win.olympic_destroyer

Olympic Destroyer

aka: SOURGRAPE

Malware that appears to have no function other than disrupting computer systems related to the 2018 Winter Olympics.

References
2022-08-13 | YouTube (Blue Team Village) | Seongsu Park
@online{park:20220813:attribution:a689611, author = {Seongsu Park}, title = {{Attribution and Bias: My terrible mistakes in threat intelligence attribution}}, date = {2022-08-13}, organization = {YouTube (Blue Team Village)}, url = {https://www.youtube.com/watch?v=rjA0Vf75cYk}, language = {English}, urldate = {2022-09-19} } Attribution and Bias: My terrible mistakes in threat intelligence attribution
AppleJeus Olympic Destroyer
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-04-28 | Fortinet | Gergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2020-11-12 | YouTube (Tomorrow Unlocked) | Tomorrow Unlocked
@online{unlocked:20201112:who:347d3fc, author = {Tomorrow Unlocked}, title = {{Who hacked the 2018 Winter Games?}}, date = {2020-11-12}, organization = {YouTube (Tomorrow Unlocked)}, url = {https://www.youtube.com/watch?v=1jgdMY12mI8}, language = {English}, urldate = {2020-12-03} } Who hacked the 2018 Winter Games?
Olympic Destroyer
2020-11-12 | YouTube (Tomorrow Unlocked) | Tomorrow Unlocked
@online{unlocked:20201112:they:01e7cc2, author = {Tomorrow Unlocked}, title = {{They wanted us to point the finger in the wrong direction!}}, date = {2020-11-12}, organization = {YouTube (Tomorrow Unlocked)}, url = {https://www.youtube.com/watch?v=a4BZ3SZN-CI}, language = {English}, urldate = {2020-12-03} } They wanted us to point the finger in the wrong direction!
Olympic Destroyer
2020-11-12 | YouTube (Tomorrow Unlocked) | Tomorrow Unlocked
@online{unlocked:20201112:those:6584b99, author = {Tomorrow Unlocked}, title = {{Those hackers wanted to be found!}}, date = {2020-11-12}, organization = {YouTube (Tomorrow Unlocked)}, url = {https://www.youtube.com/watch?v=wCv9SiSA7Sw}, language = {English}, urldate = {2020-12-03} } Those hackers wanted to be found!
Olympic Destroyer
2020-10-19 | Wired | Andy Greenberg
@online{greenberg:20201019:us:89aec2c, author = {Andy Greenberg}, title = {{US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit}}, date = {2020-10-19}, organization = {Wired}, url = {https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/}, language = {English}, urldate = {2020-10-19} } US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit
EternalPetya Olympic Destroyer
2020-10-19 | Riskint Blog | Curtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2019-10-17 | Wired | Andy Greenberg
@online{greenberg:20191017:untold:c257d22, author = {Andy Greenberg}, title = {{The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History}}, date = {2019-10-17}, organization = {Wired}, url = {https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/}, language = {English}, urldate = {2020-01-13} } The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History
Olympic Destroyer
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-05-08 | Verizon Communications Inc. | Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2018-06-19 | Kaspersky Labs | GReAT
@online{great:20180619:hades:99ff28a, author = {GReAT}, title = {{Hades, the actor behind Olympic Destroyer is still alive}}, date = {2018-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympic-destroyer-is-still-alive/86169/}, language = {English}, urldate = {2019-12-20} } Hades, the actor behind Olympic Destroyer is still alive
Olympic Destroyer
2018-03-28 | Robert Michel
@online{michel:20180328:dissecting:ee6a118, author = {Robert Michel}, title = {{Dissecting Olympic Destroyer – a walk-through}}, date = {2018-03-28}, url = {https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/}, language = {English}, urldate = {2019-12-06} } Dissecting Olympic Destroyer – a walk-through
Olympic Destroyer
2018-03-09 | Lastline | lastline Labs Team
@online{team:20180309:from:7820406, author = {lastline Labs Team}, title = {{From Russia(?) with Code}}, date = {2018-03-09}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/attribution-from-russia-with-code/}, language = {English}, urldate = {2020-01-07} } From Russia(?) with Code
Olympic Destroyer
2018-03-08 | Kaspersky Labs | GReAT
@online{great:20180308:olympicdestroyer:79780c9, author = {GReAT}, title = {{OlympicDestroyer is here to trick the industry}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/}, language = {English}, urldate = {2019-12-20} } OlympicDestroyer is here to trick the industry
Olympic Destroyer
2018-03-08 | Kaspersky Labs | GReAT
