Details of the Olympic Destroyer APT

Interesting details on Olympic Destroyer, the nation-state cyberattack against the 2018 Winter Olympic Games in South Korea. Wired's Andy Greenberg presents evidence that the perpetrator was Russia, and not North Korea or China.

EDITED TO ADD (11/13): Attribution to Russia is not new.

Posted on October 21, 2019 at 6:23 AM • 22 Comments

Comments

Dana Priest • October 21, 2019 10:08 AM

"The Most Deceptive Hack in History"

Already the author has employed ridiculous and subjective hyperbole. It brings into question everything else that follows under the guise of luring eyeballs for ad $$$

Andy Greenberg has no shame

Jack • October 21, 2019 12:12 PM

I stopped reading at "..create a secure network".
I'm certain Putin can break Twofish while he sleeps.

Clive Robinson • October 21, 2019 3:40 PM

The problem is still twofold,

1, The mainly US Corporate produced software is way too easy to hack.

2, Attribution is still way too difficult, and does not provide evidence you can take to court.

As for the rest, well, some people on this blog have been warning about the relative ease with which a "false flag" attack can be mounted, whilst also warning about how hard OpSec can be for those not sufficiently versed in all its levels.

If you read the piece carefully and accept that what you are being told is accurate (which it might not be), then the Russians got caught because of lack of segregation at the lowest levels. They made the classic mistake of "re-use".

One way to avoid this, as @Nick P would almost certainly have pointed out, would be "clean room" / "Chinese Wall" techniques. It appears that the Russians did use such techniques at higher levels, but then failed at the lower layers.

I suspect, as with quite a few such failings by criminals, governments, and corporations alike, it's the "bean counter" mentality.

That is, why throw away what you have used in one operation and have to make the same expenditure again, when it's cheaper to "reuse"...

Some may know about a previous Russian failure in this regard that gave rise to the US/UK investigation of over a third of a century, publicly called VENONA,

https://en.wikipedia.org/wiki/Venona_project

The lessons are out there to learn from, but for some reason those in the ICTSec field of endeavour apparently don't learn from previous mistakes, no matter how dearly they cost the first, second or even third time around...

Ike • October 21, 2019 4:24 PM

I expect someone of Bruce's caliber in cyber security to not encourage this anti-Russian feeling / movement. Anyone with some background in network forensics should know by now that attribution in cyber space is almost impossible. Anyone with access to stolen certificates embedded in an executable, or with access to adversary source & infrastructure, can make attribution obsolete. In fact if an attack is obviously pointing to some nation-state backing then this is a sign that should make us skeptical. A professional attacker can make an attack be attributable to anyone he wants.

SpaceLifeForm • October 21, 2019 6:11 PM

"A professional attacker can make an attack be attributable to anyone he wants."

This.

I keep telling people this for many years, but it keeps falling on deaf ears. Especially folk that have worked for us gubmint.

They just do not want to think about the implications.

They do not want to comprehend the 'attribution is hard' angle, because they do not want to acknowledge that what they think/learned is false.

Clive Robinson • October 21, 2019 7:26 PM

@ SpaceLifeForm,

    They just do not want to think about the implications.

Like you, it's a point I have made, that appears to have fallen on deaf ears.

But then I remember the old saw about,

    It is hard to make a man acknowledge that, which his salary depends on him not acknowledging.

Or similar phrasing.

We know due to --supposedly-- accidental "loss" that US IC tools for creating "false flag" attacks exist and obviously had done for quite some time before the "accidental loss". Likewise there was the UK GCHQ "fairy cake recipe" incident some time before that.

Thus the two senior partners in the Five-Eyes arrangement had both indicated fairly clearly they were both more than cognizant of "False Flag" attacks. But more importantly they themselves had been carrying them out for quite some time.

Thus they brought their own agencies into disrepute and actively encouraged hypocrisy in their own Government political statements and actions (think about the "going kinetic" statements).

The result is that any attribution by the US Gov during the Obama administration, if not earlier, and through to today is entirely suspect, a point I've repeatedly made about the lack of supporting evidence behind such claims (even the Robert Mueller nonsense provides zero actual evidence, it does not even qualify as "hearsay" and frankly is plain embarrassing).

