Skip to content

S0365 Olympic Destroyer

Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.12

Item Value
ID S0365
Associated Names
Type MALWARE
Version 2.0
Created 25 March 2019
Last Modified 23 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.1
enterprise T1485 Data Destruction Olympic Destroyer overwrites files locally and on remote shares.12
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.1
enterprise T1490 Inhibit System Recovery Olympic Destroyer uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair.1
enterprise T1570 Lateral Tool Transfer Olympic Destroyer attempts to copy itself to remote machines on the network.1
enterprise T1135 Network Share Discovery Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.13
enterprise T1018 Remote System Discovery Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.1
enterprise T1489 Service Stop Olympic Destroyer uses the API call ChangeServiceConfigW to disable all services on the affected system.1
enterprise T1016 System Network Configuration Discovery Olympic Destroyer uses API calls to enumerate the infected system’s ARP table.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Olympic Destroyer utilizes PsExec to help propagate itself across a network.1
enterprise T1529 System Shutdown/Reboot Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.12
enterprise T1047 Windows Management Instrumentation Olympic Destroyer uses WMI to help propagate itself across a network.1

Groups That Use This Software

ID Name References
G0034 Sandworm Team 45267

References

  1. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. 

  2. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  3. Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015. 

  4. CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020. 

  5. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. 

  6. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.