Protecting Against Data Destruction Attacks

Olympic Destroyer

Recently, a string of cyber attacks disrupted services and caused a multitude of IT-related issues at the Winter Olympics in PyeongChang.  While who is behind the attacks and the method of compromise are currently unknown the intention of the malware, known as ‘Olympic Destroyer’, appears to be focused solely on data destruction.  Talos Security researchers have pointed out that the malware samples analyzed thus far “appear to perform only destructive functionality”, with no signs that any data exfiltration has taken place.  Olympic Destroyer attempts to render the target machines unusable by deleting critical system files and using specific processes to pivot through the attack environment.  For a detailed technical analysis, please refer to the Vulnerability Analysis here.  High-profile events are often targeted because they provide a chance for attackers to broadcast their message on a global scale and the Olympics represent the perfect opportunity.  It was reported that during the 2012 London Olympics BT (holders of BT Telecommunications) staved off considerable cyber threats to ensure there were no disruptions during the games.  According to past Olympic CIO Gary Pennell, “some 165 million individual security-related events were identified” over the course of the games, mostly consisting of password challenges and DDoS attacks.

Evolving Threats

As cyber threats continue to evolve it is becoming more difficult to protect systems and predict the channels through which attacks will occur.  In their 2017 Midyear Cybersecurity Report, Cisco pointed out that based on recent observations many analysts believe that a new type of attack currently being referred to as Destruction of Service (DeOS) may be in the early stages of development.  Similar to how Olympic Destroyer operates, the purpose of DeOS attacks would be to target data, destroy or corrupt it, and prevent data restoration and recovery.  This represents a shift from traditional DDoS attacks which are typically used to deny service for relatively short periods of time and don’t usually cause any permanent damage.  Such an evolution in attacker behavior would also require that security planning and best practices be updated accordingly to defend against any such threats.  Destruction of critical data such as sensitive information within the financial sector could in turn have dire consequences affecting not only the banking institutions but also the millions of customers they serve.

How Best Practices Apply

Refocusing on the recent Olympic attacks that occurred in PyeongChang, while the data targeted was not particularly sensitive the effects of any loss had there been a bigger “hit” could have been quite exstensive.  Causing a large scale disruption at an event as widely viewed as the Olympics would send a dark message to the rest of the world and could even induce some level of panic.  Best practices revolving around system hardening are especially relevant to this particular scenario, given that the malware was able to mutate when moving from from system to system while taking advantage of stolen credentials.  Had proper system hardening measures been applied extensively and devices been configured to maximize security throughout the Olympic network its possible that the impact of the attack could have been lessened significantly.  In the case of the Olympics where planning and execution are such monumental tasks having foundational security best practices in place is imperative.  The ability to defend against new types of malware that target data for destruction is improved when you have ability to “lock” systems down via secure configurations.

Resources for System Hardening

National Checklist Program (NCP) Repository – This U.S. Government resource contains roughly 500 records consisting of security checklists or benchmarks, providing guidance on security configurations that can be applied to different applications, operating systems, and devices.

Center for Internet Security (CIS) Benchmarks – Global community resource with 100+ guidelines for various applications and operating systems.  This provides configuration guidelines to help safeguard systems against cyber threats.

Secure Technical Implementation Guides (STIGS) – These are configuration standards geared towards the DoD and IA enabled systems and devices that provide detailed instructions on how to maximize device and system security.

While not a bullet proof solution using standardized security practices such as configuration checklists, benchmarks, and guidelines goes a long way in preventing cyber attacks from getting out of hand.

SOURCES:
Talos Security, http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
BBC, http://www.bbc.com/news/technology-43030673
Computing, https://www.computing.co.uk/ctg/news/2252841/how-the-london-olympics-dealt-with-six-major-cyber-attacks
Cisco, https://blogs.cisco.com/security/adversaries-new-strategy-cyber-attacks-designed-for-destruction-not-just-disruption
NIST, https://nvd.nist.gov/ncp/repository
CIS, https://www.cisecurity.org/cis-benchmarks/
DISA, https://iase.disa.mil/stigs/Pages/index.aspx
NBC, https://www.nbcolympics.com