UK exposes series of Russian cyber attacks against Olympic and Paralympic Games

Russia’s military intelligence service, the GRU, conducted cyber reconnaissance against officials and organisations at the 2020 Olympic and Paralympic Games due to take place in Tokyo this summer before they were postponed, the UK has revealed today.

The targets included the Games’ organisers, logistics services and sponsors.

The attacks on the 2020 Summer Games are the latest in a campaign of Russian malicious cyber activity against the Olympic and Paralympic Games.

The UK is confirming for the first time today the extent of GRU targeting of the 2018 Winter Olympic and Paralympic Games in Pyeongchang, Republic of Korea.

The GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony of the 2018 Winter Games.

It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games in 2018.

The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter.

The National Cyber Security Centre (NCSC) assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks.

Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.

Foreign Secretary Dominic Raab said:

The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms.

The UK will continue to work with our allies to call out and counter future malicious cyber attacks.

The UK has already acted against the GRU’s destructive cyber unit by working with international partners to impose asset freezes and travel bans against its members through the EU cyber sanctions regime.

Today (Monday 19 October), the US Department of Justice has announced criminal charges against Russian military intelligence officers working for the GRU’s destructive cyber unit – also known by the codenames Sandworm and VoodooBear – for conducting cyber attacks against the 2018 Winter Games and other cyber attacks, including the 2018 spear phishing attacks against the UK’s Defence Science and Technology Laboratory (DSTL).

The UK attributed the attacks against DSTL, which followed the Salisbury poisonings, to Russia in 2018.

Background

These cyber attacks were committed by the GRU’s Main Centre for Special Technologies, GTsST also known by its field post number 74455 and known in open source as:

  • Sandworm
  • BlackEnergy Group
  • Telebots
  • VoodooBear
  • Iron Viking
  • Quedagh
  • Electrum
  • Industroyer
  • G0034

The UK government is today confirming for the first time that the GRU unit known as GTsST or by its field post number 74455 were responsible for:

GRU actionUK government response
Winter Olympics, February 2018GTsST actors launched a significant campaign against the Winter Olympic games, which included the use of Olympic Destroyer malware. This malware targeted the Winter Olympic and Paralympic Games. NCSC assess that the intent behind the incident was almost certainly sabotage as the malware was designed to wipe data from and disable computers and networks. Disruption to the Winter Olympics could have been greater if it had not been for administrators who worked to isolate the malware and replace affected computers. More broadly, the GTsST actors targeted multiple entities across South Korea (and the world) which were linked with the Winter Olympics. This activity utilised a range of capabilities known to be used by the GTsST. This includes targeting of: officials, sponsors, a ski resort, official service providers, and broadcastersThe UK government is publicly exposing this attack as the work of the GRU for the first time today

The UK government has previously publicly exposed that this unit of the GRU was responsible for:

GRU actionUK government response
BlackEnergy, December 2015Shut off part of Ukraine’s electricity grid, with 230,000 people losing power for between 1 – 6 hoursUK government publicly exposed this attack as the work of the GRU in February 2020
Industroyer, December 2016Shut off part of Ukraine’s electricity grid, also known as CrashOverride. It resulted in a fifth of Kyiv losing power for an hour. It is the first known malware designed specifically to disrupt electricity gridsUK government publicly exposed this attack as the work of the GRU in February 2020
NotPetya, June 2017Destructive cyber attack targeting the Ukrainian financial, energy and government sectors and affecting other European and Russian businessesUK government publicly exposed this attack as the work of the GRU in February 2018. EU sanctioned the GRU unit for this attack in July 2020
BadRabbit, October 2017Ransomware encrypted hard drives and rendered IT inoperable. This caused disruption including to the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outletsUK government publicly exposed this attack as the work of the GRU in October 2018
VPNfilter, October 2017VPNFILTER malware infected thousands of home and small business routers and network devices worldwide. The infection potentially allowed attackers to control infected devices, render them inoperable and intercept or block network trafficIn April 2018, the NCSC, FBI and Department for Homeland Security issued a joint Technical Alert exposing that the GRU was responsible
DSTL, April 2018The GRU attempted to use its cyber capabilities to gain access to the UK’s Defence and Science Technology Laboratory (DSTL) computer systemsUK government publicly exposed this attack as the work of the GRU in October 2018
FCO, March 2018The GRU attempted to compromise the UK Foreign and Commonwealth Office (FCO) computer systems via a spearphishing attackUK government publicly exposed this attack as the work of the GRU in October 2018
Georgia, 28 October 2019The GRU carried out large scale disruptive cyber-attacks against Georgian web hosting providers that resulted in widespread defacement of websites, including sites belonging to the Georgian Government, courts, NGOs, media and businesses, and also interrupted the service of several national broadcastersUK government publicly exposed this attack as the work of the GRU in February 2020

The National Cyber Security Centre has assessed with high confidence that all of these attacks were almost certainly (95%+) carried out by the unit known as the Main Centre for Special Technologies (GTsST) also known as Unit 74455 of the GRU.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: