In a recent development that recalls the infamous ‘Olympic Destroyer’ cyber attack from the 2018 Winter Olympics, the same group of hackers has emerged once again, this time targeting biological and chemical threat prevention laboratories across Europe and Ukraine, alongside several financial institutions in Russia. The malicious campaign reflects a continued focus on high-stakes organizations linked to public safety and biosecurity.
Initially, the Olympic Destroyer attack successfully disrupted the Winter Olympic Games in Pyeongchang, employing sophisticated malware designed to mislead security researchers into misattributing the attack to various nation-state actors, including North Korea, Russia, and China. The destructive malware left cybersecurity experts scrambling for answers, and within days, researchers began analyzing the incident in depth, leading to the discovery of deceptive tactics and false attribution artifacts.
A recent report from Kaspersky Labs reveals that this hacker group has persisted in its operations, targeting organizations that respond to biological and chemical risks in countries such as France, Germany, Switzerland, Ukraine, and Russia. Researchers noted that the tactics employed in this new round of attacks closely resemble those utilized in the original Olympic Destroyer incident. The group has been utilizing spear-phishing techniques to deliver weaponized documents to specific users within these organizations, mimicking communications from trusted contacts.
The spear-phishing emails carry attachments that, when opened, run macros designed to download and execute PowerShell scripts, an attack vector that maps to the MITRE ATT&CK framework under the "Initial Access" and "Execution" tactics. These scripts install a final payload that gives the attackers remote control over the compromised systems, underscoring the adversary's focus on persistence and privilege escalation.
Kaspersky's researchers have detailed the obfuscation techniques used to evade detection, drawing direct parallels to the original Olympic Destroyer malware. Specifically, the attackers relied on non-binary, script-based payloads rather than compiled executables to minimize their footprint and circumvent defenses that typically monitor binaries rather than script execution. The second-stage payload disables PowerShell script logging to further mask the group's activities, indicating a detailed understanding of the systems being targeted.
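The second-stage behaviour above, a payload switching off PowerShell script logging, is something defenders can alert on before the logging gap silences later activity. The following detection is an added example written for this piece, not code from Kaspersky's report; it assumes the payload disables logging by writing 0 to the documented Windows policy values (the report does not state the exact mechanism) and runs over a few constructed Sysmon event 13 (registry value set) and PowerShell event 4104 (script block) records.

```python
import re
from typing import Optional

# Documented policy values that turn PowerShell logging on (1) or off (0).
LOGGING_VALUES = (
    r"SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging",
    r"SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging",
    r"SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting",
)

# Sysmon renders a DWORD value in the Details field as "DWORD (0x00000000)".
SYSMON_ZERO = re.compile(r"DWORD \(0x0+\)")

# Script block text that writes 0 to one of the logging policy values.
SCRIPT_DISABLE = re.compile(
    r"\b(Set-ItemProperty|New-ItemProperty|sp)\s[^\n]*?"
    r"(ScriptBlockLogging|ModuleLogging|Transcription)[^\n]*?-Value\s+0\b",
    re.IGNORECASE,
)

def check_event(event: dict) -> Optional[str]:
    """Return an alert reason if the event looks like PowerShell logging being disabled."""
    eid = event.get("EventID")
    if eid == 13:  # Sysmon: registry value set
        target = event.get("TargetObject", "")
        hits_policy = any(target.upper().endswith(v.upper()) for v in LOGGING_VALUES)
        if hits_policy and SYSMON_ZERO.search(event.get("Details", "")):
            return f"registry: {target} set to 0 by {event.get('Image')}"
    if eid == 4104 and SCRIPT_DISABLE.search(event.get("ScriptBlockText", "")):
        return "scriptblock: command disables a PowerShell logging policy"
    return None

def scan(events) -> list:
    """Return (RecordId, reason) for every event that trips the detection."""
    return [(e.get("RecordId"), r) for e in events if (r := check_event(e))]

# Constructed sample records: 1 and 3 are the malicious pattern, 2 enables logging, 4 is benign.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging",
     "Details": "DWORD (0x00000000)"},
    {"RecordId": 2, "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging",
     "Details": "DWORD (0x00000001)"},
    {"RecordId": 3, "EventID": 4104, "ScriptBlockText":
     r"Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0"},
    {"RecordId": 4, "EventID": 4104, "ScriptBlockText": r"Get-ChildItem C:\Users"},
]

if __name__ == "__main__":
    for record_id, reason in scan(SAMPLE_EVENTS):
        print(record_id, reason)
```

A payload that tampers with logging in memory rather than through the registry produces no event 13, so the sudden absence of 4104 events from a host that was emitting them is itself worth alerting on.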
One particular focus for this group appears to be the upcoming Spiez Convergence conference, a key event in the biochemical threat landscape held at the Spiez Laboratory in Switzerland, which previously drew attention for its role in investigating the poisoning of a former Russian spy. As tensions between nation-states rise, Kaspersky warns that organizations in this sector should bolster their cybersecurity defenses and conduct thorough security audits to guard against potential breaches.
While attribution remains elusive, the persistent nature of these attacks underscores an increasing trend towards focusing on entities that protect public health and safety. Business owners in these fields must remain vigilant and proactive in their cybersecurity measures. The implications of these attacks serve as a stark reminder of the evolving cyber threat landscape, where organizations must balance operational efficiency with robust security protocols.
In summary, the ongoing activities of this hacker group signal a need for organizations, particularly those dealing with biological and chemical threats, to reevaluate their cybersecurity strategies. By leveraging the MITRE ATT&CK Framework, organizations can identify key tactics and techniques that adversaries may employ, ensuring a more prepared and informed defense against future cyber threats.