A sign with information about the Winter Olympic Games 2018 in Pyeongchang where the world's first 5G mobile internet will be launched. (Photo: Scharfsinn/

Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Imagine you’re at the 2018 Pyeongchang Olympics in South Korea, at a stadium with thousands of other people. You want to log onto social media to share the exciting experience with your friends at home, so you go to connect to the stadium’s WiFi. You see two public WiFi options with the same name—one with a strong signal and another with a weaker signal. There’s a good chance you’d prefer to use the stronger signal available. But this is what cybercriminals will be depending on in the coming weeks, as large crowds of potential victims, bringing thousands of mobile and internet of things (IoT) devices along with them, flock to this year’s Winter Games.

Large events such as the Olympics give hackers a good opportunity to set up rogue access points and gain access to hundreds or thousands of unsecured devices, as the sheer volume of the stadium’s traffic weighs down and slows the genuine networks available. But this is just one example of the many potential attacks that could strike in Pyeongchang in the coming weeks. Anticipated threats range from financially-motivated data stealing to politically-motivated hacktivism, as all eyes are on South Korea amidst a menagerie of political tensions.

Big Crowds Bring Crimes of Opportunity

Rogue internet access points are one example of an attack technique that could be used to take advantage of the large crowds coming to Pyeongchang for the 2018 Olympic Games. (Credit: Radware)

The scenario described in the opening paragraph is just one possible cybersecurity risk identified by Radware’s Emergency Response Team (ERT) and Threat Research team in an alert last week, ahead of tomorrow’s opening ceremony.

“The first thing that we’re going to see at the Olympics this year is the first broad-scale deploy of the 5G network, and along with all these networks come new IoT devices, routers—devices that can be easily compromised,” explained Daniel Smith, security researcher at Radware, in an interview with Forensic Magazine. As Smith explains in his blog post about the Olympic threats, this more advanced network will better enable new audience experiences like augmented reality, streaming and the use of wearables—but will also allow hackers to take advantage of large numbers of unsecured IoT devices, and additional risks that come with a many users all using the same network.

“(Hackers) can run man-in-the-middle attacks where they can intercept information from the users on that network, or they could attempt to compromise the devices themselves and create a botnet used to launch a denial-of-service attack,” Smith continued. “I think the criminals are going to be more focused on a financial profit.”

These opportunistic, greed-motivated attacks are a major focus of Radware’s alert, which also notes that ATM skimmers may target points of sale around Pyeongchang, that fake websites offering free tickets to Olympic events could contain malicious downloads and that fake charging stations could steal information from users’ mobile devices. Smith noted that data phished or intercepted from targets could likely be sold on the darknet for a profit. The United States Computer Emergency Readiness Team put out a notice last week for those travelling to the games, suggesting that users avoid using public or unsecured WiFi connections, that they use strong PINS and passwords, update their mobile software and switch off WiFi when they’re not using it.

But financially-motivated attacks on crowds of spectators are not the only cyber threats to come out of the 2018 Olympic Games.

Potential Nation-State Attack Targets Olympics Infrastructure

One cyber threat, targeting a number of those involved in sponsoring, supporting or providing infrastructure for this year’s Olympic Games, was identified in January by McAfee’s Advanced Threat Research team. One member of that team, senior researcher at McAfee Ryan Sherstobitoff, told Forensic Magazine that this specifically targeted attack, first propagated through email, appears to seek information about Olympics-related organizations and shows signs of originating from a nation-state actor.

“The objective and aim of this campaign is to understand the direction, planning and operation involved with the Pyeongchang Olympics,” Sherstobitoff said. McAfee researchers studied this threat in-depth when it was first reported in early January, and identified two phases of the attack already underway. “What we see from our observations is that because of the sophistication, the complexity, the ability to adapt and use new techniques, this most likely has the hallmarks of a nation-state.”

In the first phase of the attack, which first appeared on Dec. 22, 2017, someone posing as a representative from the National Counter-Terrorism Center (NCTC) in South Korea sent an email to 333 organizations involved in the Olympics. This spearphishing attack used the appearance of a legitimate sender—and the fact that the NCTC was running drills to prepare for the Olympics at the time—to trick victims into opening the email.

The email contained a Korean-language Word document that, when opened, would ask the user to “Enable Content” to view the full document. Doing so would launch a script, through Microsoft’s automated PowerShell framework, that would then download and read a hidden image file from another server—the image file contained an additional hidden script that created a backdoor between the victim’s device and the attacker’s server. This method of hiding malicious code in a hidden image is an example of a cyberattack technique called steganography.

The malicious document with instructions to enable content. (Credit: McAfee)
The enable content message. (Credit: McAfee)

McAfee researchers later discovered a second phase of the attack, which they unveiled last week and dubbed Gold Dragon. Gold Dragon is the implant that comes from the malicious Word document the victims received in early January, and the researchers discovered that the implant remains on the victim’s system, gathering specific information that the attacker could later use to launch a more advanced attack. This includes usernames, domains, machine names and network configurations.

Sherstobitoff said it is yet to be seen whether a “phase three” is in the works, and when it may strike.

“Depending on what the actor’s intent is, it can either be destructive, it can either be data stealing and exposing and holding things for ransom. There are so many different avenues that, if you have an implant on a network, you can launch anything at that time depending on the circumstances,” he explained. "Whatever nation-state doesn't feel that it's going in their favor, they can destroy something by installing an implant, or doing something further with that, or leak a bunch of information to the media or to an open source that would damage or embarass individuals involved, or organizations."

Although the attack cannot be pinned on any specific nation as of yet, a tense political climate means many potential motives at play.

“This (Olympic Games) is actually uniquely different because of the regional tensions on the Korean peninsula (…) North Korea is actually appearing there and there’s other kind of intricacies between Russia and the Olympics committee (regarding doping controversies), so this one’s really unique because this one’s a political battleground,” Sherstobitoff concluded.

A spokesperson for the International Olympic Committee responded to a Forensic Magazine inquiry saying “Cyber security is a top priority at the Olympic Games” but that the committee “will not discuss details in public.”