The recent Olympic Destroyer attack seems to have been strategically timed to unleash maximum chaos, embarrassment and confusion at a time when all eyes would be watching the opening festivities.
While Olympic systems recovered relatively quickly, within about 12 hours, the truth is that’s likely only because the hackers behind the malware stopped short of unleashing their full fury: the ability to completely wipe and destroy affected computers. It appears their intent was merely to demonstrate their power and capability, to show their hand, but not to actually play the cards.
What does this mean for enterprises?
The Olympic attack should have organisations around the world on edge for two reasons. First, it has made abundantly clear that successful cyberattacks have a sophisticated structure and many moving parts, some of which can lie dormant for weeks, waiting for the moment at which deployment will inflict maximum damage.
Evidence gathered in the Pyeongchang investigation shows that the Olympic attack had been in the works since late last year: the payload carried build timestamps dated December 27 and embedded hard-coded credentials for Olympic accounts, which means those credentials had been stolen before the destructive component was even compiled. Nobody knows how long it sat on Olympic systems, waiting for the right moment to wreak havoc.
The investigation also revealed that the malware was complex and stealthy, and that its supporting infrastructure spanned multiple countries. The attack that caused glitches during the Opening Ceremony was only the most visible part; a quieter component had been at work beforehand, harvesting credentials and other information.
Investigators have traced its path through a compromised server in the Czech Republic and an IP address in Singapore, and have found code overlaps with North Korean spyware and even with a Russian hacking group tied to Russian intelligence. Those indicators point in conflicting directions, and some of them were later assessed to be deliberate false flags planted to confuse attribution. While the participants' motivations remain unclear, these discoveries underscore the fact that modern malware is hardly simple and straightforward.
Second, the fact that the attacks don’t seem to have been intended to compromise or steal data, but merely to cause confusion and embarrassment, doesn’t mean that the costs are small.
As previous Olympic meddling has shown, throwing a wrench into the works can be equally damaging. In fact, a recent report by the Ponemon Institute found that the average cost of an enterprise endpoint attack is now over $5 million, with over half of the cost coming in lost productivity and system downtime — to say nothing of embarrassment and reputation damage on a global scale.
What should enterprises do?
In the wake of the Olympic attack, organisations around the world should be reassessing their own defences. These attacks began simply enough, with spoofed phishing emails that tricked hundreds of users across multiple organisations into opening an attachment. The attachment launched a malicious payload that installed credential-stealing spyware, and the stolen credentials gave the attackers their foothold on Olympic systems. This is clear evidence that, while more sophisticated fileless attacks are on the rise, good old social engineering is still alive and well, and still extremely effective.
As a result, companies should take the following steps to improve their defences:
1. Train employees in the anatomy of phishing attacks so that they’re aware and alert. Information is power: make sure users are informed of the latest tactics to lure them into opening attachments or entering their credentials into a suspicious site. Empower them with the knowledge that they play a critical role in protecting the organisation, which will encourage them to feel more invested and vigilant in doing so.
2. Teach users how to scrutinise hyperlinks. Show them how to hover the mouse over a hyperlink received by email to see the real destination URL before clicking. Many don't realise that the address shown as link text may not be the address that is actually linked, and that what matters is the domain the link really points to. Be careful with the "lock" icon in the browser address bar: it only means the connection to the site is encrypted, not that the site is legitimate. Phishing sites routinely obtain valid certificates, so users should check the domain name itself, not just the padlock, before entering any information.
3. Provide a reporting system for suspicious emails. Relying on anti-virus to block incoming email threats isn't enough. Give employees the tools to report suspicious emails quickly and get real-time feedback right from their inbox. Reporting to an internal team is one option; a cybersecurity vendor with real-time threat intelligence feeds and analysis capabilities adds machine learning and automation for faster, more thorough triage.
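The hyperlink checks in step 2 can also be done by a mail gateway or a reporting tool rather than left to the user's eye. The script below is an added example, not code from the article or from EdgeWave: it parses a constructed HTML email body, pulls out every anchor, and flags links whose visible text names one host while the href points somewhere else, links that reuse the displayed brand name inside an unrelated lookalike host, and links that are not HTTPS at all. All domain names in the sample are made up; the first link deliberately uses HTTPS so that the output shows why a padlock alone would not have caught it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical domains, not real infrastructure).
# Link 1: visible text claims one site, href goes to a lookalike, over HTTPS.
# Link 2: ordinary descriptive link text, nothing to compare against.
# Link 3: text and href agree, but the link is plain HTTP.
SAMPLE_EMAIL_HTML = """
<p>Your credentials expire today. Sign in at
<a href="https://pyeongchang2018.example-login.net/auth">https://www.pyeongchang2018.com/</a>
to keep access.</p>
<p>Questions? Visit <a href="https://www.pyeongchang2018.com/help">our help page</a>.</p>
<p>Policy: <a href="http://intranet.example.org/policy">intranet.example.org</a></p>
"""

# Visible link text that looks like a URL or bare domain (e.g. "https://a.b/" or "a.b")
DOMAINISH = re.compile(r"^(?:[a-z]+://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare domain, or None if there is none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def analyse_links(html):
    """Return one finding per link: href, text, real host and a list of flags."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        flags = []
        if DOMAINISH.match(text):
            shown_host = host_of(text)
            if shown_host != real_host:
                flags.append("displayed host differs from real host")
                # Brand label of the displayed host (label left of the TLD),
                # e.g. "pyeongchang2018" from "www.pyeongchang2018.com".
                brand = shown_host.split(".")[-2] if shown_host and "." in shown_host else None
                if brand and real_host and brand in real_host:
                    flags.append("brand name reused in lookalike host")
        if not href.lower().startswith("https://"):
            flags.append("link is not HTTPS")
        findings.append({"href": href, "text": text, "host": real_host, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL_HTML):
        status = ", ".join(f["flags"]) or "no findings"
        print(f"{f['host']:45} {status}")
```

Note that the lookalike link is flagged on the basis of the host mismatch alone; its valid HTTPS scheme contributes nothing to clearing it, which is exactly the point made about the padlock above.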
The Olympics has long been a target of meddling nation-states, hacker groups and other organisations looking to wreak havoc while the spotlight is shining brightly on their work.
Given the high-profile nature of the event, it is safe to assume these attacks will become as predictable as the games themselves. For enterprises there is something of a silver lining: these unfortunate events provide a valuable learning opportunity, a glimpse into the international threat landscape and a prompt to reassess their own defences and make sure they are prepared.
Sourced by Choo Kim-Isgitt, CMO of EdgeWave