The Olympics have always been a geopolitical microcosm: beyond the athletic match-ups, they provide a vehicle for diplomacy and propaganda, and even, occasionally, a proxy for war.
It stands to reason, then, that in 2018 they’ve also become a nexus of hacker skullduggery. The Olympics unfolding next week in Pyeongchang may already be the most thoroughly hacked in the games’ history—with potentially more surprises to come.
More so than any previous Olympics, the run-up to Pyeongchang has been plagued by apparent state-sponsored hackers: One Russia-linked campaign has stolen and leaked embarrassing documents from Olympic organizations, while security researchers have tracked another operation, possibly North Korean, that appears to be spying on South Korean Olympics-related organizations.
Security researchers tracking those two operations say the full scope of either remains far from clear, leaving the looming question of whether they could still present new disruptions timed to unfold during the games themselves. And more broadly, the intrusions signal that the geopolitical tensions that have long underscored the Olympics now extend into the digital realm as well.
“The Olympics have always been the most politicized sporting event of them all,” says Thomas Rid, a professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies. “It’s not a surprise at all that they’ve become a high-profile target for hacking.”
The far stealthier of the two known Olympics hacking operations—and perhaps the most troubling—has quietly targeted South Korean Olympics-related organizations for well over a month. Researchers for security firm McAfee discovered just this week that the campaign, which they’ve named Operation GoldDragon, has attempted to plant three distinct spyware tools on target machines that would enable hackers to deeply scour the compromised computers’ contents. McAfee identifies those malicious tools by the names GoldDragon, BravePrince, and GHOST419.
The firm’s researchers say they’ve linked those malware samples to a phishing campaign that lures victims with Korean-language emails, indicating South Korean targets. The messages, which spoof a note from South Korea’s National Counter-Terrorism Center—and, according to McAfee, were timed to actual terrorism drills in Pyeongchang—went to a BCC’d list of more than 300 Olympics-related recipients, McAfee says, with only the address “firstname.lastname@example.org” visible in the “to” line. Analyzing the email’s metadata, however, McAfee identified other intended victims, including local tourism organizations in Pyeongchang, ski resorts, transportation, and key departments of the Pyeongchang Olympics effort.
The hackers attached a Korean-language Word document to the email, crafted to run a malicious script on the target machine. If the victim clicked “enable content” after opening that tainted attachment, they would give the attacker remote access to the computer. The attackers could use that initial, temporary foothold to install their spyware for more persistent visibility into any hacked machine. McAfee notes that script is hidden in an innocent-looking image file with clever steganography and other obfuscation tactics.
McAfee traced the phishing scheme to a remote server in the Czech Republic, registered with fake credentials to a South Korean government ministry. And they found publicly accessible logs on that remote server that showed victim machines were in fact connecting to it from South Korea, a sign of actual infections. “Was this a successful campaign? The answer is yes,” says McAfee chief scientist Raj Samani. “We know that it’s had victims.”
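The attack chain described above (a spoofed sender name, a recipient list hidden behind BCC, and a Word attachment whose script runs only once the user clicks “enable content”) maps onto three checks a mail-gateway or incident responder can automate. The following is an added example, not code from McAfee or from the article: it builds a constructed sample message and a constructed macro-bearing Office attachment in memory, then triages the message for those three signals. The trusted-domain value `counterterror.example` and every address in the sample are placeholders, not the real ones from the campaign.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MACRO_SUBTYPE = "vnd.ms-word.document.macroEnabled.12"


def build_macro_doc() -> bytes:
    """Constructed Office Open XML package carrying a VBA project (a macro-enabled Word file).
    The vbaProject.bin body is a placeholder, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


def build_sample_email(attachment: bytes,
                       sender: str = "National Counter-Terrorism Center <alerts@example.net>",
                       to: str = "firstname.lastname@example.org") -> bytes:
    """Constructed message in the shape the article describes: an official-looking display
    name on an unrelated domain, one generic visible recipient, and a Word attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = "Notice of terrorism drill"  # constructed subject
    msg.set_content("Please review the attached notice.")
    msg.add_attachment(attachment, maintype="application", subtype=MACRO_SUBTYPE,
                       filename="notice.docm")
    return msg.as_bytes()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML package (docx/docm/xlsm/...) contains a VBA macro project.
    Non-zip payloads are simply not OOXML and yield False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes, trusted_domains: set, recipient: str) -> list:
    """Return human-readable findings for the three phishing signals from the article."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name suggests an official sender, but the address is on an untrusted domain.
    sender = msg["From"].addresses[0]
    if sender.display_name and sender.domain.lower() not in trusted_domains:
        findings.append(f"sender '{sender.display_name}' uses untrusted domain {sender.domain}")

    # 2. The actual recipient appears in neither To nor Cc: the mail was bulk-sent via BCC.
    visible = {a.addr_spec.lower() for h in ("To", "Cc") if msg[h] for a in msg[h].addresses}
    if recipient.lower() not in visible:
        findings.append(f"recipient {recipient} hidden behind BCC (visible: {sorted(visible)})")

    # 3. An Office attachment ships a macro project, i.e. it will prompt for 'enable content'.
    for part in msg.iter_attachments():
        if has_vba_project(part.get_payload(decode=True) or b""):
            findings.append(f"attachment {part.get_filename()} contains a VBA macro project")
    return findings


if __name__ == "__main__":
    sample = build_sample_email(build_macro_doc())
    for line in triage(sample, {"counterterror.example"}, "analyst@victim.example"):
        print("FINDING:", line)
```

Each check alone is a weak signal (plenty of legitimate bulk mail is BCC’d, and some business documents carry macros); together, and combined with the Korean-language lure and the timing against a real drill, they describe exactly the message shape a gateway rule or an analyst’s triage script should hold for review.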
Despite all of those findings, the origin and the ultimate aim of that relatively sophisticated malware campaign remain unclear. But based on the Korean language and targeting, Samani hints that his working theory points to a North Korean espionage operation keeping tabs on its southern neighbor.
That spying may seem to run counter to a recent thawing of diplomatic relations between the two Koreas, one that has even resulted in a combination of the two countries’ national women’s hockey teams. But North Korea likely wouldn’t call off its aggressive hacking over a momentary olive branch. “I would guess it’s a ‘keep your friends close and your enemies closer’ approach,” Samani says.
A far louder and more explicit hacker threat has come from a notorious outfit linked with the Kremlin’s GRU military intelligence agency, known as Fancy Bear, or APT28—according to many security researchers, almost certainly the same Fancy Bear that hacked the Democratic National Committee and Clinton campaign in the midst of the 2016 election.
Since as early as September of that year, those brazen hackers have repeatedly targeted athletic organizations, with the intent of exposing evidence of what they claim is widespread doping in Western countries, an apparent retaliation for the ban of Russian athletes from the 2016 and 2018 games for the same charge. “We will start with the US team which has disgraced its name by tainted victories,” the hackers wrote in a message on their website when they first began leaking documents from the World Anti-Doping Association in September of 2016. “Wait for sensational proof of famous athletes taking doping substances any time soon.”
At the time, the Fancy Bear hackers released the private medical records of star US athletes Serena Williams, Venus Williams, and Simone Biles, touting permissions they had received to use potentially performance-enhancing drugs to treat attention deficit disorder and muscle inflammation.
This year, Fancy Bear planned its Olympic hacking far more proactively. Starting in early January, the group published two collections of hacked documents from Olympics-related agencies: One set revealed political tensions between officials at the International Olympic Committee and the WADA officials tasked with policing the games’ athletes. A second release later in the month again pointed to special permissions given to certain athletes—a member of the Swedish luge team takes asthma medication, for instance—and an Italian athlete who had at one point missed a drug test. And a third leak on Wednesday pointed to the case of Shawn Barber, a Canadian pole vaulter allowed to compete in the 2016 games despite at one point testing positive for cocaine.
None of Fancy Bear’s recent releases has proven any clear wrongdoing—at least, nothing remotely comparable to Russia’s systematic doping program for thousands of athletes—and all have generally been ignored by the sporting world and the Western media. But Russian state news outlets have nonetheless faithfully rehashed the leaks. And Johns Hopkins’ Rid says the hacks, like the attacks on the DNC and Clinton campaign in 2016, have an effect that’s not easily measured or dismissed.
Rid compares the operation to the KGB’s tactics in 1984, after Russia was banned from the Summer Olympics in Los Angeles. The spy agency responded by mailing forged KKK pamphlets threatening race-based attacks to members of 20 visiting Asian and African teams. “There’s no great goal they want to achieve,” Rid says. “It’s more one of throwing wrenches and sand into the gears of a machine, to make life more difficult for your adversary, engender debate and internal conflict among allies to distract from the confrontation that’s harming you.”
Fancy Bear may yet have more leaks in store. Security firms Trend Micro and ThreatConnect have linked the group’s propaganda campaign with collections of spoofed domains they’ve discovered, likely used in the group’s well-honed phishing attacks. Many of those fake domains haven’t yet resulted in leaks, but may have nonetheless led to compromises of Olympics-related organizations. They’ve spotted registrations for spoofed domains designed to mimic the US Anti-Doping Agency, its British counterpart UK Anti-Doping, the Olympic Council of Asia, the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, and the International Bobsleigh and Skeleton Federation.
Security firms, to be clear, have no evidence that those organizations have been compromised. But they point out that the fake domains for those targets were registered by the same group whose earlier fake domains appear to have been used in previous Fancy Bear phishing and leaking operations. Any one of them might be a source of new, disruptive secret-spilling before or during the games. “In the run-up to the Olympics, we’d expect to see continuing activity from Fancy Bear and other APTs,” says ThreatConnect researcher Kyle Ehmke, using the abbreviation for “Advanced Persistent Threat,” an industry term for sophisticated state-sponsored hackers. “There’s no reason to think they’ll conclude operations just because of what’s already been released.”
In the parallel case of the likely North Korean espionage campaign, McAfee’s chief scientist Samani notes that the hacking operation could also get worse before it gets better. If the hackers behind that campaign change their motivation, nothing prevents them from using machines they’ve compromised on target networks to launch attacks that go beyond espionage, such as destroying data or disrupting networks.
“We do know that other campaigns have gone down the intelligence path and then used it as a vehicle to cause destruction,” Samani says, noting that in this case there is no indication one way or the other of whether the hackers’ motivation extends beyond mere spying. “We have no idea what may follow.”
All of those indicators of digital meddling, from leaks to espionage campaigns, don’t quite add up to a cyberdoomsday scenario. But for the Olympics’ organizers—or the athletes waiting for their once-in-a-lifetime spotlight—the notion of multiple, determined hacker teams targeting the world’s biggest sporting event should provide enough anxieties to last until the closing ceremony.