OlympicDestroyer
OlympicDestroyer is a destructive self-propagating Windows network worm used in the cyberattack that disrupted infrastructure associated with the 2018 Winter Olympics in Pyeongchang, South Korea. Reported effects included outages affecting Wi-Fi, display systems, the Olympics website, and ticket printing, and the malware also impacted organizations working closely with the Games, including ski resort hotels, a ski resort automation software vendor, and Atos. One attacked ski resort server reportedly controlled ski gates and ski lifts, and researchers assessed that a dedicated ski resort automation server was used as patient zero for the destructive outbreak timed shortly before the opening ceremony on 2018-02-09.
The main malware module consisted of multiple components: a legitimate PsExec tool from SysInternals, credential-stealing modules, and a wiper. It collected passwords from browsers and Windows credential storage, generated new copies of itself containing stolen and newly collected credentials, and propagated laterally to accessible local network systems using PsExec, stolen credentials, and current user privileges. Investigators also observed manual lateral movement before worm deployment using PsExec, stolen credentials, Meterpreter, and PowerShell scriptlets.
The wiper attempted to destroy files on remote network shares for about 60 minutes. It then cleared Windows event logs, reset backups, deleted shadow copies, disabled recovery options and services, and rebooted systems into an unusable state. The malware reportedly did not use persistence, included protection against recurring reinfection, did not destroy local files, and did not wipe its own components.
Associated intrusion activity included spearphishing from at least December 2017 using Winter Olympics-themed malicious Office documents with gibberish text to induce users to enable macros. When enabled, the documents launched cmd.exe and PowerShell to download additional PowerShell stages and backdoor the system. A related victim communicated with an Argentinian command-and-control server over ports 443, 4443, 8080, 8081, 8443, and 8880. Reported infrastructure details included a suspicious domain microsoft******[.]com, use of MonoVM VPS infrastructure, and management of the Argentinian server through a NordVPN exit IP in Norway.
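The behaviours described above (Office document spawning cmd.exe and PowerShell, PsExec-driven lateral movement, and the wiper's backup and log destruction) can be turned into host-level correlation logic. The following is an added example written for this page, not code from the vendor reports or from Mallory: it scans constructed, simplified Sysmon Event ID 1 style process-creation events and raises one alert per host when several recovery-inhibition steps cluster within a short window, rather than on any single administrative command. The command-line patterns (vssadmin, wbadmin, bcdedit, wevtutil) are standard Windows tools assumed here to represent the steps the page lists; the page itself does not name the exact commands, and the thresholds and field names are assumptions.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns for the recovery-inhibition steps the page lists
# (shadow copy deletion, backup reset, recovery disablement, log clearing).
# These are standard Windows tools; the page does not name the commands itself.
INHIBITION_PATTERNS = [
    ("shadow_copies_deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deleted", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample events (simplified Sysmon Event ID 1 fields, not real telemetry).
# WS-03: macro-style Office -> cmd.exe launch.  WS-01: PsExec service start followed by
# several inhibition steps within minutes.  WS-02: a lone admin vssadmin run that
# should stay below the alert threshold.
SAMPLE_EVENTS = [
    {"ts": "2018-02-09T19:50:00", "host": "WS-03", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": "cmd.exe /c powershell.exe"},  # arguments omitted in this constructed sample
    {"ts": "2018-02-09T20:00:01", "host": "WS-01", "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "PSEXESVC.exe"},
    {"ts": "2018-02-09T20:01:10", "host": "WS-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2018-02-09T20:01:12", "host": "WS-01", "image": r"C:\Windows\System32\wbadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2018-02-09T20:01:15", "host": "WS-01", "image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2018-02-09T20:01:20", "host": "WS-01", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "wevtutil.exe cl System"},
    {"ts": "2018-02-09T20:05:00", "host": "WS-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "vssadmin delete shadows /for=C: /oldest"},
]


def classify_inhibition(cmd):
    """Return the inhibition-step label matching a command line, or None."""
    for label, pattern in INHIBITION_PATTERNS:
        if pattern.search(cmd):
            return label
    return None


def detect(events, window_seconds=300, min_steps=2):
    """Scan process-creation events and return a list of alert dicts.

    Alert kinds:
      office_macro_shell          - an Office process spawned cmd.exe/powershell.exe
      psexec_service              - the PsExec service binary (PSEXESVC.exe) started
      recovery_inhibition_cluster - at least `min_steps` distinct inhibition steps
                                    on one host inside `window_seconds`
    A single inhibition command never alerts on its own, which keeps routine
    administrative use of vssadmin/wbadmin below the threshold.
    """
    alerts = []
    per_host = defaultdict(list)  # host -> [(datetime, label)]

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        image_name = ntpath.basename(ev["image"]).lower()
        parent_name = ntpath.basename(ev["parent"]).lower()
        if parent_name in OFFICE_PARENTS and image_name in SHELLS:
            alerts.append({"kind": "office_macro_shell", "host": ev["host"],
                           "ts": ev["ts"], "detail": f"{parent_name} -> {image_name}"})
        if image_name == "psexesvc.exe":
            alerts.append({"kind": "psexec_service", "host": ev["host"],
                           "ts": ev["ts"], "detail": ev["cmd"]})
        label = classify_inhibition(ev["cmd"])
        if label:
            per_host[ev["host"]].append((ts, label))

    window = timedelta(seconds=window_seconds)
    for host, steps in per_host.items():
        steps.sort()
        for i, (start, _) in enumerate(steps):
            in_window = [lbl for t, lbl in steps[i:] if t - start <= window]
            distinct = sorted(set(in_window))
            if len(distinct) >= min_steps:
                alerts.append({"kind": "recovery_inhibition_cluster", "host": host,
                               "ts": start.isoformat(), "detail": ",".join(distinct)})
                break  # one cluster alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['kind']}] {alert['host']} at {alert['ts']}: {alert['detail']}")
```

The cluster rule is the part worth tuning in a real deployment: the page notes the wiper ran through its sequence within about an hour on each host, so a window of a few minutes across two or more distinct inhibition steps separates that sequence from an administrator deleting old shadow copies, which produces only one step.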
Attribution was heavily contested. Public reporting noted apparent overlaps with NotPetya, BadRabbit, Chinese APT activity, Sofacy, and Lazarus/BlueNoroff. Kaspersky concluded that some of the strongest Lazarus-linked artifacts, including a Rich header fingerprint, were deliberately forged as false flags. Separate retrospective reporting stated the operation was somehow related to Sofacy and that follow-on activity was tracked as a separate entity called Hades, linked to the Zebrocy subset and part of the BlackEnergy/GreyEnergy/Sandworm cluster. The high-confidence characterization across the cited reporting is that OlympicDestroyer was a sophisticated false-flag operation designed both to disrupt Olympic-related infrastructure and to complicate attribution.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The main malware module is a network worm that consists of multiple components, including a legitimate PsExec tool from SysInternals’ suite, a few credential stealer modules and a wiper.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In the past, we have seen sophisticated attacks such as OlympicDestroyer confusing the industry and complicating attribution.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Since December 2017 security researchers have been seeing samples of MS Office documents in spearphishing emails related to the Winter Olympics uploaded to VirusTotal. The documents contained nothing but slightly formatted gibberish ... encouraging the user to press a button to “Enable Content”.
Execution (3 techniques)
When the victim “enables content”, the document starts a cmd.exe with a command line to execute a PowerShell scriptlet that, in turn, downloads and executes a second stage PowerShell scriptlet and, eventually, backdoors the system.
Stealth (4 techniques)
As standalone fileless backdoors, they were built and obfuscated using the same tool.
Credential Access (2 techniques)
Discovery (1 technique)
Lateral Movement (3 techniques)
They seemed to be moving through the network via PsExec and stolen credentials, opening a default Meterpreter port (TCP 4444) and downloading and running a backdoor (Meterpreter).
Command and Control (2 techniques)
Impact (4 techniques)
The purpose of the malware is to deliver and start the wiper payload which attempts to destroy files on the remote network shares over the next 60 minutes.
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Destructive self-propagating malware used in the Pyeongchang Winter Olympics attack. It steals credentials from browsers and Windows storage, propagates laterally using PsExec and stolen credentials, delivers a wiper payload to remote systems and shares, deletes backups and shadow copies, clears event logs, disables services, and reboots systems into an unbootable state.
Destructive malware referenced as an example of a sophisticated false-flag operation complicating attribution.
Referenced as a destructive malware incident affecting the Olympic Games organization; no additional technical details provided in this content.
Destructive malware used in a sophisticated false-flag operation; later treated as a distinct activity subset (Hades) by the authors.