@online{great:20180308:devils:3373375, author = {GReAT}, title = {{The devil’s in the Rich header}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-devils-in-the-rich-header/84348/}, language = {English}, urldate = {2019-12-20} } The devil’s in the Rich header
Olympic Destroyer
2018-02-26 | Cisco Talos | Paul Rascagnères, Martin Lee
@online{rascagnres:20180226:who:095ce83, author = {Paul Rascagnères and Martin Lee}, title = {{Who Wasn’t Responsible for Olympic Destroyer?}}, date = {2018-02-26}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html}, language = {English}, urldate = {2020-01-06} } Who Wasn’t Responsible for Olympic Destroyer?
Olympic Destroyer
2018-02-21 | Lastline | Alexander Sevtsov, Stefano Ortolani
@online{sevtsov:20180221:olympic:6584ecb, author = {Alexander Sevtsov and Stefano Ortolani}, title = {{Olympic Destroyer: A new Candidate in South Korea}}, date = {2018-02-21}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/olympic-destroyer-south-korea/}, language = {English}, urldate = {2019-10-23} } Olympic Destroyer: A new Candidate in South Korea
Olympic Destroyer
2018-02-15 | MBSD | Takashi Yoshikawa, Satoshi Sugawara
@online{yoshikawa:20180215:olympic:a36f959, author = {Takashi Yoshikawa and Satoshi Sugawara}, title = {{Olympic Destroyer}}, date = {2018-02-15}, organization = {MBSD}, url = {https://www.mbsd.jp/blog/20180215.html}, language = {Japanese}, urldate = {2019-12-10} } Olympic Destroyer
Olympic Destroyer
2018-02-13 | Endgame | Devon Kerr
@online{kerr:20180213:stopping:14ebecf, author = {Devon Kerr}, title = {{Stopping Olympic Destroyer: New Process Injection Insights}}, date = {2018-02-13}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights}, language = {English}, urldate = {2020-01-08} } Stopping Olympic Destroyer: New Process Injection Insights
Olympic Destroyer
2018-02-12 | Cisco | Warren Mercer, Paul Rascagnères, Ben Baker, Matthew Molyett
@online{mercer:20180212:olympic:f3f8f87, author = {Warren Mercer and Paul Rascagnères and Ben Baker and Matthew Molyett}, title = {{Olympic Destroyer Takes Aim At Winter Olympics}}, date = {2018-02-12}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2018/02/olympic-destroyer.html}, language = {English}, urldate = {2019-11-20} } Olympic Destroyer Takes Aim At Winter Olympics
Olympic Destroyer
2018 | Virus Bulletin | Paul Rascagnères, Warren Mercer
@online{rascagnres:2018:vb2018:121b1de, author = {Paul Rascagnères and Warren Mercer}, title = {{VB2018 paper: Who wasn’t responsible for Olympic Destroyer}}, date = {2018}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/}, language = {English}, urldate = {2020-01-09} } VB2018 paper: Who wasn’t responsible for Olympic Destroyer
Olympic Destroyer
2017-05-31 | MITRE | MITRE ATT&CK
@online{attck:20170531:sandworm:1a9a446, author = {MITRE ATT&CK}, title = {{Sandworm Team}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034}, language = {English}, urldate = {2022-08-25} } Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
Yara Rules
[TLP:WHITE] win_olympic_destroyer_auto (20230125 | Detects win.olympic_destroyer.)
/*
 * Autogenerated YARA-Signator rule for win.olympic_destroyer (Malpedia).
 * Every $sequence_N string is a raw x86 opcode sequence lifted from the
 * disassembly of the documented sample(s). "??" bytes are YARA wildcards;
 * here they sit where the generator masked 4-byte operands (rel32 call
 * targets, absolute call/data addresses, push imm32), so the pattern
 * tolerates those operands differing. For each string, "n" is the number
 * of instructions in the sequence and "score" is the generator's weight
 * for it; the DISCLAIMER in the meta section explains how much
 * generalisation to expect from rules built this way.
 */
rule win_olympic_destroyer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.olympic_destroyer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer"
        malpedia_rule_date = "20230124"
        // NOTE(review): malpedia_hash appears to identify the Malpedia
        // dataset snapshot this rule was generated from, not a sample hash;
        // confirm against the yara-signator documentation before using it
        // as an indicator.
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The only sequence weighted 200; all others carry score 100.
        $sequence_0 = { 56 33c0 89542414 57 }
            // n = 4, score = 200
            //   56                   | push                esi
            //   33c0                 | xor                 eax, eax
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   57                   | push                edi

