{"id":12618,"date":"2018-06-19T10:45:12","date_gmt":"2018-06-19T18:45:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/06\/19\/news-6386\/"},"modified":"2018-06-19T10:45:12","modified_gmt":"2018-06-19T18:45:12","slug":"news-6386","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/06\/19\/news-6386\/","title":{"rendered":"The Olympic Destroyer Hackers May Have Returned For More"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b2833c5ba2c1651eb8928cf\/master\/pass\/OlympicDestroyer-Security-AP_17275678626600.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Tue, 19 Jun 2018 10:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">This past winter, <\/span>malware ripped through the Pyeongchang Olympics, disrupting Wi-Fi, shutting down the Olympics website, and causing generalized digital havoc. The so-called <a href=\"https:\/\/www.wired.com\/story\/olympic-destroyer-malware-pyeongchang-opening-ceremony\/\">Olympic Destroyer attack<\/a> gained infamy, too, for using a <a href=\"https:\/\/www.wired.com\/story\/russia-false-flag-hacks\/\">number of false flags<\/a> to muddy attribution. Now, researchers at Kaspersky Lab say the group behind those February attacks has returned, with  a new target: organizations that respond to and protect against biological and chemical threats.<\/p>\n<p>While the activity Kaspersky has seen has not turned destructive, researchers there say that hackers have taken steps that echo the early groundwork laid by the Olympic Destroyer group. Using a sophisticated spearphishing technique, the group has attempted to gain access to computers in France, Germany, Switzerland, Russia, and Ukraine. The concern: That these early intrusions will escalate in the same destructive way Olympic Destroyer did.<\/p>\n<p class=\"paywall\">\u201cWe\u2019re pretty confident this is the same group,\u201d says Kaspersky security researcher Kurt Baumgartner. 
\u201cWe\u2019re seeing the same sort of tactics. We\u2019re seeing targeting that may line up with the previous group. We\u2019re seeing multiple places where there may be crossover.\u201d<\/p>\n<p class=\"paywall\">Those tactics, so far, involve spearphishing emails that present themselves as coming from an acquaintance, with a decoy document attached. The execution, Baumgartner says, is remarkably similar to how Olympic Destroyer began: Emails target a group of people affiliated with a specific event; if they open the document they trigger a malicious macro, which allows multiple scripts that enable access to the target computer to run in the background.<\/p>\n<p class=\"paywall\">While the hacker group excels at avoiding detection, its activity has enough hallmarks that Kaspersky has high confidence that it\u2019s a repeat performance. \u201cWhen you look at the obfuscation that they\u2019re using in the spearphishing macros, this is a very specific set of macros,\u201d says Baumgartner. \u201cNo one else is using this stuff.\u201d<\/p>\n<p class=\"paywall\">In the case of Olympic Destroyer, that early access was eventually used in Pyeongchang to deploy malware designed to destroy data on victim machines. Kaspersky says it chose to go public with its findings because if these latest attacks follow the same timeline they may be about to escalate in a similar fashion.<\/p>\n<p class=\"paywall\">The hackers appear to be primarily targeting people affiliated with an upcoming biochemical threat conference, called Spiez Convergence. That event is organized by Spiez Laboratory\u2014a testing outfit that was tangentially involved in the investigation into the poisoning of former Russian double agent Sergei Skripal, and his daughter Yulia, in Salisbury, England in March. 
The UK and the US both <a href=\"https:\/\/www.nytimes.com\/2018\/03\/14\/world\/europe\/uk-russia-spy-punitive-measures.html\" target=\"_blank\">attributed<\/a> the attempted murders to Russia, and expelled dozens of Russian diplomats each.<\/p>\n<p class=\"paywall\">One of the decoy documents Kaspersky observed looks like a press release for Spiez Convergence. Another appears to be a news report about the nerve agent used in the Salisbury attack. The hackers also appear to have Russian language proficiency. Kaspersky, itself a Russian company <a href=\"https:\/\/www.wired.com\/story\/kaspersky-russia-antivirus\/\">embroiled in controversy<\/a> in the US over its purported ties to the Russian government, did not suggest attribution for the Olympic Destroyer group. But it does seem worth noting that both the Pyeongchang Olympics\u2014from which Russia was banned\u2014and European biochemical protection agencies\u2014which did not absolve Russia of what appears to be a high-profile international assassination attempt\u2014arguably share a common bond of Russian provocation. Not to mention that US intelligence officials already <a href=\"https:\/\/www.washingtonpost.com\/world\/national-security\/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say\/2018\/02\/24\/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html\" target=\"_blank\">reportedly decided<\/a> months ago that Russia was behind the Olympics hack after all.<\/p>\n<p class=\"paywall\">Still, the group behind Olympic Destroyer very effectively covers its tracks. 
It has also separately targeted Russian financial institutions in this latest round of attacks, which Kaspersky chalks up to the same malware being used by groups with different interests\u2014or possibly as yet another false flag by a hacker team that revels in the practice.<\/p>\n<p class=\"paywall\">Whoever is ultimately behind the attacks, Kaspersky advises hypervigilance on the part of biological and chemical threat research entities for the time being. While the hackers haven\u2019t yet successfully moved past the reconnaissance phase, the impact could be severe if and when they do.<\/p>\n<p class=\"paywall\">\u201cWe want to get the warning out that this group is active again, because they are destructive,\u201d says Baumgartner. \u201cIt looks like they\u2019re failing, but give them another few weeks. We\u2019ll know for certain.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/olympic-destroyer-hackers-may-have-returned-for-more\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b2833c5ba2c1651eb8928cf\/master\/pass\/OlympicDestroyer-Security-AP_17275678626600.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett | Date: Tue, 19 Jun 2018 10:00:00 +0000<\/strong><\/p>\n<p>A recent spate of attacks against biological and chemical threat protection agencies bears the hallmarks of the hacker group behind Olympic 
Destroyer.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-12618","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12618"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12618\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12618"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}