Travis Farral looks into the malicious activity around previous Olympic events, the geo-political instabilities surrounding South Korea, and the likely tactics malicious actors may take.
With the Pyeongchang Winter Olympics staged in South Korea this year, there are multiple geo-political instabilities that give cause for concern. But malicious cyber activity around previous Olympic games, event suppliers, and hacker tactics from certain nation states should also be taken into consideration. While a direct, transparent, large-scale attack on the Olympics is unlikely, disruptions have happened before and will happen again. These may include denial of service attacks, phishing lures, or the use of hotel Wi-Fi for cyber espionage.
One of the larger attack surfaces is the Olympics’ supply chain, which provides numerous targets for sophisticated espionage campaigns and opportunistic criminals alike. 2018 suppliers include Hanjin, Samsung C&T, Huawei, Hyundai Department Group, KORAIL, and Incheon International Airport Corporation.
The goal of a supply chain attack is to infect software or hardware used by a secondary organisation that the primary target does business with. Hackers will likely steal sensitive information from both, which is often used for malicious activity such as spear phishing email-spoofing attacks. One high profile example is the data breach of 40 million customer debit and credit card accounts experienced by retail store Target, which originated from a heating, ventilation, and air conditioning (HVAC) company.
Suppliers of the Olympics are particularly vulnerable because the impact of an attack on them is high, and that impact has grown with substantial cloud migration and digitisation. Organisations are also less likely to enforce tight security controls over their partners and connected companies. A ‘weak link’ in the chain is therefore very appealing, because through it attackers can gain access to multiple highly secured upstream networks.
Security teams need to be aware of notable historical attacks on suppliers for the 2018 Olympics and who those attacks have been attributed to. Understanding how suppliers have been targeted previously can help to predict how the supply chain might be vulnerable now and in the future, as well as what defences can be put in place. This matters especially because threat actors looking to target the Olympics may also scrutinise previous attacks to understand who might be a weak link. Previous attacks on the upcoming suppliers have included:
Huawei – November 2017
- Huawei Home Gateway routers were found to have rapidly propagated the “Satori botnet” (a variant of the Mirai IoT malware) through the exploitation of a zero-day vulnerability in those devices. A hacker known as “Nexus Zeta” is believed to be behind it.
Hyundai – April 2017
- It was reported that a Hyundai application had a software vulnerability that left the vehicles susceptible to theft for three months. The application also leaked sensitive personal information about users.
Hanjin Heavy Industries and Construction Co – April 2016
- The attack potentially exposed classified files; the company’s intranet contained sensitive military information, including operational manuals for naval war machines. North Korea is suspected as the culprit.
KORAIL – February 2016
- Smartphones of government officials were infected and then used to launch an attack against the rail operator. Seoul suspects it may have been related to threats from Pyongyang regarding joint military exercises.
Hanjin Group – July 2014
- The company supplies IT management services for Korean Air. North Korean attackers allegedly managed to steal files that included information on a medium unmanned surveillance drone and blueprints detailing the design for a US F-15 fighter jet.
Incheon International Airport Corporation – 2012
- The airport experienced a Distributed Denial of Service (DDoS) attack. The Reconnaissance General Bureau had deliberately infected games with malware in order to compromise South Korean users, and the resulting botnet was then used to launch an attack against the airport. This activity was allegedly carried out by North Korea.
In many cases, breaches are detectable and preventable well before damage occurs. It is essential that every organisation re-evaluates its own cyber security posture and that of its third-party associates.
A successful supply chain security programme focuses on two things: first, knowing the risks associated with dealing with third-party vendors, and second, thoroughly vetting all of the processes in place. Steps can then be taken to address the risks associated with each vendor, which includes defining the important vendors, putting an extensive response plan in place with structured guidelines and education for all staff, and identifying key crisis contacts who can respond immediately and gauge the severity of an attack’s impact. Limiting access both into and out of supplier networks to only what is absolutely necessary is another important focus, and monitoring for attempts to gain access outside of approved systems may provide early clues to malicious activity.
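One way to act on the last two points (limit supplier access to a small set of approved flows, and watch for attempts outside them), as an added illustration that is not from the article: a small Python check that reads constructed connection-log lines and flags any supplier-related flow, in either direction, that is absent from an allowlist. The supplier subnet, internal hosts, ports and log format are all assumptions.

```python
# Added example (not from the article): flag connections between a supplier
# network segment and internal systems that fall outside an approved allowlist.
# Addresses, ports and the log format are constructed for illustration.
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical supplier VPN segment and the only flows approved for it:
# (direction, remote host, port). "in" = supplier -> us, "out" = us -> supplier.
SUPPLIER_NET = ipaddress.ip_network("10.250.0.0/24")
APPROVED = {
    ("in", "10.10.5.20", 443),   # supplier uploads to the partner portal
    ("out", "10.250.0.15", 22),  # our ops team manages one supplier gateway
}

# Constructed sample lines: "timestamp src_ip:port -> dst_ip:port action"
SAMPLE_LOG = """\
2018-02-01T08:00:01 10.250.0.7:51022 -> 10.10.5.20:443 allow
2018-02-01T08:00:05 10.250.0.7:51023 -> 10.10.5.21:445 allow
2018-02-01T08:01:10 10.10.8.40:40211 -> 10.250.0.15:22 allow
2018-02-01T08:02:30 10.10.8.41:40300 -> 10.250.0.15:3389 allow
2018-02-01T08:03:00 192.168.1.9:33000 -> 10.10.5.20:443 allow
"""


def parse_line(line: str) -> Tuple[str, object, object, int]:
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _action = line.split()
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    dst_host, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, ipaddress.ip_address(dst_host), int(dst_port)


def unapproved_flows(log_text: str) -> List[Dict[str, str]]:
    """Return supplier-related flows (either direction) not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        ts, src_ip, dst_ip, port = parse_line(line)
        if src_ip in SUPPLIER_NET:
            key = ("in", str(dst_ip), port)     # supplier reaching into us
        elif dst_ip in SUPPLIER_NET:
            key = ("out", str(dst_ip), port)    # us reaching into the supplier
        else:
            continue  # not a supplier flow; outside the scope of this check
        if key not in APPROVED:
            findings.append({"time": ts, "direction": key[0],
                             "src": str(src_ip), "dst": f"{dst_ip}:{port}"})
    return findings


if __name__ == "__main__":
    for finding in unapproved_flows(SAMPLE_LOG):
        print(finding)
```

On the sample data this reports the supplier host reaching an internal SMB port and an internal host opening RDP to the supplier gateway, neither of which is on the allowlist; the permitted portal upload and gateway SSH flows pass silently.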
If the Winter Olympics is a target for malicious actors, it is likely that the plan has already been made and the attack vectors chosen, meaning that infections could already be in place, as with the phishing and malware campaign aimed at ice hockey players. Countries like Russia and North Korea both have cause to try to disrupt the event, or to embarrass the host and organisers. This highlights the need for more effective, efficient, and accurate threat detection and prevention. The value of a robust threat intelligence platform, coupled with intelligence sharing, is undeniable: it can equip businesses to find and respond to cyber threats, even identifying suspicious or malicious activity before it reaches the network.