Winter Olympics Cyber Attack Signs Point to Russia – So Why the False-Flag?

A spokesman for the Pyeongchang Organizing Committee confirmed that a cyber attack disrupted the recent Olympic Games opening ceremony.  The disruption took out Internet access and telecasts on non-critical machines, grounded broadcasters’ drones, shut down the Pyeongchang 2018 website, and prevented spectators from printing out reservations and attending the ceremony.

Per reports, the attackers gained access to approximately 300 computers, hacked routers, and distributed malware in the lead-up to and during the event’s ceremonies.  Initial findings by at least one computer security company concluded that the attack had been prepared a year in advance.  According to the company’s researchers, the attackers could have destroyed computers but restrained themselves, erasing only the backup files on Windows machines.  The researchers concluded that the attack was an attempt to send a political message.  As of this writing, the initial attack vector has not been determined, or at least not made public, although speculation is that access gained earlier was used to launch this attack.

According to one news source citing U.S. intelligence officials, Russian spies were behind the cyber attack, retaliating for Russia being barred from competing in the games because of a doping scandal.  Of note, these officials believe that the attack was intended to be a “false-flag” operation: the attackers are alleged to have used North Korean IP addresses and other “tactics” to make it appear that North Korea was behind the attacks.  No evidence has been produced thus far by the government, as it had done when supporting its claims of North Korea’s culpability in the Sony hack.

While there may very well be classified information that helps attribute this activity, motive is largely the evidence that points to Russian culpability.  Paying back the International Olympic Committee (IOC) for not allowing Russian athletes to compete under the national flag would be consistent with fervent Russian nationalism and its need to protect all aspects of its cultural identity.  Russian state or state-affiliated actors are alleged to have orchestrated previous cyber attacks against Olympic targets, notably the 2016 cyber attack against the World Anti-Doping Agency, in which the attackers gained access to athlete data, including confidential medical data, and made it public.

If motive is going to be the primary factor in attribution (note that malware analysis provided no clues, since the malware incorporated traits of malware used by a variety of suspected state actors), only two governments were probable suspects at the time of the attack – North Korea and Russia.  However, after tumultuous events over nuclear weapon development and missile firings, North Korea made grand diplomatic overtures to South Korea and ultimately marched with it under one flag.  It would seem improbable that it would want to detract from the headway made via its Olympic diplomacy with a nuisance attack.

Still stinging from its inability to walk under its own flag, Russia seems the probable suspect behind the cyber attack, wanting to express its dissatisfaction with the IOC.  If true, the fact that the attackers could have destroyed machines and didn’t is testament that Russia wanted to register displeasure, not punish South Korea for the IOC’s decision.

However, what gives pause – if the reporting stands correct – is why state actors of the Russian government were needed to conduct a false-flag attack simply to demonstrate discontent with the IOC.  Simply put, a false-flag operation is one in which an attacker tries to make their actions look as if they were the work of another known attacker.  In cyberspace such an endeavor is simple to achieve, especially when the tactics, techniques, and procedures (TTPs) – which often include methods of operation, malware, and command-and-control architecture – are published for global consumption as Indicators of Compromise.  In this instance, the attack blended the TTPs and digital fingerprints of threat actors connected to North Korea, China, and Russia.
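The following is an added illustration, not part of the original post, of why blended indicators defeat indicator-based attribution: a toy scorer that weights each observed indicator type by how hard it is for another actor to borrow. Source IP addresses (trivially reused) earn little; operational tradecraft earns most. Actor names, indicator values and weights are constructed placeholders, not data about any real group.

```python
"""Toy attribution scorer: weighted overlap of observed indicators with actor profiles.

Everything below (actor names, indicator values, weights, thresholds) is constructed
for illustration and does not describe any real threat actor or incident.
"""
from collections import defaultdict

# Confidence a match of each indicator type earns. Published or easily reusable
# indicators weigh little because any actor can reproduce them. Assumed values.
INDICATOR_WEIGHTS = {
    "source_ip": 0.1,
    "malware_family": 0.3,
    "c2_pattern": 0.3,
    "operational_tradecraft": 0.6,
}

# Constructed actor profiles: indicator type -> set of known indicator values.
ACTOR_PROFILES = {
    "ACTOR-A": {
        "source_ip": {"203.0.113.10", "203.0.113.11"},
        "malware_family": {"FAMILY-A"},
        "c2_pattern": {"c2-pattern-a"},
        "operational_tradecraft": {"tradecraft-a"},
    },
    "ACTOR-B": {
        "source_ip": {"198.51.100.20"},
        "malware_family": {"FAMILY-B"},
        "c2_pattern": {"c2-pattern-b"},
        "operational_tradecraft": {"tradecraft-b"},
    },
    "ACTOR-C": {
        "source_ip": {"192.0.2.30"},
        "malware_family": {"FAMILY-C"},
        "c2_pattern": {"c2-pattern-c"},
        "operational_tradecraft": {"tradecraft-c"},
    },
}


def score_candidates(observed, profiles=ACTOR_PROFILES, weights=INDICATOR_WEIGHTS):
    """Return {actor: score in [0, 1]}.

    The score is the weight of observed indicators matching the actor's profile,
    divided by the total weight available across all indicator types, so a
    lone borrowed IP address can never produce a confident match on its own.
    """
    max_possible = sum(weights.values())
    matched = defaultdict(float)
    for actor, profile in profiles.items():
        for itype, value in observed:
            if value in profile.get(itype, ()):
                matched[actor] += weights[itype]
    return {actor: round(matched[actor] / max_possible, 3) for actor in profiles}


def assess(observed, min_score=0.5, min_margin=0.2):
    """Name the best-matching actor, or 'ambiguous' when evidence is thin or
    split across several actors, which is exactly what a blended false-flag yields."""
    scores = score_candidates(observed)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    (top, top_score), (_, runner_up) = ranked[0], ranked[1]
    if top_score < min_score or top_score - runner_up < min_margin:
        return "ambiguous", scores
    return top, scores


# Constructed observations (indicator type, value) for three situations.
CLEAN_CASE = [  # every indicator consistent with one actor
    ("source_ip", "203.0.113.10"),
    ("malware_family", "FAMILY-A"),
    ("c2_pattern", "c2-pattern-a"),
    ("operational_tradecraft", "tradecraft-a"),
]
BLENDED_CASE = [  # IP and C2 borrowed from B, malware from C, tradecraft from A
    ("source_ip", "198.51.100.20"),
    ("malware_family", "FAMILY-C"),
    ("c2_pattern", "c2-pattern-b"),
    ("operational_tradecraft", "tradecraft-a"),
]
IP_ONLY_CASE = [("source_ip", "198.51.100.20")]  # nothing but a reusable address

if __name__ == "__main__":
    for name, case in [("clean", CLEAN_CASE), ("blended", BLENDED_CASE), ("ip-only", IP_ONLY_CASE)]:
        verdict, scores = assess(case)
        print(f"{name:8s} -> {verdict:10s} {scores}")
```

The clean case attributes to ACTOR-A with full confidence; the blended case spreads weight across all three profiles and comes back ambiguous; the IP-only case is ambiguous because an address alone is worth too little. The thresholds are arbitrary, but the structure is the point: an analyst who scores by indicator count rather than by how hard each indicator is to fake will be led wherever the attacker chooses.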

Cyber proxies such as non-state hacker groups are perfect agents for states wanting to send a signal to a government without committing their own resources.  There is a level – albeit shallow – of plausible deniability that an aggressor state can claim while still intimating to the victim its tacit involvement in the attack.  Russia has at its disposal a capable cyber criminal underground, as well as nationalistic youth groups, that could have achieved a similar effect.  This was evidenced in 2007, when one such group claimed responsibility for the cyber attacks against Estonia over the removal of a Soviet war memorial.

The use of state actors to commit the cyber equivalent of a tantrum raises eyebrows.  According to one source, the Russian state hackers behind this attack were the same ones that have been engaged in cyber attacks against Ukraine.  Making a public statement doesn’t seem the type of operation an elite unit would be called upon to execute.

So why the false-flag?  There are a few possibilities.  One, Russia wanted to test using the TTPs of other nations in an operation to gauge how defenders would reach their findings.  Two, Russia may have “signaled” to nations like the United States – and to the private sector companies following its alleged activities – that it would be implementing false-flags in future operations, essentially rendering technical indicators and digital forensic analysis useless for attribution.  Three, maybe the cyber attack achieved another objective in addition to expressing anger.  Did another attack, perhaps more surreptitious, occur simultaneously against another target while all eyes were focused on this one?

Russia’s cyber operations (including cyber attacks) have been described as anything from sloppy to among the most advanced in the world.  Perhaps the question that should be asked is why Russia wanted a “false flag” operation to be so easily attributed.

Perhaps the answer is the simplest one: that it was just the easiest path to take.  And in a world where there is no international consensus on state behavior in cyberspace, the landscape favors the attackers until the defenders figure out how to respond to them with enough conviction to alter attacker behavior.  No one looks to have that answer.

This is a guest post written by Emilio Iasiello