Attribution is hard: the incredible skullduggery used to try to blame the 2018 Olympic cyberattack on North Korea

Wired has published another long excerpt from Sandworm, reporter Andy Greenberg's (previously) forthcoming book on the advanced Russian hacking team who took the US-Israeli Stuxnet program to the next level, attacking Ukrainian power infrastructure, literally blowing up key components of the country's power grid by attacking the embedded code in their microcontrollers.


Earlier installments focused on the escaped Notpetya worm, which jumped from its Ukrainian targets and shut down major parts of the world's logistics, doing $10b in damage, and the attacks on Ukraine.


The latest installment drills down into the devastating cyberattack on the South Korean Olympic games in 2018, which shut down whole swathes of Korean tech infrastructure and compromised the ability to carry out the games.


But the real fun started after the attacks, when the forensic specialists went to work on the malware that had been used to carry them out. These remnants were weird, tangled and obviously intentionally deceptive, designed to make a specialist believe that they had been carried out by North Korean operatives who had failed in a bid to pin the blame on others. But after intense, global effort by a variety of experts who'd been on the trail of "Sandworm" — the Russian attackers behind the Ukraine attacks — a consensus emerged that put the blame on the Kremlin, humiliated and furious at being excluded from the games for cheating.

Over the next two days, Matonis searched for patterns in that obfuscation that might serve as a clue. When he wasn't at his laptop, he'd turn the puzzle over in his mind, in the shower or lying on the floor of his apartment, staring up at the ceiling. Finally, he found a telling pattern in the malware specimens' encoding. Matonis declined to share with me the details of this discovery for fear of tipping off the hackers to their tell. But he could see that, like teenage punks who all pin just the right obscure band's buttons to their jackets and style their hair in the same shapes, the attempt to make the encoded files look unique had instead made one set of them a distinctly recognizable group. He soon deduced that the source of that signal in the noise was a common tool used to create each one of the booby-trapped documents. It was an open source program, easily found online, called Malicious Macro Generator.

Matonis speculated that the hackers had chosen the program in order to blend in with a crowd of other malware authors, but it had ultimately had the opposite effect, setting them apart as a distinct set. Beyond their shared tools, the malware group was also tied together by the author names Matonis pulled from the files' metadata: Almost all had been written by someone named either “AV,” “BD,” or “john.” When he looked at the command and control servers that the malware connected back to—the strings that would control the puppetry of any successful infections—all but a few of the IP addresses of those machines overlapped too. The fingerprints were hardly exact. But over the next days, he assembled a loose mesh of clues that added up to a solid net, tying the fake Word documents together.

Only after he had established those hidden connections did Matonis go back to the Word documents that had served as the vehicles for each malware sample and begin to Google-translate their contents, some written in Cyrillic. Among the files he'd tied to the Olympic Destroyer bait, Matonis found two other bait documents from the collection that dated back to 2017 and seemed to target Ukrainian LGBT activist groups, using infected files that pretended to be a gay rights organization's strategy document and a map of a Kiev Pride parade. Others targeted Ukrainian companies and government agencies with a tainted copy of draft legislation.

The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History [Andy Greenberg/Wired]


(Image: Joan Wong/Wired)