        $sequence_1 = { 50 6801010000 6a00 68???????? 6801000080 83ceff }
            // n = 6, score = 100
            //   50                   | push                eax
            //   6801010000           | push                0x101
            //   6a00                 | push                0
            //   68????????           |                     
            //   6801000080           | push                0x80000001
            //   83ceff               | or                  esi, 0xffffffff

        $sequence_2 = { 898d7cf9ffff 8dbd80f9ffff ab ff15???????? }
            // n = 4, score = 100
            //   898d7cf9ffff         | mov                 dword ptr [ebp - 0x684], ecx
            //   8dbd80f9ffff         | lea                 edi, [ebp - 0x680]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ff15????????         |                     

        $sequence_3 = { 50 6800010000 e8???????? 83c408 85c0 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   6800010000           | push                0x100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_4 = { 8974241c 8b07 89742424 33f6 89442420 }
            // n = 5, score = 100
            //   8974241c             | mov                 dword ptr [esp + 0x1c], esi
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   89742424             | mov                 dword ptr [esp + 0x24], esi
            //   33f6                 | xor                 esi, esi
            //   89442420             | mov                 dword ptr [esp + 0x20], eax

        // NOTE(review): this string embeds the absolute address 0x55ee60
        // unmasked (as do $sequence_14 with 0x55ee60, $sequence_8 with
        // 0x404b80, $sequence_9 with 0x5434a1, $sequence_11 with
        // 0x4061a8/0x4061ac, $sequence_19 with 0x559cc8 and $sequence_22
        // with 0x55f2bc). Such operands tie the pattern to one build and
        // image base, so a rebuilt or rebased variant may fail these
        // strings while still being the same code.
        $sequence_5 = { 8b048560ee5500 33db 8b7508 57 8b440818 }
            // n = 5, score = 100
            //   8b048560ee5500       | mov                 eax, dword ptr [eax*4 + 0x55ee60]
            //   33db                 | xor                 ebx, ebx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]

        $sequence_6 = { 50 6819000200 6a00 8d85fccfffff }
            // n = 4, score = 100
            //   50                   | push                eax
            //   6819000200           | push                0x20019
            //   6a00                 | push                0
            //   8d85fccfffff         | lea                 eax, [ebp - 0x3004]

        $sequence_7 = { 50 6805010000 ff15???????? 8d442430 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   6805010000           | push                0x105
            //   ff15????????         |                     
            //   8d442430             | lea                 eax, [esp + 0x30]

        $sequence_8 = { 83e203 83f908 7229 f3a5 ff2495804b4000 }
            // n = 5, score = 100
            //   83e203               | and                 edx, 3
            //   83f908               | cmp                 ecx, 8
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495804b4000       | jmp                 dword ptr [edx*4 + 0x404b80]

        $sequence_9 = { 83f808 74b9 83f807 77c4 ff2485a1345400 8bce e8???????? }
            // n = 7, score = 100
            //   83f808               | cmp                 eax, 8
            //   74b9                 | je                  0xffffffbb
            //   83f807               | cmp                 eax, 7
            //   77c4                 | ja                  0xffffffc6
            //   ff2485a1345400       | jmp                 dword ptr [eax*4 + 0x5434a1]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_10 = { 50 660f73d80c 660f7ec0 53 ff75b0 50 8b4018 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   660f73d80c           | psrldq              xmm0, 0xc
            //   660f7ec0             | movd                eax, xmm0
            //   53                   | push                ebx
            //   ff75b0               | push                dword ptr [ebp - 0x50]
            //   50                   | push                eax
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]

        $sequence_11 = { 8b5dd0 ebab c745e4a8614000 817de4ac614000 7311 8b45e4 8b00 }
            // n = 7, score = 100
            //   8b5dd0               | mov                 ebx, dword ptr [ebp - 0x30]
            //   ebab                 | jmp                 0xffffffad
            //   c745e4a8614000       | mov                 dword ptr [ebp - 0x1c], 0x4061a8
            //   817de4ac614000       | cmp                 dword ptr [ebp - 0x1c], 0x4061ac
            //   7311                 | jae                 0x13
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b00                 | mov                 eax, dword ptr [eax]

