Attempts to attribute the Olympic Destroyer cyberattack in Pyeongchang, South Korea, implicated a wide range of...
possible threat actors, but new reports claim the evidence in the code was a false flag designed to wrongly incriminate North Korea.
Various research groups had attributed Olympic Destroyer to the usual suspects -- Russia, Iran, China and North Korea. Ultimately, the consensus seemed to fall on it being the work of the North Korea-backed Lazarus Group, though there was some disagreement. Now Kaspersky Lab is claiming it was a false flag cyberattack designed to mimic Lazarus.
Kaspersky Lab wrote in a blog post that "a combination of certain code development environment features stored in executable files ... gave a 100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab."
However, the antivirus vendor said inconsistencies in the passwords contained in Olympic Destroyer, compared with those used in previous Lazarus efforts, led them to suspect a false flag cyberattack.
"The motives and other inconsistencies with Lazarus [tactics, techniques and procedures] made some of our researchers skeptically revisit that rare artefact. With another careful look into these [sic] evidence and manual verification of each feature we discovered that the set of features doesn't match the actual code. At that moment it became clear that the set of features was simply forged to perfectly match the fingerprint used by Lazarus," Kaspersky Lab researchers wrote. "Considering all of the above it now looks like a very sophisticated false flag which was placed inside the malware intentionally in order to give threat hunter impression that they found a smoking gun evidence, knocking them of [sic] the trail to the accurate attribution."
Reports of Olympic Destroyer being a false flag cyberattack first emerged in media when a Washington Post article cited anonymous U.S. officials who claimed Russian military hackers framed North Korea for the hack. Kaspersky Lab's report did not attribute the attack to any particular group or nation state, but researchers did note links to Sofacy, a Russian advanced persistent threat (APT) group, which has used the same hosting domains as the Olympic Destroyer attackers.
Confirming the false flag cyberattack
Kaspersky Lab credited some of the work to Cisco's Talos research team, which had expressed skepticism of the Lazarus attribution in an analysis of Olympic Destroyer from late February.
Craig Williamsdirector of Cisco Talos outreach
At the time, Talos researchers didn't directly claim it was a false flag cyberattack, but noted the "actual culprits could have added the file name check, and mimicked the wiper function simply in order to implicate the Lazarus group and potentially distract from their true identity."
Talos went on to describe similarities in the Olympic Destroyer code with that of other APTs, as well as connections to the NotPetya ransomware.
Craig Williams, director of Cisco Talos outreach, confirmed Kaspersky's claims and said, "There were several false flags that appear to have been intentionally implanted in Olympic destroyer."
"It's likely these were planted by our adversary to confuse and mislead the security community," Williams told SearchSecurity. "Identifying a false flag can be very tedious and time-consuming due to how common code reuse is. This must force one to question attribution based solely off a malware sample going forward. We recommend sticking to information that can be backed by research and steer clear of speculation."
Kaspersky researchers agreed attribution efforts need to be more careful considering the potential for a false flag cyberattack because of the scope of impact these attacks can have.
"While it didn't fully sabotage the Winter Olympic games in Pyeongchang, its effects were noticed not only in South Korea, but also in Europe. Most importantly, it brings with it a potential threat to the attribution process, undermining trust in intel research findings," researchers wrote in the blog post. "There's a lesson to be taken from this attack that's useful for all of us in threat intelligence -- don't rush with attribution. This is a very delicate subject that should be handled with great care. We as an industry shouldn't sacrifice the accuracy of our research to opportunistically promote business."