

Pyeongchang Olympics Hack: Attackers Evolve Beyond Zero Days

By Raj Samani

A campaign targeting the Pyeongchang Olympics began at the end of December 2017. The attackers sent emails to organizations that were both associated with the Olympics and based in South Korea, persuading targets to open attached documents from what appeared to be a trustworthy source: South Korea’s National Counter-Terrorism Center (NCTC). The emails were deliberately timed: as they arrived, the NCTC was conducting physical antiterror drills in preparation for the Games.

Timing a lure to a real event and spoofing a trusted sender to nudge the recipient into interacting are tried and tested tactics. The attackers were meticulous and strategic, even scheduling the implant to execute at 2 a.m., when users were unlikely to be active or to notice anything. However, one further detail sets this campaign apart from the barrage of malicious emails that hit inboxes every day. On December 20, 2017, a new tool, Invoke-PSImage, was released to the public. It takes a PowerShell script and “embeds the bytes of the script into the pixels of a PNG image,” a technique known as steganography. Embedding malicious content in an image file lets attackers hide their activity better, because the image still renders normally and looks like any other picture.
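As an added illustration (not part of the original article, and not Invoke-PSImage’s own code), the following Python script reimplements the embedding scheme the tool’s README describes: each payload byte is split into two nibbles that are written into the low four bits of two colour channels of a single pixel, one byte per pixel. The channel layout used here (high nibble in blue, low nibble in green) follows the tool’s published decoder as far as I recall it and should be treated as an assumption; the principle is identical whichever channels are chosen. The cover image and the “script” are constructed inline, and a minimal PNG writer and reader are included so the example runs offline with only the standard library.

```python
"""Reimplementation of the Invoke-PSImage embedding scheme (assumed layout):
one payload byte per pixel, high nibble in the low 4 bits of blue, low nibble
in the low 4 bits of green. Standard library only."""
import struct
import zlib

# Constructed sample payload; a real campaign hides a full PowerShell stager here.
SAMPLE_SCRIPT = b"Write-Host 'stego demo'  # constructed sample, not real malware"


def _chunk(tag, data):
    """Build one PNG chunk: length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def write_png(width, height, pixels):
    """Encode 8-bit RGB pixels (row-major list of (r, g, b)) as a non-interlaced PNG."""
    raw = bytearray()
    for y in range(height):
        raw.append(0)  # filter type 0 (None) for this row
        for x in range(width):
            raw.extend(pixels[y * width + x])
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw), 9)) + _chunk(b"IEND", b""))


def read_png(data):
    """Decode the PNGs produced by write_png (8-bit RGB, unfiltered rows)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos = 8
    width = height = 0
    idat = bytearray()
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("reader only handles 8-bit RGB")
        elif tag == b"IDAT":
            idat.extend(body)
        pos += 12 + length
    raw = zlib.decompress(bytes(idat))
    stride = 1 + 3 * width
    pixels = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("reader only handles unfiltered rows")
        pixels.extend(tuple(row[1 + 3 * x:4 + 3 * x]) for x in range(width))
    return width, height, pixels


def embed(pixels, payload):
    """Hide payload in the low nibbles of blue (high nibble) and green (low nibble).
    Refuses payloads larger than the image: capacity is one byte per pixel."""
    if len(payload) > len(pixels):
        raise ValueError(f"payload {len(payload)} B exceeds capacity {len(pixels)} B")
    out = list(pixels)
    for i, byte in enumerate(payload):
        r, g, b = out[i]
        out[i] = (r, (g & 0xF0) | (byte & 0x0F), (b & 0xF0) | (byte >> 4))
    return out


def extract(pixels, length):
    """Recover `length` bytes: byte = (B & 15) << 4 | (G & 15)."""
    return bytes(((b & 0x0F) << 4) | (g & 0x0F) for _, g, b in pixels[:length])


def max_channel_delta(a, b):
    """Largest per-channel change between two pixel lists; nibble stego stays <= 15."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def demo(width=16, height=8):
    """Embed SAMPLE_SCRIPT in a constructed gradient, round-trip through PNG, extract."""
    cover = [((x * 16) & 0xFF, (y * 32) & 0xFF, ((x + y) * 8) & 0xFF)
             for y in range(height) for x in range(width)]
    stego = embed(cover, SAMPLE_SCRIPT)
    png = write_png(width, height, stego)
    _, _, decoded = read_png(png)
    recovered = extract(decoded, len(SAMPLE_SCRIPT))
    return {"roundtrip": recovered == SAMPLE_SCRIPT,
            "max_delta": max_channel_delta(cover, stego),
            "png_bytes": len(png)}


if __name__ == "__main__":
    print(demo())
```

The number a defender should notice is the maximum per-channel change, which never exceeds 15 out of 255: the stego image renders indistinguishably from the original, so inspecting the picture itself is a poor detection strategy. The practical signals are the decoder one-liner that reads pixels back into bytes and the PowerShell execution that follows, not the image.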

We often talk about the elusive zero-day attack: the exploitation of a vulnerability that is not yet publicly known or patched. The reality, as this campaign and others demonstrate, is that a zero day is not needed, because attackers now develop and adopt new hacking tools far more quickly than before. Invoke-PSImage had been published only about a week before the attack on the Olympic support organizations was launched. The actors folded the new tool into their campaign, building custom malware solely to infiltrate systems associated with the upcoming Games.

When looking at a new attack or campaign, it is easy to focus on who might be behind it. It is important, however, not to fall into the trap of focusing entirely on attribution. Speculation will always be rife, and will likely settle on one or two nations, yet proper attribution requires much more than technical analysis: it carries the burden of proving cause and effect, and sophisticated actors have a number of methods for ensuring an attack cannot easily be mapped back to them. Groups likely backed by nation-states also actively track published findings from the information security community to fuel their attacks. This gives them full transparency into the community's work, while they clearly offer nothing in return.

All of these factors make it essential that, when insight into attackers' techniques becomes available, we do not miss the opportunity to learn from it. Focusing our attention on the methodology and techniques behind an attack will enable us to defend against it, and against similar attacks, in the future.