we have already come across malware that detects whether it is running in a virtual environment and changes its behavior accordingly.
On the other hand, we cannot dismiss the possibility that this is a test or a distraction. The Olympics provide a large, temporary infrastructure that will be dismantled in a short time, leaving no lasting fingerprint the way a permanent network would. If I were an attacker planning an attack on something larger, I would use the Olympics as a giant network testbed. I would not create dedicated ransomware, as that would call too much attention. I would not steal information, as its later distribution could generate a trace back to me. I would, however, test distribution speed and detection.
The flaw in my reasoning is that, in general, well-executed attacks remain unnoticed for a long time, whereas this one was carried out in a manner that drew a certain amount of attention. Of course, that brings me back to my thoughts on distraction vectors. It is possible that by making one part of the attack visible, the true nature of the attack can remain hidden.