The problem we are left with is the old "chicken and egg" argument, in effect about who started it. As presented so far it appears the US did, by several years. Thus the US may well have actually created "China APT" attacks against its own citizens and corporations.

For some reason it's a conversation many want to "skate around", or if you prefer "fail to acknowledge".

Personally I think, to quote a saw @Bruce once used, "Sunlight is the best antiseptic", that is, the best option is to drag it all into the light of day. Because I would rather a "verbal slagging match" between diplomats in private and occasionally politicians in public, than "lock, load, aim and fire at will". Which could easily escalate into another near pyrrhic victory proxy war or from there into the equivalent of a third world war...

Winter • October 22, 2019 5:05 AM

"A professional attacker can make an attack be attributable to anyone he wants."

That holds for all crimes in one way or another. The courts do have procedures for dealing with that.

But for false flag operations, what we are told time and again holds:
Security is hard, very hard.

A nice quote from an old TV show (Columbo):
Everybody makes mistakes. That's why the jails are all filled up.

Dan • October 22, 2019 6:12 AM

As Dana Priest said in the first comment of this blog, the writer, Andy Greenberg, has no shame.

A lot of hyperbole and exaggeration. Nothing in his reporting is new. It's just FUD for the sake of selling his latest book.

Here's just one of the many 2018 reports on the matter, which explained it pretty clearly at the time that this was Russia: https://www.theregister.co.uk/2018/03/08/analysis_suggests_north_korea_not_behind_olympic_destroyer_malware_attack/

Greenberg and Wired have recently devolved into a website that exaggerates every topic they cover. They ignore previous reports and try to pass everything as their own investigations, often ignoring more authoritative sources just for the sake of clicks.

gordo • October 22, 2019 6:45 AM

@ Clive Robinson,

    The problem we are left with is the old "chicken and egg" argument, in effect about who started it.

Yes, the "sources and methods must be protected" line opens up to attribution claims with little-to-no hard evidence and, in low-to-zero-trust environments, lends itself to brinksmanship, circular reasoning, pissing contests and herd mentalities; that is, in the current American milieu, memetically speaking, "the Russians did it" casts its pall on all things rendered even remotely politically suspect.

Petre Peter • October 22, 2019 6:53 AM

Front facing camera should make attribution easier in the future--just look into the camera every time you click submit. Nation-states attacking Olympic games...it was done before.

Clive Robinson • October 22, 2019 9:25 AM

@ Petre Peter,

    Front facing camera should make attribution easier in the future

It did work for the Dutch and Israeli SigInt agencies, and was just about the closest thing possible to "getting HumInt across the wire".

@ ALL,

We know this because US politicians and their sidekicks flapped their gums to any journalist who would listen and "burnt" the Dutch and Israeli "methods and sources".

This was by no means the first time the US political structure and its hangers-on have "burnt" other allied nations' "methods", and I very much doubt it will be the last time.

There are two points to note from this,

1, How long before US allies decide that the US is no longer really a trustworthy entity with secrets?

2, Why do the US politicos think it's OK for them to spill secrets to journalists with impunity but not for anyone else?

I guess the old "Jacob Marley" spectre arises, and will Uncle Scrooge take the hint of the third spirit and mend his ways?

Think • October 22, 2019 6:33 PM

Attribution is going to be a very large topic of discussion with Deepfakes as ML and A/I come into maturity. You could be placed in any place at anytime right smack in the middle of a crime or civil disobedience that would take a lot of time and effort to dispute on your part.

On the surface, one might think that Sousveillance would be a solution - but even that will be something you or others will be able to fake yourself on near future computers and software. TikTok anyone?

https://futurism.com/the-byte/tiktok-facial-recognition

Those not familiar with sousveillance taken to extremes can see this man's story here:

https://en.m.wikipedia.org/wiki/Hasan_M._Elahi

Will the future require us to use a mirrored mask or transparent LCD like cuttlefish 'skin' to protect our identities? One day you'll be able to dial a face that you want, every day something different.

A little squid blogging here:

http://www.chemistryislife.com/the-chemistry-of-biological-camouflage

Nature has shown that this type of defense is very effective against stronger or more powerful predators. Something to learn here?

