Olympic Destroyer
Olympic Destroyer is a destructive Windows wiper malware used in the February 9, 2018 attack on the IT systems supporting the 2018 PyeongChang Winter Olympic Games. The operation followed intrusions running from December 2017 through February 2018 and disrupted the opening ceremony, including Wi-Fi, the Olympics website, ticketing, and broadcast drones; the reporting cited on this page states that more than 300 systems were compromised and that domain controllers were repeatedly wiped, rendering much of the network unusable. Several of the cited sources attribute the malware to Sandworm / GRU Unit 74455 (also tracked as Razing Ursa in one cited source), and U.S. government materials cited here record the official acknowledgement of Sandworm's responsibility.
Capabilities described in the cited sources include credential theft, lateral movement, discovery, anti-recovery actions, log clearing, service disruption, and destructive wiping. Olympic Destroyer contains modules that attempt to obtain stored credentials from web browsers and credentials from LSASS memory. It uses the stolen credentials with PsExec and Windows Management Instrumentation (WMI) to propagate across a network: it attempts to copy itself to remote machines, uses PsExec to interact with the ADMIN$ share and execute commands remotely, and uses WMI to enumerate systems across the network. It also enumerates mapped network shares and the local ARP table. For impact, it overwrites files locally and on remote shares, disables services via ChangeServiceConfigW, clears the Windows System and Security event logs with wevtutil, uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete or disable recovery features (including the Windows backup catalog and Windows Automatic Repair), and shuts down the compromised system after modifying its configuration.
The cited sources also point to Olympic Destroyer as an example of malware that carries misleading attribution indicators (false flags) intended to confuse defenders.
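As an added example, not code from this page or from any of the reports it cites, the following Python detector runs over constructed process-creation records and flags a host that combines the anti-recovery and log-clearing commands described above (vssadmin, wbadmin, bcdedit, wevtutil). The record format, host names, paths and the two-category threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host|parent image|image|command line).
# The command lines reuse the anti-recovery and log-clearing behaviours the
# write-up describes; they are sample data, not captured telemetry.
SAMPLE = "\n".join([
    r"WS01|C:\Users\ops\AppData\Local\Temp\svc.exe|cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    r"WS01|C:\Users\ops\AppData\Local\Temp\svc.exe|cmd.exe|cmd.exe /c wbadmin.exe delete catalog -quiet",
    r"WS01|C:\Users\ops\AppData\Local\Temp\svc.exe|cmd.exe|cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"WS01|C:\Users\ops\AppData\Local\Temp\svc.exe|cmd.exe|cmd.exe /c bcdedit.exe /set {default} recoveryenabled no",
    r"WS01|C:\Users\ops\AppData\Local\Temp\svc.exe|cmd.exe|cmd.exe /c wevtutil.exe cl System",
    r"WS01|C:\Users\ops\AppData\Local\Temp\svc.exe|cmd.exe|cmd.exe /c wevtutil.exe cl Security",
    r"ADMIN-PC|explorer.exe|vssadmin.exe|vssadmin.exe list shadows",
    r"ADMIN-PC|powershell.exe|wevtutil.exe|wevtutil.exe qe Application /c:5",
    r"SRV02|cmd.exe|wevtutil.exe|wevtutil.exe cl Security",
])

# One case-insensitive regex per behaviour; the key is the category used for correlation.
RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "eventlog_cleared": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(system|security)\b", re.I),
}

def parse_events(text):
    """Split pipe-delimited records into dicts; the command line is the final field, so split at most 3 times."""
    events = []
    for line in text.strip().splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        events.append({"host": host, "parent": parent, "image": image, "cmdline": cmdline})
    return events

def classify(event):
    """Return the sorted list of rule categories matched by one event's command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(event["cmdline"]))

def correlate(events, min_categories=2):
    """A lone 'vssadmin delete shadows' is noisy (backup jobs run it); a host that combines
    two or more distinct anti-recovery / log-clearing categories is the wiper pattern."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {host: sorted(cats) for host, cats in per_host.items() if len(cats) >= min_categories}

if __name__ == "__main__":
    for host, cats in correlate(parse_events(SAMPLE)).items():
        print(f"{host}: {', '.join(cats)}")
```

In the sample, only WS01 is flagged; SRV02's single log clear and ADMIN-PC's benign vssadmin/wevtutil use stay below the threshold.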
Groups observed using it
4 distinct threat actors attributed by public researchers.
Pyeongchang Winter Olympics 2018 Olympic Destroyer wiper; attributed to Razing Ursa (aka GRU Unit 74455, Sandworm) ... Wi-Fi at opening ceremony, Olympics website, ticketing, broadcast drones disabled. 300+ systems compromised.
The GRU’s malign cyber activities include deployment of the NotPetya and Olympic Destroyer malware; intrusions targeting the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency; cyber attacks on government systems and critical infrastructure in Ukraine and the state of Georgia; and hack-and-leak operations targeting elections in the United States and France.
"...false flags were planted in the case of the Olympic Destroyer malware that was employed by the Russian-attributed Sandworm Advanced Persistent Threat (APT) group against the 2018 Winter Olympics in Pyeongchang, South Korea..."
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
The defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).
The GRU’s malign cyber activities include deployment of the NotPetya and Olympic Destroyer malware; intrusions targeting the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency
Execution (2 techniques)
Persistence (1 technique)
Stealth (2 techniques)
During malware development, adversaries may intentionally include indicators aligned with other known actors in order to mislead attribution by defenders.
Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.
Credential Access (4 techniques)
Multiple actors and tools are described as using Mimikatz/Windows Credential Editor/LaZagne/ProcDump to “dump credentials,” often by targeting LSASS memory (e.g., “used Mimikatz to capture and use legitimate credentials,” “dumped the LSASS process memory using the MiniDump function,” “injecting itself into lsass.exe”).
Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.
Web browsers typically store credentials in an encrypted form within a credential store; however, methods exist to extract plaintext credentials from web browsers.
The cited sources repeatedly describe threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery (3 techniques)
Olympic Destroyer uses API calls to enumerate the infected system's ARP table.
Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.
Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.
Lateral Movement (3 techniques)
Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.
Examples include 'Aquatic Panda used WMI for lateral movement in victim environments,' 'Deep Panda group is known to utilize WMI for lateral movement,' and 'Cinnamon Tempest has used Impacket for lateral movement via WMI.'
Olympic Destroyer attempts to copy itself to remote machines on the network.
Impact (7 techniques)
The Handala Hack Team, assessed by the U.S. Federal Bureau of Investigation (FBI) and multiple commercial threat intelligence firms to be a front for Iran's Ministry of Intelligence and Security (MOIS), executed significant wiper attacks in early 2026.
Olympic Destroyer uses the API call ChangeServiceConfigW to disable all services on the affected system.
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
The Olympic Destroyer malware caused issues during the Opening Ceremony, including taking down Wi-Fi networks, ticketing systems, and contributing to flickering broadcast infrastructure.
Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.
Malware had repeatedly wiped the domain controllers, rendering a lot of the network unusable.
Recent activity
54 sources tracked across advisories, community write-ups, and news.
Destructive wiper malware used during the 2018 Pyeongchang Winter Olympics to disrupt Wi-Fi, ticketing, websites, and other event systems.
Destructive malware used to disrupt IT systems supporting the PyeongChang Winter Olympics.
Destructive malware referenced as a case study showing attackers can steal credentials and maintain footholds for months before activating operations during a major event.
Destructive malware used to disrupt Olympic operations, including Wi-Fi, ticketing systems, and broadcast-related infrastructure during the Pyeongchang 2018 Winter Olympics.