        // NOTE(review): the tail "cmp ecx, [abs]; jne +2; rep ret" after an
        // int3 looks like compiler-emitted stack-cookie check boilerplate
        // rather than family-specific code, and $sequence_15 is mostly a
        // function epilogue/prologue. Generic sequences like these may
        // contribute matches on unrelated MSVC-built binaries; weigh that
        // when assigning this rule a confidence level.
        $sequence_12 = { ff15???????? 56 ff15???????? cc 3b0d???????? 7502 f3c3 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   cc                   | int3                
            //   3b0d????????         |                     
            //   7502                 | jne                 4
            //   f3c3                 | ret                 

        $sequence_13 = { 3db8240000 730a bb28000000 8d6bf8 eb08 bb3c000000 }
            // n = 6, score = 100
            //   3db8240000           | cmp                 eax, 0x24b8
            //   730a                 | jae                 0xc
            //   bb28000000           | mov                 ebx, 0x28
            //   8d6bf8               | lea                 ebp, [ebx - 8]
            //   eb08                 | jmp                 0xa
            //   bb3c000000           | mov                 ebx, 0x3c

        $sequence_14 = { 59 59 031cb560ee5500 f6432880 }
            // n = 4, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   031cb560ee5500       | add                 ebx, dword ptr [esi*4 + 0x55ee60]
            //   f6432880             | test                byte ptr [ebx + 0x28], 0x80

        $sequence_15 = { e8???????? c9 c3 55 8bec b82c100000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b82c100000           | mov                 eax, 0x102c

        $sequence_16 = { 50 6805010000 8d85ecfdffff 50 68???????? }
            // n = 5, score = 100
            //   50                   | push                eax
            //   6805010000           | push                0x105
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_17 = { 50 ffd3 8d85c0f9ffff 50 ffb590f9ffff ffd3 f68594f9ffff10 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8d85c0f9ffff         | lea                 eax, [ebp - 0x640]
            //   50                   | push                eax
            //   ffb590f9ffff         | push                dword ptr [ebp - 0x670]
            //   ffd3                 | call                ebx
            //   f68594f9ffff10       | test                byte ptr [ebp - 0x66c], 0x10

        $sequence_18 = { ff15???????? 56 8d85f8efffff 50 6800100000 8d85fcefffff 50 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   56                   | push                esi
            //   8d85f8efffff         | lea                 eax, [ebp - 0x1008]
            //   50                   | push                eax
            //   6800100000           | push                0x1000
            //   8d85fcefffff         | lea                 eax, [ebp - 0x1004]
            //   50                   | push                eax

        $sequence_19 = { 746a 83e805 7456 83e801 0f859b010000 c745e0c89c5500 }
            // n = 6, score = 100
            //   746a                 | je                  0x6c
            //   83e805               | sub                 eax, 5
            //   7456                 | je                  0x58
            //   83e801               | sub                 eax, 1
            //   0f859b010000         | jne                 0x1a1
            //   c745e0c89c5500       | mov                 dword ptr [ebp - 0x20], 0x559cc8

        $sequence_20 = { 50 6800080000 53 8bcf 660f134580 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   6800080000           | push                0x800
            //   53                   | push                ebx
            //   8bcf                 | mov                 ecx, edi
            //   660f134580           | movlpd              qword ptr [ebp - 0x80], xmm0

        $sequence_21 = { 33f6 56 ff15???????? 8945e0 3bc6 }
            // n = 5, score = 100
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   3bc6                 | cmp                 eax, esi

        $sequence_22 = { 8d4c2414 6a04 89442420 c7442418bcf25500 e8???????? 83c404 a3???????? }
            // n = 7, score = 100
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   6a04                 | push                4
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   c7442418bcf25500     | mov                 dword ptr [esp + 0x18], 0x55f2bc
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   a3????????           |                     

    condition:
        // Fires when at least 7 of the 23 sequences above are present and
        // the scanned object is smaller than 1392640 bytes (~1.33 MiB).
        // The size cap presumably reflects the sample(s) the rule was
        // generated from: a larger carrier (packed, bundled or padded)
        // containing the same code will not trigger this rule, and memory
        // scans should account for the cap as well.
        7 of them and filesize < 1392640
}