Olympic Destroyer
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers. (Citation: Talos Olympic Destroyer 2018)
Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Olympic Destroyer will attempt to clear the System and Security event logs using
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network. (Citation: Talos Olympic Destroyer 2018)
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Olympic Destroyer uses PsExec to interact with the
Enterprise | T1569.002 | System Services: Service Execution | Olympic Destroyer utilizes PsExec to help propagate itself across a network. (Citation: Talos Olympic Destroyer 2018)
Groups That Use This Software

ID | Name | References
---|---|---
G0034 | Sandworm Team | (Citation: CrowdStrike GTR 2019) (Citation: Trend Micro Cyclops Blink March 2022) (Citation: mandiant_apt44_unearthing_sandworm) (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: Secureworks IRON VIKING) (Citation: UK NCSC Olympic Attacks October 2020)
References
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.
- CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.
- Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
- Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
- Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
- UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.