Olympic Destroyer Hack: How We Would’ve Stopped It

Olympic Destroyer; a cyber attack that sounds like a large naval ship sent out on the seas to take down its adversaries in one fell swoop.

Olympic Destroyer Hack; a cyber attack that sounds like a large naval ship sent out on the seas to take down its adversaries in one fell swoop. By now I’m sure most of us are keen to the details of this breach, it has seen extensive coverage and analysis by numerous outlets including Cisco’s Talos Blog and Wired.com, and we know that what happened in Pyeongchang, South Korea was motivated by a desire to disrupt the Olympic games as much as possible. Be that as it may, we aren’t really here to talk about the details of the breach in depth. We are here to talk about the methods that our product, SNAP-Defense, would use to catch and respond to this attack and others like it (BadRabbit and NotPetya), giving security individuals the opportunity to detain threats before they are able to spread laterally through a network.

You may be wondering, how exactly was the Olympic Destroyer malware able to spread laterally? Cisco’s Talos Blog goes into detail on this subject, but we’ll give you a short answer for the time being. It starts by using the ARP table and a WMI query for computer objects in Active Directory. Once this list is built, it starts the lateral spreading mechanism. Utilizing PsExec, WMI, and VBScript, it copies and launches the malware. Screenshots below show the alert dialogue boxes for SNAP-Defense detecting this hacker activity.

In the alert dialogues below, we can see the malware using PsExec (utilization of the hidden ADMIN share is a direct giveaway) and launching services.exe to start the PsExec service:

Olympic-Destroyer_1

Olympic-Destroyer_2

Here, we can see it getting ready to laterally spread onto the domain controller after the attack source was infected by another Windows host:

Olympic-Destroyer_3

Olympic-Destroyer_4

At this point, you have sufficient evidence that this is a malicious attack and you need to shut it down as quickly as possible. SNAP-Defense gives you the ability to detain the effected devices – stopping the spread in its tracks.

Olympic-Destroyer_5

Once the devices are detained, you are able to do some detailed searching to see where and how the malware entered the network – useful information for the future security of your network.

Olympic-Destroyer_6

So there you have it, a perfect example of how SNAP-Defense can be utilized to efficiently and effectively catch hacker trade craft in the earliest stages of a breach such as the Olympic Destroyer Hack and also provide an instant detain option. It is important to note that hackers sometimes breach a network and spend months just making a map of the network and planning their actions. We call this the discovery phase, and SNAP-Defense can alert on suspicious trade craft even this early in the breach.

It would be wonderful to say that there might be no need to worry about these types of hacks in the future, but unfortunately that is most definitely not the case. Cyber attacks are getting more and more sophisticated, and the only way that we can combat this is to employ a product that will provide a bird’s eye view of an entire network at all times. Please feel free to contact us if you have any questions regarding what we’ve talked about, and thank you for reading.

BlackPoint Cyber

  • Subscribe to our mailing list

    Receive our newsletter to stay on top of the latest posts.