Low tech solutions available to help thwart facial recognition.

https://thenextweb.com/artificial-intelligence/2016/11/02/facial-recognition-still-cant-beat-a-22-cent-pair-of-sunglasses/

https://www.hackread.com/meet-irpair-anti-facial-recognition-glasses/

One can’t be so conspicuous at hiding one’s face as this, can one? You are immediately thought of as evil.

http://vignette2.wikia.nocookie.net/villainstournament/images/1/1b/Anubis1.jpg/revision/latest?cb=20150104041928

Humorous aside - Biology has solved the chicken / egg conundrum millions of years ago. There were eggs long before chickens.

Clive Robinson • October 23, 2019 7:06 AM

@ Think,

    ... but even that will be something you or others will be able to fake yourself on near future computers and software.

Whilst technology is agnostic to use, it being the directing mind that controls it and the minds of the observers that decide "good or bad" there is a cost/time element.

When a new technology is developed very few have access to it, basically just the researchers/developers. Thus the proof of concept device has a very high resource cost in terms of cost/time. Obviously this halves with the second prototype etc.

In theory[1] the cost will drop to a point where production is optimised at a minimum point and thus eventually everyone will be able to acquire the technology if they so wish.

But this does not happen overnight, even when there are no incentives to keep the price artificially high (of which there are many). Thus a technology will take time to become anything but niche.

Thus the advantage of new technology, especially in surveillance, is it starts with those who can do most harm, and only after a considerable time period can others get access to "rebalance the field". For some at the bottom end of the socioeconomic curve, they will never be able to afford to rebalance the field.

It is apparent in many places that have higher than average incarceration rates that it is those on the bottom of the socioeconomic curve that significantly disproportionately bear the burden of such systems.

Whilst many would argue other reasons for this imbalance in justice, the point remains that law enforcement and the judiciary are repeatedly found to be biased in increasing this imbalance.

Giving them leading edge technology obviously will cause further imbalance in the direction of being prejudicially used against those who cannot afford to employ similar technology to defend themselves.

[1] I dislike using the term theory with economic related activities; "general observation trends" might be better. But the idea is that in an open/free market the cost of production will get driven down to meet the price/demand observation. Anyone who has had anything to do with markets knows that they are basically not open/free and a lot of things have been "assumed away". So treat with caution ;-)

A Nonny Bunny • October 25, 2019 2:33 PM

@Winter

    A nice quote from an old TV show (Columbo):
    Everybody makes mistakes. That's why the jails are all filled up.

So true. In both ways of reading it.

@Ike

    A professional attacker can make an attack be attributable to anyone he wants.

professional != flawless

@SpaceLifeForm

    They do not want to comprehend the 'attribution is hard' angle [..]

hard != impossible

@self
inequality != argument
:p

Clive Robinson • October 25, 2019 5:48 PM

@ A Nonny Bunny,

    hard != impossible

But can it pass the burden of proof "beyond reasonable doubt"?

Not in most cases, and that's the problem.

The US might hand down indictments against foreign nationals, but actually they are little more than publicity stunts to support a political position. It might be a crowd pleaser for some in the US, but elsewhere it's seen for the hypocrisy it is.

Look at it this way: to get proof positive you would have to see every point along the way between the alleged attacker and the victim, whilst also proving the traffic did not come in from any other point or method.

To get this proof you would have to have "god mode" on every machine and node from the attacker to the victim.

If you have "god mode" on every machine and node you have already committed a multitude of crimes, thus the "fruit of the poisoned vine" comes into play.

Further you would have to prove the near impossible of not only nothing being hidden from you on every machine and node but also that you did not hide anything on any machine or node. Further you would also have to admit to tampering with evidence.

Realistically it's not a game you would want to play in court as a prosecutor, for several reasons. Firstly it starts with a prosecution witness admitting they were engaged in a criminal activity, potentially a war crime, then it goes downhill from there with the admission of tampering with evidence, then further as the defence start pushing for "methods and sources" which you would not want to reveal...

But at the end of the day of all the experts I know, not one of them would stand up in a court and say there was no possibility a third party was not involved. Thus the burden of proof "beyond reasonable doubt" can not be met, because there is "reasonable doubt".

