Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | |
| Enterprise | T1490 | Inhibit System Recovery | Olympic Destroyer uses the native Windows utilities |
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1135 | Network Share Discovery | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network. |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1047 | Windows Management Instrumentation | |
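A detection sketch for the propagation chain described in the T1003.001 row (LSASS credential access feeding PsExec and WMI execution on other hosts), added here as an example and not code from the ATT&CK page. It classifies constructed Sysmon-style and System-log events and flags when a suspicious LSASS access on one host is accompanied by PsExec or WMI execution on a different host; the event IDs (10, 1, 7045), the PSEXESVC service name, the log line format and the LSASS allowlist are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample events (not from the page), in a simplified
# "timestamp|host|event_id|key=value;..." form so the example runs offline.
SAMPLE_LOG = """\
2018-02-09T20:01:05|WS-01|10|SourceImage=C:\\Temp\\dropper.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1010
2018-02-09T20:02:11|WS-02|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2018-02-09T20:02:30|WS-03|1|Image=C:\\Windows\\System32\\cmd.exe;ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
2018-02-09T20:03:00|WS-04|10|SourceImage=C:\\Windows\\System32\\svchost.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1400
"""

# Images that legitimately open LSASS; anything else is treated as suspicious (assumed allowlist).
LSASS_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}


def parse_line(line):
    """Split one log line into a dict of timestamp, host, event_id and the key=value fields."""
    ts, host, event_id, fields = line.split("|", 3)
    kv = dict(f.split("=", 1) for f in fields.split(";"))
    return {"ts": ts, "host": host, "event_id": int(event_id), **kv}


def classify(ev):
    """Map one event to an ATT&CK technique from the Olympic Destroyer profile, or None."""
    src, tgt = ev.get("SourceImage", "").lower(), ev.get("TargetImage", "").lower()
    if ev["event_id"] == 10 and tgt.endswith(r"\lsass.exe") and src not in LSASS_ALLOWLIST:
        return "T1003.001"  # OS Credential Dumping: LSASS Memory
    if ev["event_id"] == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "T1569.002"  # System Services: Service Execution (PsExec service install)
    if ev["event_id"] == 1 and ev.get("ParentImage", "").lower().endswith(r"\wmiprvse.exe"):
        return "T1047"  # Windows Management Instrumentation spawning a process
    return None


def detect(log_text):
    """Return {host: [technique, ...]} for every host showing one of the behaviours above."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        tech = classify(ev)
        if tech:
            hits[ev["host"]].append(tech)
    return dict(hits)


def lateral_movement_chain(log_text):
    """True when suspicious LSASS access on one host coincides with PsExec or WMI
    execution on a different host, the propagation pattern the profile describes."""
    hits = detect(log_text)
    dumpers = {h for h, t in hits.items() if "T1003.001" in t}
    movers = {h for h, t in hits.items() if {"T1569.002", "T1047"} & set(t)}
    return bool(dumpers) and bool(movers - dumpers)
```

The allowlisted svchost.exe access on WS-04 is deliberately not flagged, which is the main source of noise in raw Sysmon event 10 data.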