Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Olympic Destroyer
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Olympic Destroyer
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Olympic Destroyer

Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
ID: S0365
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 25 Mar 2019
Last Modified: 23 Apr 2021

Techniques Used
Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.(Citation: Talos Olympic Destroyer 2018)
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.(Citation: Talos Olympic Destroyer 2018)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.(Citation: Talos Olympic Destroyer 2018)
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.(Citation: Talos Olympic Destroyer 2018)(Citation: PsExec Russinovich)
Enterprise T1569 .002 System Services: Service Execution

Olympic Destroyer utilizes PsExec to help propagate itself across a network.(Citation: Talos Olympic Destroyer 2018)

Groups That Use This Software
ID Name References
G0034 Sandworm Team

(Citation: CrowdStrike GTR 2019) (Citation: Secureworks IRON VIKING ) (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: Trend Micro Cyclops Blink March 2022)

References

  1. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  2. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  3. Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.
  4. CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.
  5. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
  6. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.
  7. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.