If you want reasons why that is, how about Intel's "super secret ring -3 ME" and those hardware problems of Spectre and Meltdown. It takes no great brains to work out that such hidden designs and the mistakes that gave us those in-chip hardware faults are in reality the only ones. Thus the question arises of what you know and what somebody else knows, and you cannot rule out that somebody knows more than you do, at which point it's game over. Because if they know more than you do they can hide things from you and you will not know it.

You have to accept that when it comes to computers there are, beyond what you can physically reach, no independent or detached observers. As Werner Heisenberg realised one cold December night whilst walking in the park, an observer measures, and the process of measuring has an effect on what is being measured. We call this the "observer effect", and Heisenberg took it further to give us the "uncertainty principle". The same applies to a computer that is remote from you: the process of observing its outputs not only can affect the computer, it cannot tell you if there are any other inputs you cannot see. The only way to attempt that is to climb inside the computer and use the computer to tell you its state. Only it cannot do that, because a few years after Heisenberg took his walk, Kurt Gödel realised there was a fundamental problem with logic and thus not just mathematics but the yet to be invented computer. Put overly simply, a computer can only tell you what it is told to tell you by what is in its memory. If somebody tells the computer to tell you something else then it will, and there is nothing you can do about it. The likes of Intel's Management Engine at ring -3 just makes it all the more obvious.

It's why HumInt, not SigInt or ElInt, is the way you have to go in the attribution game, just as it is with ordinary crime. And HumInt brings in a whole host of issues in its own right...

MarkH • October 25, 2019 7:56 PM

@A Nonny Bunny:

A most elegant comment, and also spot-on.

@Clive:

1. To my knowledge, the "reasonable doubt" standard is not upheld outside of criminal courts in certain countries. You've made it crystal clear over the years that you want -- even insist! -- that it be applied in other domains, including security relations between states.

It's never been that way, and I don't visualize a path by which states could be persuaded to accept such a standard.

2. In most countries, there's no agreed explicit standard as to what constitutes reasonable doubt in criminal proceedings. In practice, it comes down to subjective interpretation by individual jurors.

3. In the U.S. at least, the known possibility of error does NOT necessarily give rise to reasonable doubt. Jury verdicts are not proofs of theorems from Euclid's Elements. Juries sometimes convict on the basis of forensic evidence with an attested probability of error, in combination with evidence of motivation and seemingly related conduct by the defendant.

In the Real World™, all decisions and actions are necessarily based on conclusions from which the possibility of error can never be eliminated.

- • October 26, 2019 3:03 AM

@ Moderator,

The above from "stella leon" is at best a badly worded thinly disguised "pay to cheat on your coursework" service[1].

Which makes it unsolicited service advertising.

[1] Judging by that short snippet of writing, anyone using the service would be better off just burning money instead. At least it would save them the time to do their coursework themselves, which is what they are probably going to have to do anyway.

Clive Robinson • October 27, 2019 5:48 PM

@ MarkH,

    To my knowledge, the "reasonable doubt" standard is not upheld outside of criminal courts in certain countries. You've made it crystal clear over the years that you want -- even insist! -- that it be applied in other domains, including security relations between states.

The reason for "beyond reasonable doubt" is an old one, and is about the killing of people.

Most religions claim that killing people is a serious sin against the teachings of that religion handed down from the deity. To go against such teachings required that there be no error in judgment. As unlike a person's liberty, their life once taken cannot be restored.

What you and many others forget is that the US Government has claimed the right to take kinetic action against those it believes have committed cyber-crimes against the US. That is, crimes which if committed in person would in no way attract the death penalty, because they are done from outside the US jurisdiction, now automatically become death sentences, not just for the alleged perpetrators but for any and all around them who get written off as "collateral damage".

For some reason you apparently think this is OK, even though as has been repeatedly shown attribution of cyber-crimes can be easily incorrect.

Well I think that if you are going to take anyones life you had better have a very high degree of certainty for two reasons,

1, Because taking someones life on what is almost a whim is immoral beyond belief.

2, Because such actions as history has shown over and over lead to revenge behaviour.

As we are finding out, "revenge" is often indiscriminate in its targets. Which means other innocents get killed, and this is how blood feuds start, which can and have gone on for centuries.

Just remember the saying about revenge,

    First dig two graves

Thus every time the US kill someone abroad, they are in effect also signing the death warrant for some US citizen in the future. You don't know who, but it's almost certain they will have family and loved ones who will want to know why...

