Olympic Destroyer

the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).

The GRU’s malign cyber activities include deployment of the NotPetya and Olympic Destroyer malware; intrusions targeting the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency

Olympic Destroyer uses WMI to help propagate itself across a network.

Olympic Destroyer utilizes PsExec to help propagate itself across a network.

the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).

During malware development, adversaries may intentionally include indicators aligned with other known actors in order to mislead attribution by defenders.

Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.

Multiple actors and tools are described as using Mimikatz/Windows Credential Editor/LaZagne/ProcDump to “dump credentials,” often by targeting LSASS memory (e.g., “used Mimikatz to capture and use legitimate credentials,” “dumped the LSASS process memory using the MiniDump function,” “injecting itself into lsass.exe”).

Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.

Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.

Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.

Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.

Examples include 'Aquatic Panda used WMI for lateral movement in victim environments,' 'Deep Panda group is known to utilize WMI for lateral movement,' and 'Cinnamon Tempest has used Impacket for lateral movement via WMI.'

Olympic Destroyer attempts to copy itself to remote machines on the network.

On March 11, 2026, the MOIS-affiliated Handala Hack Team (also tracked as Void Manticore) executed a destructive wiper attack against U.S. medical technology company Stryker, abusing the company’s own Microsoft Intune MDM platform to push the payload.

Olympic Destroyer uses the API call ChangeServiceConfigW to disable all services on the affected system.

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.

The Olympic Destroyer malware caused issues during the Opening Ceremony, including taking down Wi-Fi networks, ticketing systems, and contributing to flickering broadcast infrastructure.

The Olympic Destroyer malware caused issues during the Opening Ceremony, including taking down Wi-Fi networks, ticketing systems, and contributing to flickering broadcast infrastructure.

Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.

Malware had repeatedly wiped the domain controllers rendering a lot of the network unusable.