Anatomy of a Breach: Olympic Destroyer — Russia Attacks the Winter Olympics and Blames Everyone Else

> series: anatomy_of_a_breach —— part: 110 —— target: pyeongchang_winter_olympics —— attacker: russian_gru —— disguise: false_flags

Hedgehog Security 28 February 2018 12 min read

The opening ceremony. The website down. The Wi-Fi dead. And the malware was designed to frame someone else.

During the opening ceremony of the 2018 Pyeongchang Winter Olympics on 9 February, the Games' IT infrastructure suffered a coordinated cyber attack. The official Olympics website went down — preventing spectators from printing tickets. The Wi-Fi network in the Pyeongchang Olympic Stadium failed. Internet-connected televisions in the main press centre stopped working. The Olympic Destroyer malware had spread through the Games' network, destroying data on Windows systems by overwriting boot records and deleting backup catalogues.

Initial analysis of the malware revealed code similarities with North Korean and Chinese threat actors — but Kaspersky researchers discovered that these similarities were deliberately planted false flags. The malware's metadata, code reuse patterns, and compilation artefacts had been carefully crafted to mislead attribution. The attack was ultimately attributed to Russia's GRU (specifically the Sandworm team), with the false flag operation interpreted as retaliation for the IOC's ban of Russia from the Games over its state-sponsored doping programme.


Cyber attribution is harder than it looks.

Deliberate Misdirection

Olympic Destroyer contained code sections copied from North Korean (Lazarus Group) and Chinese threat actors, compilation timestamps set to Chinese time zones, and metadata designed to mislead analysts. This was the most sophisticated false flag operation documented in a cyber attack and demonstrated that attribution based on code analysis alone is unreliable. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence</a> provides multi-source attribution analysis.

International Events as Targets

The Olympics — a global sporting event intended to promote international cooperation — was attacked by a nation-state as political retaliation. For UK organisations hosting or supporting major international events, the Olympic Destroyer precedent means event-related IT infrastructure requires heightened security. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> includes event security assessments.

Destructive, Not Espionage

Like <a href="/blog/anatomy-of-a-breach-saudi-aramco-shamoon">Shamoon</a> and <a href="/blog/anatomy-of-a-breach-notpetya">NotPetya</a>, Olympic Destroyer was designed to destroy, not steal. The trend of nation-state destructive attacks — from Shamoon (2012) through NotPetya (2017) to Olympic Destroyer (2018) — demonstrates an escalating willingness to use cyber weapons for sabotage. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates backup and recovery resilience.

Rapid Recovery

The Pyeongchang organising committee recovered from the attack within 12 hours — restoring the website and most services before the second day of competition. This rapid recovery was possible because of prepared incident response plans and tested backup procedures. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides the incident response planning that enables rapid recovery from destructive attacks.
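The destructive behaviour described above (backup catalogues deleted so that recovery is slower and harder) leaves a recognisable trace in process-creation telemetry, which is where a monitoring team would look for it. As an added example that is not part of the original article and not Hedgehog Security's or UK Cyber Defence's own tooling, the Python below scans constructed Sysmon-style process-creation log lines for the Windows built-ins commonly abused for backup destruction (vssadmin, wbadmin, bcdedit, wmic) and then escalates only hosts where several distinct destructive commands occur within a short window. The log format, hostnames, users and timestamps are all constructed; the specific command lines are drawn from general knowledge of this malware class, not from the article.

```python
"""Detect backup-destruction command chains in Windows process-creation logs.

Added example, not code from the original article. The record format is a
constructed, flattened Sysmon-style line: an ISO timestamp followed by
key=value fields, with the command line quoted. The rules cover the standard
Windows tools that destructive malware of this class uses to delete shadow
copies and backup catalogues and to disable recovery. A single match is noisy
(backup administrators run these tools too), so hosts are escalated only when
several distinct rules fire within a short window.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry (not from the Pyeongchang incident).
SAMPLE_EVENTS = [
    r'2018-02-09T20:03:11Z host=PC-OPS-12 user=SYSTEM image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"',
    r'2018-02-09T20:03:12Z host=PC-OPS-12 user=SYSTEM image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c wbadmin delete catalog -quiet"',
    r'2018-02-09T20:03:13Z host=PC-OPS-12 user=SYSTEM image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    r'2018-02-09T20:03:13Z host=PC-OPS-12 user=SYSTEM image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c bcdedit /set {default} recoveryenabled no"',
    # Benign: listing shadow copies is not deletion and must not alert.
    r'2018-02-09T20:05:40Z host=PC-MEDIA-03 user=jlee image=C:\Windows\System32\vssadmin.exe '
    r'cmdline="vssadmin list shadows"',
    # Legitimate one-off catalogue reset by a backup admin: one alert, no chain.
    r'2018-02-09T02:10:00Z host=PC-BACKUP-01 user=bkadmin image=C:\Windows\System32\wbadmin.exe '
    r'cmdline="wbadmin delete catalog -quiet"',
    r'2018-02-09T20:06:02Z host=PC-MEDIA-03 user=jlee image=C:\Windows\System32\notepad.exe '
    r'cmdline="notepad.exe schedule.txt"',
]

# Each rule names one destructive action; patterns are case-insensitive.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failure_ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wmic_shadowcopy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    when: datetime
    host: str
    user: str
    rule: str
    cmdline: str


def parse_event(line: str) -> tuple[datetime, dict]:
    """Split a constructed log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(rest)}
    return when, fields


def scan_events(lines) -> list[Alert]:
    """Return one Alert per (event, matching rule) pair."""
    alerts = []
    for line in lines:
        when, fields = parse_event(line)
        cmdline = fields.get("cmdline", "")
        for name, pattern in RULES:
            if pattern.search(cmdline):
                alerts.append(Alert(when, fields.get("host", "?"),
                                    fields.get("user", "?"), name, cmdline))
    return alerts


def destruction_sequences(alerts, window_seconds=60, min_distinct_rules=2) -> dict:
    """Escalate hosts where >= min_distinct_rules distinct rules fire within the window.

    Returns {host: sorted list of rule names seen in the first qualifying window}.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    flagged = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.when)
        for i, first in enumerate(host_alerts):
            rules = {first.rule}
            for later in host_alerts[i + 1:]:
                if (later.when - first.when).total_seconds() > window_seconds:
                    break
                rules.add(later.rule)
            if len(rules) >= min_distinct_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.when:%H:%M:%S} {a.host:<13} {a.rule:<26} {a.cmdline}")
    for host, rules in destruction_sequences(found).items():
        print(f"ESCALATE {host}: backup-destruction chain {rules}")
```

The two-stage design is the point: the individual rules are what most detection content already ships, and on their own they generate tickets every time a backup administrator resets a catalogue. Correlating distinct destructive actions per host within a minute separates the sequence a wiper runs from routine maintenance, and an escalation here is one of the few early signals a responder has before the "restore from backup" step in the recovery plan turns out to have nothing to restore from.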

Nation-states attack sports. And they lie about who did it.

Olympic Destroyer established two critical principles: first, international events are legitimate targets for nation-state cyber operations motivated by political grievances; second, cyber attribution is not straightforward — sophisticated adversaries deliberately plant false evidence to mislead investigators and create diplomatic ambiguity. For UK organisations, this means that threat intelligence must be multi-sourced and analytically rigorous, and that event-related infrastructure requires proportionate security.

Infrastructure testing assesses event IT security and recovery procedures. Cyber Essentials establishes baseline controls. SOC in a Box provides 24/7 monitoring during events and high-threat periods. And UK Cyber Defence's threat intelligence provides the attribution analysis that cuts through false flags.


Russia attacked the Olympics and blamed North Korea. Is your event infrastructure defended?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses event security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors during high-threat periods. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence</a> provides threat intelligence.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call