March 20, 2020

Article at Washington Post

View original

Suspected Russian hackers struck the last Olympics. Tokyo worries it could be next.

The Olympic flame arrived in Japan on Friday at the Matsushima Air Base in Higashimatsushima. The Summer Olympics are scheduled to begin in late July. (Eugene Hoshiko/AP)

MOSCOW — As the Opening Ceremony at the 2018 Winter Olympics in South Korea was starting, an unusually high number of empty seats remained. Many who planned to attend in PyeongChang were unable to print their tickets.

A malware infection had caused disruptions to the Internet, broadcast systems and the Olympics website — a crippling hack that remains unpunished even as the next Games approach.

The fate of the Tokyo Olympics, scheduled to begin in late July, remains in question amid the coronavirus pandemic. The Olympic flame arrived from Greece on Friday. But for cybersecurity experts, the date of the next Olympiad is less important than whether they have learned the lessons from the last one.

The main takeaway: Suspected state-backed Russian hackers could be ready for another run at the Games.


No government has made public direct digital evidence pointing to Russia for the PyeongChang hacks. Russian officials have made no public comments on the allegations.

But analysts and others assert that the PyeongChang hacks fit a pattern of revenge for Russia’s ban from the Games, including the upcoming Tokyo Olympics, because of a state-sponsored doping scandal that has left Russia on the sidelines of international competitions.

The cybersecurity firm FireEye and U.S. intelligence officials, speaking on the condition of anonymity to discuss sensitive investigations, have tied the PyeongChang cyberattacks to Russia’s military intelligence service, known as the GRU.

The group has been accused by Western intelligence agencies and others of covert acts such as hacking into Democratic National Committee emails in 2016, crashing part of Ukraine’s electrical grid in 2016 and scrambling government websites in Georgia last year.


Two years ago, the GRU was named in a U.S. indictment for alleged hacking into doping databases during the 2016 Summer Games in Rio de Janeiro.

“There's a strong chance that we're going to see the same incident again [in Tokyo],” said John Hultquist, the director of intelligence analysis at FireEye. “Russia is obviously not going to have learned their lesson because nobody even bothered to blame them.”

The Tokyo Olympics will have to safeguard 100 different systems, said Akira Saka, chief information security officer for the event. Organizers have already faced some cyberattacks. During a ticket lottery in September for Japanese citizens, 6,900 tickets were purchased through fake IDs. Those tickets have since been voided.

“There are vulnerabilities that are known, but there are also vulnerabilities that are not evident,” Saka said. “So we’ve been sharing all sorts of information on this with related parties and government offices and Olympics-related agencies and service providers.”


Attempts to hack the Olympics are not new. The 2012 London Games faced an estimated 165 million hacking attempts, the event’s chief information officer said at a cybersecurity conference in 2013, adding that most were trivial.

But cyberattacks at the past two Olympics appeared to be motivated by the International Olympic Committee’s sanctions on Russia.

According to the U.S. indictment, two Russian spies took separate trips to Rio and targeted the routers for wireless Internet access at a hotel chain where anti-doping officials were staying. The hackers used that breach to post private information about noteworthy U.S. athletes, including tennis stars Serena and Venus Williams, four-time gymnastics gold medalist Simone Biles, and women’s basketball standout Elena Delle Donne.

“A new level of despicable action,” said Travis Tygart, the chief executive of the U.S. Anti-Doping Agency, one of the groups targeted.


Tygart added that he is disappointed that the IOC has not condemned Russia for the incident. He also unsuccessfully pushed for a possible agreement: reinstatement of Russia if cyberattacks stop.

Reached for comment, the IOC responded that “maintaining secure operations is our focus, and in line with best practices for cybersecurity, we cannot comment on our policies.”

Microsoft announced in October that Russian hackers linked to the GRU again targeted at least 16 international sporting and anti-doping organizations, just before the World Anti-Doping Agency announced that Russia faced another Olympics ban for attempting to mislead its investigators.

“The pattern is repeating already in some sense,” said Andy Greenberg, author of “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.”


“These hacking and leaking operations preceded the 2018 direct sabotage of the Olympics. And maybe they're now a harbinger of a repeat of that sabotage operation, too,” he said.

Two wings of GRU hackers — Unit 26165 and Unit 74455 — have been identified by U.S. prosecutors as key branches of Moscow’s cyber corps. Unit 26165, often referred to as Fancy Bear or APT28, was tied to the hacking of the Democratic National Committee, while Unit 74455, or Sandworm, worked in a support role, creating fictitious personas online to release the stolen data, Hultquist said.

But Unit 74455 also has a reputation for large-scale disruptive attacks, including two in Ukraine that disrupted the electricity grid and caused people to lose power for hours. It is also the unit FireEye has tied to the 2018 Olympics hack.


Perhaps more sophisticated than the attack itself was the degree of deception — “false flags” planted in the code to make it look like North Korea was behind it.

Craig Williams, a senior technical leader at Cisco’s Talos threat intelligence division, believes the nature of the hack his team named “Olympic Destroyer” during the 2018 Winter Games was in part a response to Western intelligence agencies calling out Russia for the 2017 NotPetya cyberattack in Ukraine — considered one of the most costly cyberattacks in history.

The malware that hit the PyeongChang Olympics was riddled with the digital equivalent of fake signatures on a document, he said, designed so attribution would be especially difficult.

Talos stopped short of accusing Russia for “Olympic Destroyer,” but pointed out there were similarities between that hack and two others governments have already tied to the GRU.


“It's not uncommon with cyberattacks for no one to take credit for them, but this was one for which it seems like the only real point of it would be to send a message to the Olympics that if you ban us, if you continue to investigate us for doping, then you'll pay a price,” Greenberg said.

Japan is considered a top-10 country for cybersecurity, according to a recent study by British security company Comparitech. Saka, the chief information security officer for the Tokyo Games, said he has been in contact with previous Olympics organizers to improve defensive measures.

But “those organizations were under assault by a Russian intelligence service who had a lot of practice in carrying out these sorts of activities,” Hultquist said.

“I could hardly blame anybody who gets overwhelmed by them,” he added. “They’re serious actors who are very good at what they do.”