The UK National Cyber Security Centre and US intelligence agencies have disclosed a joint operation which thwarted Russian plans to mount a cyber attack on the Tokyo Olympics.
All Russian competitors have been excluded from participating in the Games due to persistent state-sponsored doping offences. This admission from the UK and US is the first evidence that Russia was preparing to disrupt the world’s premier sporting event.
The Russian cyber-reconnaissance work covered the Games organisers, logistics services and sponsors and was under way before the Olympics was postponed due to coronavirus.
The UK is the first government to confirm details of the breadth of a previously reported Russian attempt to disrupt the 2018 winter Olympics and Paralympics in Pyeongchang, South Korea. It declared with what it described as 95% confidence that the disruption of both the winter and summer Olympics was carried out remotely by the GRU unit 74455.
In addition, the US indicted six Russian military intelligence officers for their alleged role in hacking attacks on the 2018 winter Olympics, and on targets of the “NotPetya” malware, including a Pennsylvania hospital, which is also alleged to be the work of the GRU’s unit 74455, known by cybersecurity researchers as the “Sandworm team”.
The US justice department estimates the total worldwide damage caused by the NotPetya worm at more than US$10bn, with more than 300 victims worldwide, making it the costliest hacking attack ever. The US indictments also cover alleged GRU attacks on Ukraine, Georgia, the South Korean Olympics, the French elections and the investigation into the 2018 Russian Novichok nerve agent attack in the UK.
The six indicted GRU officers were charged with roles in producing components of the NotPetya, Olympic Destroyer and other malware, as well as involvement in spearphishing attacks on Olympic, French and Georgian officials.
Reacting to the news, Andy Watkin-Child, a Board member of The Security Institute, said: “The GRU are a very capable cyber threat. The US Department of Justice indictment makes it clear that hacking and nation state attacks will not be tolerated. These attacks have had a significant impact on the public and private sector.
“Whilst it is not always possible to defend yourself against nation state attacks, the indictment should raise questions at board level regarding ‘how do we maintain business resilience in the event of a cyber attack’.”
Former British Intelligence Officer, Philip Ingram MBE stated: “The Russians have been deliberately undermining various Olympic Games since Russia’s athletics federation was suspended over a 2015 World Anti-Doping Agency (WADA) report that exposed systematic state-sponsored doping in Russian athletics. This was extended for another four years in 2019 and since then, Russia has played dirty in the cyber arena, trying to discredit other nations’ athletes and Olympic programmes.
“In 2016 the Russian state-affiliated Fancy Bears hacking group released medical data relating to five British athletes including Mo Farah and Tour De France Winners Chris Froome and Sir Bradley Wiggins. This is all part of what the Russians call маскировка (maskirovka) literally masking, where they are trying to cover up their misdemeanours by trying to suggest others.
“The Main Directorate or GRU, are the most proactive army of the different Russian intelligence agencies and are used in many of the more direct-action events we have seen reported. They have a number of cyber Advanced Persistent Threats (APTs) linked to them and often use plausibly deniable outlets to carry out their attacks.”
John Hultquist, Senior Director of Analysis, Mandiant Threat Intelligence commented: “The attack on the Pyeongchang Olympics was the culmination of a lengthy effort to discredit and harass the Olympic community that began within hours of the decision to disqualify Russian athletes from the Games. Prior to the destructive attack, Sandworm and other elements of the GRU orchestrated DDoS attacks, hack and leak operations and other operations in the wake of the decision, going so far as to physically travel to hack organisations up close.
“The Pyeongchang Games were targeted with a destructive attack that was meant to bring operations to a halt and it nearly succeeded. The attack was carried out with malware bearing many similarities to tools used by North Korea but ultimately ties to Sandworm were uncovered. Despite their efforts to throw off investigators, the group’s involvement was predicted before the games even began and many investigators ultimately attributed the incident to Russia.
“Despite the thin veneer of their ruse, Russia did succeed in creating a viable alternative explanation for the attack, affording them a measure of deniability. Furthermore, despite this attack on an international event they have avoided a backlash from the international community. It’s important that their role is finally being recognised because Russia has thus far avoided even so much as an official accusation.
“The importance of these events as elections loom can’t be understated. This was the actor who targeted the elections in 2016 and an attack on an international event of goodwill is not an act of contrition. If there was a false impression, that in the wake of the 2016 incident, Russia has exercised restraint, this incident is evidence to the contrary. This was an act of international harassment using a tool that we may well see again this US Presidential election cycle.”