OlympicDestroyer

OlympicDestroyer is a destructive self-propagating Windows network worm and wiper used in the 2018 Winter Olympics attack in Pyeongchang, South Korea. During the opening ceremony period, it disrupted Olympic-related IT systems including ticketing systems, wireless networks, internet connectivity, display systems, the Olympics website, and other operational services; reporting in the provided content also states it affected broadcast drone operations, compromised more than 300 systems, and required roughly 12 hours to restore affected systems. The malware also impacted organizations closely tied to the Games, including ski resort hotels, a ski resort automation software vendor, and Atos, with one ski resort automation server assessed as patient zero for the destructive outbreak timed shortly before the opening ceremony.

The main malware module is described as a network worm composed of multiple components: a legitimate PsExec tool from SysInternals, credential-stealing modules, and a wiper. It collected passwords from browsers and Windows credential storage, generated new copies of itself containing stolen credentials, and propagated laterally to accessible local network computers using PsExec, stolen credentials, and current user privileges. Investigators also observed manual lateral movement before worm deployment using PsExec, stolen credentials, Meterpreter, and PowerShell scriptlets.

Its destructive behavior focused on remote systems and shares. The wiper attempted to destroy files on remote network shares for about 60 minutes, then cleared Windows event logs, reset backups, deleted shadow copies, disabled recovery options and services, and rebooted systems into an unusable state. The malware reportedly did not use persistence, included protection against recurring reinfection, did not destroy local files, and did not wipe its own components.

The infection chain described in the content includes spearphishing activity observed from December 2017 onward using Winter Olympics-themed malicious Office documents. These documents used gibberish text to induce users to enable macros; when enabled, they launched cmd.exe and PowerShell to download additional PowerShell stages and backdoor victim systems. The spearphishing campaign targeted Olympic partner networks across government, enterprise, energy, semiconductor, transport, hospital, media, advertising, and resort sectors.

The content describes command-and-control and infrastructure linked to the operation, including an affected server in Pyeongchang communicating with an Argentinian C2 server over ports 443, 4443, 8080, 8081, 8443, and 8880; a suspicious domain microsoft******[.]com; and attacker management of infrastructure through a NordVPN exit IP in Norway. A weaponized Word document reportedly contained readable references to a NordVPN OpenVPN configuration file.

Attribution in the provided material is presented as contested and deliberately complicated by false-flag tradecraft. The malware is repeatedly characterized as a highly sophisticated false-flag operation designed to confuse attribution. The content notes conflicting apparent overlaps with NotPetya, BadRabbit, Chinese APTs, Sofacy, Lazarus/BlueNoroff, and Sandworm. Kaspersky is cited as concluding that Lazarus-linked artifacts, including a Rich header fingerprint, were deliberately forged. Other provided content states the operation was related to Sofacy, while another report attributes OlympicDestroyer to Sandworm. High-confidence characterization from the content is therefore that OlympicDestroyer was designed both to disrupt Olympic infrastructure and to complicate attribution.