Olympic Code Similarities
Following up on reports by McAfee and Cisco Talos related to hacking during the winter Olympics of 2018 in Pyeongchang, we have analyzed the malware involved in these incidents in order to gain further insights into the origins of these malicious samples. We specialize in recognizing code reuse and similarities (as you can read here http://www.intezer.com/technology), therefore our analysis is focused on that aspect rather than the other points which most of them were already covered in the great posts by the McAfee and Talos teams.
In this case, we have found numerous small code fragments scattered throughout different samples of malware in these attacks that are uniquely linked to APT3, APT10, and APT12 which are known to be affiliated with Chinese threat actors. This article shows some of our findings. We would like to lay all the factual evidence we have out on the table but not make any definitive claims towards attribution.
Intezer believes in spreading knowledge and facts. As mentioned above, in this article we will only show the facts found by correlating our large binary code database to the samples related to the Winter Olympics. Attribution cannot be determined solely by analyzing code similarities, and we are not making any definitive claims towards any threat actor. However, we truly believe that our findings can be valuable for the infosec community, so we decided to share these technical data points for the benefit of future research, perhaps for correlating our findings with additional intelligence.
Connection to APT3
APT3, also known as Pirpi and Buckeye, is a threat group based in China that has been attributed to China’s Ministry of State Security. The system credentials stealer of the Olympic Destroyer malware shares 18.5% of it’s code with a component of APT3’s toolset, both compiled in x64. As described in the report by Talos, this component will try to steal credentials from LSASS in a way very similar to mimikatz, an open source tool for dumping Windows credentials.
In fact, according to our code reuse report on Intezer Analyze™, it looks like it directly borrowed some of the code from mimikatz. We also see the biggest code overlap with the credential stealer in Pirpi’s toolset. A deeper look in IDA Pro reveals multiple different function-for-function overlaps between the components of Pirpi and Olympic Destroyer.
From an operational point of view, APT3 has been known to use a tool to dump system credentials in the past and also has another tool in their toolset to dump passwords from browsers, another component of Olympic Destroyer.
Connection to APT10
APT10, also known as menuPass Group, has been attributed as a Chinese cyber espionage group. According to a report by FireEye, they have a previous history of infecting targets across the Europe, the United States, and Japan of targets in industries such as aerospace, engineering, telecommunications, and governments.
The code overlap involving the main binary of Olympic Destroyer and APT10 is not huge, but there is still some small code reuse. Specifically, this fragment of shared code is a function for generating AES keys. Also, it is important to mention that this code was seen only in APT10 and not in any other software or malware existing in our entire database.
Connection to APT12
APT12, also known as Beebus, is another threat actor that has been linked to cyber espionage by the Chinese government. According to an additional report by FireEye, Beebus also targeted aerospace, telecommunications, and government organizations in the United States and India. After analyzing one of the binaries from the McAfee report regarding an Olympics hacking attempt with the Brave Prince malware, we found code connections to Beebus, an additional malware Gold Dragon that was used in this attack, and an unattributed APT called CONFUCIUS.
From these results, with a deeper look, we saw a few full-function overlaps between multiple samples of Beebus and Brave Prince.
Although there are only a few functions that contain code reuse in each binary, the combination of these smaller code fragments amongst different components of attacks against the Olympics can show a possibility of the bigger picture. As stated earlier, this is not a definitive statement whatsoever of whether China is behind the attacks or not, but when deeply analyzing the code, there are several unique links to Chinese threat actors. We have supplied novel, factual evidence from our side, but further evidence is required to make any kind of attribution. For more in depth information, please feel free to contact us.
APT3 Credential Stealer – 4ca207f0c1b6fd5dc7f25e54f83d2b63cda4d909661fe8378cfae2ea7c55b289
Olympic Destroyer Credential Stealer – 58d5849871f6bac4adc4bccca83c0fad0d6a8542bd63c4c670ff932021eae34c
Olympic Destroyer – d934cb8d0eadb93f8a57a9b8853c5db218d5db78c16a35f374e413884d915016
APT10 – 72d7bcc54520a7d8929eeec78e2b2297a9094fa001483f86cddb7cf1b81704ff
Brave Prince – 94aa827a514d7aa70c404ec326edaaad4b2b738ffaea5a66c0c9f246738df579