EclecticIQ Fusion Center Report: Olympic Destroyer - Various Firms Attempt to Attribute (English)
Report from EclecticIQ Fusion Center from Thursday 15 February 2018.
Key Findings:
- In addition to dropping a browser stealer, Olympic Destroyer also drops and executes a system stealer
- The system stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz
- The Olympic Destroyer author(s) used wbadmin.exe to delete shadow volume copies, a standard ransomware step that ensures users cannot restore encrypted files
- Olympic Destroyer and NotPetya, unlike WannaCry, spread via remote WMI and PsExec
- Researchers claim to have identified numerous small code fragments scattered throughout different samples of the malware in these attacks that are linked to Chinese APT groups
- The malware compromised the main IT service provider for the Winter Olympic Games, Atos, which is also suspected to have previously been compromised in December 2017
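The key findings above name two host-level behaviours a defender can look for in process-creation telemetry: shadow-copy deletion through wbadmin.exe (vssadmin.exe is included as the companion tool) and remote execution through WMI and PsExec. The following detection logic is an added example written for this page; it is not EclecticIQ's code or any vendor's signature set. It assumes a simple event shape (host, user, image, command line) such as a Sysmon or EDR process-creation feed would provide, and the sample events are constructed for the example rather than taken from a real incident. It also correlates the two behaviours per host, since seeing both together is a stronger signal than either alone.

```python
"""Detection logic for the behaviours listed in the key findings: shadow-copy
deletion (wbadmin/vssadmin) and lateral movement via remote WMI and PsExec.
Added example; sample events below are constructed, not real telemetry."""
import re

# Each rule: (category, name, regex applied to the lower-cased command line).
RULES = [
    ("destruction", "wbadmin_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b")),
    ("destruction", "vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("lateral_movement", "wmi_remote_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b")),
    # PsExec invoked against a UNC target (\\host); the trailing \\\\ matches two backslashes.
    ("lateral_movement", "psexec_remote_execution",
     re.compile(r"\bpsexec(\.exe)?\b.*\\\\\S+")),
]

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "corp\\svc01",
     "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "ws01", "user": "corp\\svc01",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "corp\\svc01",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:ws02 /user:corp\\svc01 process call create \"C:\\Temp\\payload.exe\""},
    {"host": "ws01", "user": "corp\\svc01",
     "image": "C:\\Temp\\psexec.exe",
     "cmdline": "psexec.exe \\\\ws03 -accepteula -s C:\\Temp\\payload.exe"},
    # Benign: listing shadow copies is routine admin work and must not fire.
    {"host": "ws05", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws05", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]


def match_event(event):
    """Return the (category, rule name) pairs whose pattern hits this event."""
    cmdline = event["cmdline"].lower()
    return [(cat, name) for cat, name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Run every rule over every event; one finding dict per rule hit."""
    findings = []
    for ev in events:
        for cat, name in match_event(ev):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "category": cat, "rule": name,
                             "cmdline": ev["cmdline"]})
    return findings


def correlate(findings):
    """Hosts showing BOTH shadow-copy deletion and lateral movement, sorted.
    The combination is the pattern described for Olympic Destroyer and merits
    a higher severity than either category on its own."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["category"])
    return sorted(h for h, cats in by_host.items()
                  if {"destruction", "lateral_movement"} <= cats)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f['category']}] {f['host']} {f['user']} {f['rule']}: {f['cmdline']}")
    print("hosts with destruction + lateral movement:", correlate(hits))
```

The LSASS credential-theft finding is deliberately not covered here: it needs a process-access event source (which process opened a handle to lsass.exe, with what rights) rather than a command line, so it belongs in a separate rule over that event type.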
About EclecticIQ
EclecticIQ develops analyst-centric products that align our clients’ cybersecurity focus with their threat reality. The result is intelligence-led security, improved detection, prevention, and response.
EclecticIQ Fusion Center
EclecticIQ Fusion Center delivers thematic intelligence bundles providing a single curated source of relevant CTI from leading suppliers all in a single contract.