Olympic Destroyer

Olympic Destroyer is malware that was first seen infecting computer systems at the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware appears to be to cause destructive impact to the affected systems. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. The malware has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[1]

ID: S0365
Type: MALWARE
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.[1]

Enterprise T1081 Credentials in Files

Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.[1]

Enterprise T1485 Data Destruction

Olympic Destroyer overwrites files locally and on remote shares. [1]

Enterprise T1070 Indicator Removal on Host

Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.[1]

Enterprise T1490 Inhibit System Recovery

Olympic Destroyer uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair.[1]

Enterprise T1135 Network Share Discovery

Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.[1]

Enterprise T1105 Remote File Copy

Olympic Destroyer attempts to copy itself to remote machines on the network.[1]

Enterprise T1018 Remote System Discovery

Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.[1]

Enterprise T1035 Service Execution

Olympic Destroyer utilizes PsExec to help propagate itself across a network.[1]

Enterprise T1489 Service Stop

Olympic Destroyer uses the API call ChangeServiceConfigW to disable all services on the affected system.[1]

Enterprise T1016 System Network Configuration Discovery

Olympic Destroyer uses API calls to enumerate the infected system's ARP table.[1]

Enterprise T1529 System Shutdown/Reboot

Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.[1]

Enterprise T1077 Windows Admin Shares

Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.[1][2]

Enterprise T1047 Windows Management Instrumentation

Olympic Destroyer uses WMI to help propagate itself across a network.[1]

References