US big air athelete Kyle Mack competes at the Pyeongchang 2018 Winter Olympic Games. Photo Franck Fife/AFP via Getty Images
Researchers at Kaspersky Lab found evidence that the Olympic Destroyer malware, which briefly downed Pyeongchang systems in advance of this year's olympics opening ceremonies, was a false flag operation trying to pin the attacks on North Korea. The security firm presented the research at its yearly conference, the Security Analyst Summit, on Thursday.
Why it matters: Attribution is a tricky business with real consequences. If the U.S. was to incorrectly attribute the attacks to North Korea, that could mean sanctions, war or a host of undesirable outcomes.
The details: Olympic Destroyer contained coding similarities with a group tied to two attacks the United States government attributed to North Korea. The segment of the code designed to erase data was extremely similar. However, Kaspersky noted, while the North Korean attacks always used very long, secure passwords to protect the malware's operations — all longer than 30 characters — Olympic Destroyer used the less impressive password "123".
Rich headers: But the best evidence North Korea was being framed came in the curious choice to make it look like the malware was designed in out of date software.
- Olympic Destroyer contained a section known as a "Rich header" identical to North Korea's. Rich headers identify the programs used to design software. Olympic Destroyer's header claimed the malware was written using Microsoft Visual Studio 6.0, state of the art in 1998, just as North Korea did.
- Kaspersky researchers demonstrated the code was actually created in Visual Studio 10, a quantum leap from the programs North Korea used in the past.
- Tampering with Rich headers is a more elaborate form of obfuscation than attackers normally attempt.
If not North Korea, then who? No one in the private sector has made a particularly strong case yet for any specific actor, although different pieces of evidence point to everyone from Russia to China. A press release from the company suggests there is weak evidence the attackers were the Russian group Fancy Bear. But Kaspersky cautions that a group using novel techniques to frame another country could easily be framing Russia, too. It would be best, said the company, to let this play out before jumping to any conclusion.