The Olympics and 4,000 Government Websites Got Owned

Two recent discoveries in the world of cybersecurity – from the Olympics and via cryptojacking – highlight potential trends we can expect to see more of. High profile and brash, they portend an alarming extension of hacker activity.

Olympic Destroyer
One was a malware attack called “Olympic Destroyer” that targeted the opening ceremonies of the Winter Olympics in Pyeongchang, South Korea. According to reports, the attack resulted in 12 hours of downtime on the official Winter Games website, the break down of wifi in the Pyeongchang Olympic stadium, and a complete disruption of of televisions and internet at the main press center, leaving attendees unable to print their tickets for events or get venue information. The intent, it seems, was purely to embarrass the country of South Korea and not done for financial gain.

In the grand scheme of world order, this is small potatoes, but it’s malicious and disruptive, and further supports the modus operandi of hackers seeking exposure through the media. According to NBC, 28 million people watched the ceremonies, and according to Nielsen, the primetime telecast of the Parade of Nations ceremony grabbed a 16.9 household rating and 29 share. While the digital chaos in the background didn’t appear to thwart the event for viewers, the idea that the biggest media event on the world stage (and one that is so thoroughly dependent upon a technology infrastructure) could be that vulnerable should make security teams take notice. Clearly, a major mishap during the biggest televised and reported event of the weekend would have received major attention had it achieved it total goals.

Analysis of the malware variant indicates that it dropped browser and system credential stealers to obtain authentic log-in details which were then spread to other, connected systems. As we see in almost all attacks of this nature, once inside, the malware clearly wasn’t detected which means no incident response or rapid isolation policies went into effect. What’s especially frightening about Olympic Destroyer is that once installed, the malware immediately deletes shadow copies of files and Windows backup catalogs, turns off recovery mode, and deletes system logs to remain fairly invisible.

Government websites used to mine cryptocurrencies
Hackers are injecting scripts into government websites across the globe to mine cryptocurrencies. The script was discovered in more than 4,000 government websites, including those of the UK’s National Health Service (NHS), the Student Loan Company, and data protection watchdog Information Commissioner’s Office (ICO), Queensland legislation, as well as the US government’s court system.

The script was delivered through a compromised version of a popular website plugin called “Browsealoud”, which is used by websites to provide visually impaired site visitors access to sites by converting text to audio. This version belonged to CoinHive, a mining service that provides website owners revenue by utilizing the CPU resources of site. Users of these government sites had their computers processing power hijacked (or “cryptojacked” as the activity is now being known) and immediately put to use mining in their computing infrastructure without their knowledge.

A full list of websites affected by the attack has been provided by PublicWWW.

Whether the effort was simply brazen, or if it targeted sites known to have loose security controls is not yet known. Whether the effort was simply brazen, or if it targeted sites known to have loose security controls is not yet known. It does, however, highlight the need for IT teams to be vigilant about every element of their infrastructure and employ automated and continuous security as well as rapid incident response practices. With 4,000+ sites affected, it may be awhile before we fully understand the magnitude of this particular attack, as well as the potential for more cryptojacking across government and commercial websites.