That's why I ask for the standard set by English Criminal Courts of "Beyond Reasonable Doubt" and not "show trial justice" of venal politicians, tyrants and despots like say Stalin.

If you had not noticed, the US legal system is by and large based on the English legal system, something the Founding Fathers were well practiced in. Thus the US Government even today should be more than cognizant of the reasoning, even if it's no longer taught in civics classes.

MarkH • October 27, 2019 7:47 PM

@Clive:

I once met a very clever engineer who had worked out in great detail how much better the "mainland" of the U.S. 48 contiguous states would be, if the major mountain ranges ran East-West instead of (approximately) North-South. He explained that the climate would be far better, with greatly improved distribution of rainfall and a huge expansion of potential agricultural output.

Well, the mountain ranges are where they are. I don't know any practical way to relocate them.

One can engage in limitless mental auto-eroticism about how the world's governments should operate, yielding any number of proposals which have less than 0.1% likelihood of adoption within the next quarter century.

I have my own list of ideas for reform, which to my sorrow are probably never going to happen. I think many of them would be an easier sell than getting any state to agree that it cannot respond to what it judges to be an attack without meeting a courtroom standard.

Either it's politically feasible, or it's pie-in-the-sky fantasy.
__________________________________

Israel launched the famous "six day war" on the basis of an intelligence conclusion that its neighbors were about to launch an attack.

Was the conclusion correct? Personally, I suppose that it likely was.

Would it have met the standard of "beyond reasonable doubt?" I suppose that it perhaps would not have.

Do you think you can get any government of Israel to absolutely constrain itself from using deadly force, except in cases where the evidence would persuade an impartial jury?

If you have the power to do so, you've completely wasted your life working in technology.
__________________________________

Let's take the proposal seriously for a few minutes. As you quite properly observe, "beyond a reasonable doubt" is an artefact of the common law tradition which originated in England.

"Doubt" is a cognitive (and, I suggest, also emotional) condition which presupposes a doubter. In the common law system, the (potential) doubters are usually (if not always) members of a jury. As I pointed out above, "beyond a reasonable doubt" is, in practice, not equivalent to absolute certainty, but rather a subjective -- usually very highly subjective -- judgment.

Further, the common law principles call for a jury composed of the peers of the accused, giving rise to the quaint UK tradition that Lords accused of crime have been able to demand that they be tried only by fellow Lords.

In the case of a state contemplating response to an attack attributed to another state, the "defendant" is that suspect state. Would its case be tried by a jury of fellow states? Who would empanel such a jury? How could their impartiality be assured? There's no such thing as a state that never before heard of any of the other states, and is presumably capable of deciding without prejudice or other bias.
__________________________________

It isn't my intention to "change your mind" about any of this.

From time to time, discussions in these comments give rise to proposals which have a realistic potential to be turned into action. Who knows, maybe ideas for feasible solutions to existing problems developed here might contribute a little to some greater good!

Clive Robinson • October 27, 2019 9:22 PM

@ MarkH,

    Well, the mountain ranges are where they are. I don't know any practical way to relocate them.
    One can engage in limitless mental auto-eroticism
    Israel launched the famous "six day war" on the basis of an intelligence conclusion that its neighbors
    Either it's politically feasible, or it's pie-in-the-sky fantasy.

Back to your old behaviours again.

You asked a question, I answered it politely and reasonably; you however spring off into irrelevances and insults, and made an argument that is factually incorrect, and easily shown as such.

This is the third time I've asked you to refrain from such behaviours, but no, you insist on returning to them. What it is inside you that makes you feel the urge to do so I have no idea. Frankly I have no wish to know, it is obviously something deeply unpleasant, and I will let others draw their own conclusions.

This conversation is due to your unreasonable behaviour closed as far as I am concerned and I suggest you take note of that.

Sancho_P • October 28, 2019 8:50 AM

@MarkH

Crying wolf without evidence is immoral.
Falling for propaganda isn’t much better.
Doubt is what keeps us curious.

So, if I find dogshit on my yard I will friendly ask my neighbor.
And I’m sure at first we’ll have a coffee together.
We both love to live in peace.
