Olympic Destroyer
Sandworm's false-flag wiper at the PyeongChang opening ceremony
Attributed to Russian GRU Unit 74455 (Sandworm) by the U.K. NCSC and U.S. partners in October 2020. Six GRU 74455 officers — Yury Andrienko, Sergei Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko, and Petr Pliskin — were indicted by the U.S. Department of Justice on October 19, 2020. Kaspersky GReAT's forensic analysis of deliberately planted false-flag indicators (rich-header forgery, reused code strings) first exposed the deception in March 2018.
Sandworm pre-positioned inside PyeongChang 2018 partner networks months before the Winter Olympics, then detonated a wiper precisely as the Opening Ceremony began on February 9, 2018. The attack took down the official Pyeongchang2018.com ticketing website, stadium Wi-Fi, press-centre printers, and the official mobile app — sabotaging the spectacle in real time. The malware was deliberately seeded with forged code artifacts pointing at Lazarus Group (DPRK), APT3, and APT10 to frustrate attribution. Kaspersky GReAT later unpicked the layered deception through PE rich-header analysis, exposing one of the most sophisticated false-flag operations in cyber history.
Phase 01 · Initial Access (TA0001)
Spear-phishing of PyeongChang 2018 partner organisations months before the ceremony
- Sandworm conducted targeted spear-phishing against organisations with a role in the Games — including IT providers, infrastructure partners, and national Olympic bodies — starting well before the February 9 Opening Ceremony.
- Decoy documents referencing PyeongChang security briefings and event logistics were used to deliver the initial implant; ESET noted the lures were tailored to recipients with legitimate Games-related roles.
- The pre-positioning campaign gave operators months of dwell time to map target networks, harvest credentials, and stage the destructive payload before the detonation window.
- Cisco Talos observed the dropper arrive via spear-phish and noted the binary was heavily obfuscated and packed — a pattern consistent with Sandworm operational discipline.
Phase 02 · Execution (TA0002)
A packed dropper launched the wiper module and self-modifying credential harvester
- The Olympic Destroyer dropper was a packed Windows executable that, once opened, decrypted and executed the primary payload in memory — avoiding writes of the core wiper logic to disk in plaintext form.
- Cisco Talos noted the binary used a self-modifying technique: the credential-harvesting module altered its own code at runtime, complicating static analysis and sandbox detonation.
- PowerShell was used for execution of downstream components, consistent with the living-off-the-land pattern documented by Kaspersky and MITRE for this campaign.
- The malware used Windows Management Instrumentation (WMI) to enumerate host configuration and initiate lateral-movement routines without spawning child processes visible to basic process-tree monitoring.
Phase 03 · Credential Access (TA0006)
Browser and Windows credential stores harvested to fuel lateral movement
- Olympic Destroyer contained a credential-harvesting module documented by Kaspersky that extracted saved passwords from Chrome, Internet Explorer, Firefox, and the Windows credential manager.
- Harvested credentials were written to a temporary file and then read by the lateral-movement component — feeding PsExec and WMI remote execution with legitimate account credentials.
- The credential harvester used a self-modifying code pattern noted by Cisco Talos, making it harder for AV engines to match the routine via static signatures.
- MITRE ATT&CK documents Olympic Destroyer's use of T1555.003 (browser credential stores) and T1003 (OS credential dumping) as distinct harvesting paths, indicating operators swept multiple credential surfaces.
Phase 04 · Lateral Movement (TA0008)
PsExec and WMI carried the wiper across every reachable host before detonation
- Olympic Destroyer used PsExec — a legitimate Sysinternals remote-execution utility — with the harvested credentials to copy and execute itself on additional Windows hosts across the target network, mirroring a technique documented in the NotPetya campaign the year before.
- WMI remote invocation provided a second lateral-movement vector when PsExec was unavailable, allowing command execution on remote hosts without writing a new binary to a share.
- ESET and Kaspersky both noted the worm-like self-replication: once on a new host the malware immediately repeated the credential harvest and attempted further spread before triggering its destructive logic.
- The dual PsExec + WMI approach maximised reach across the Games-related infrastructure in the hours before the Opening Ceremony began.
Phase 05 · Defense Evasion (TA0005)
Forged PE rich-headers and reused strings planted to frame Lazarus, APT3, and APT10
- The Olympic Destroyer binary was built with deliberately falsified PE rich-header metadata — a compiler fingerprint embedded in the PE format — that Kaspersky GReAT's Igor Soumenkov showed was borrowed from known Lazarus Group samples, pointing any automated similarity engine toward DPRK as the culprit.
- Additional code strings and import-table patterns echoed malware linked to Chinese actors APT3 and APT10, creating a multi-layer misdirection: different analysts using different tools would reach different wrong conclusions.
- Kaspersky reversed the deception by demonstrating the rich-header values were physically impossible to generate with Lazarus's known toolchain — the forgery was detectable only because it was too precise, using values that could only have been copied from existing binaries rather than compiled fresh.
- WIRED's 2019 account of the incident described the false flag as 'the most sophisticated attribution attack ever seen in the wild,' deliberately weaponising the threat-intel industry's own methods against itself.
- MITRE ATT&CK documents the technique as T1036 (Masquerading) and T1027 (Obfuscated Files or Information) applied at the binary metadata level.
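The rich-header deception above can be tested with a check that is independent of any toolchain database: the Rich header's XOR key is a checksum over the host file's own DOS header and stub, so a header lifted verbatim from another binary no longer validates once it sits in a different file. The code below is an added example, not Kaspersky's published method or the page's own material; the DOS stubs and @comp.id entries are constructed.

```python
import struct
DANS = 0x536E6144  # "DanS" marker that opens the XOR-masked Rich header

def rol32(value, n):
    n &= 31
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(dos_region, entries):
    """Recompute the XOR key: it covers every host-file byte before DanS
    (except e_lfanew at 0x3C..0x3F) plus each @comp.id entry."""
    cksum = len(dos_region)                    # offset of the DanS marker
    for i, b in enumerate(dos_region):
        if not 0x3C <= i < 0x40:
            cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum

def build_rich_header(dos_region, entries):
    key = rich_checksum(dos_region, entries)
    words = [DANS, 0, 0, 0]                    # marker + three padding dwords
    for comp_id, count in entries:
        words += [comp_id, count]
    masked = b"".join(struct.pack("<I", w ^ key) for w in words)
    return dos_region + masked + b"Rich" + struct.pack("<I", key)

def parse_rich_header(data):
    """Return (entries, stored_key, recomputed_key), or None if absent."""
    end = data.find(b"Rich")
    if end < 0:
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = end - 4                            # walk back to the masked DanS
    while start >= 0 and struct.unpack_from("<I", data, start)[0] ^ key != DANS:
        start -= 4
    if start < 0:
        return None
    entries = [tuple(v ^ key for v in struct.unpack_from("<II", data, off))
               for off in range(start + 16, end, 8)]
    return entries, key, rich_checksum(data[:start], entries)

def rich_header_is_consistent(data):
    parsed = parse_rich_header(data)
    return parsed is not None and parsed[1] == parsed[2]

# Constructed sample: two different 128-byte DOS header/stub regions and two
# made-up @comp.id entries (product/build id, use count); not real binaries.
DOS_A = b"MZ" + bytes(range(2, 0x80))
DOS_B = b"MZ" + bytes(0x7E)
ENTRIES = [(0x000A2636, 12), (0x0093766F, 3)]
GENUINE = build_rich_header(DOS_A, ENTRIES)
TRANSPLANTED = DOS_B + GENUINE[len(DOS_A):]   # same Rich bytes, different host stub
```

A mismatch between the stored and recomputed key proves the header was not emitted by the linker that built this file; a match does not prove provenance, since a careful forger can recompute the key, so treat this as one signal beside linker-version and import-table consistency.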
Phase 06 · Impact (TA0040)
Detonated at Opening Ceremony: ticketing site, stadium Wi-Fi, printers, and mobile app all down
- The wiper executed simultaneously across compromised hosts at the moment the PyeongChang 2018 Opening Ceremony began on February 9, 2018, taking down the official Pyeongchang2018.com website and the ticket-printing systems that attendees needed to enter the stadium.
- Stadium Wi-Fi failed, disrupting broadcast feeds and press-centre operations; venue printers were rendered inoperable; the official iOS and Android apps became unreachable — publicly embarrassing the organising committee at the most-watched moment of the Games.
- The wiper deleted Windows Event Log files, disabled Windows Error Recovery, deleted shadow copies (VSS), overwrote files, and disabled or deleted Windows backup services — maximising irreversibility and complicating forensic response.
- ESET noted the wiper used vssadmin.exe to delete volume shadow copies and wevtutil.exe to clear Windows Event Logs, consistent with Sandworm's documented playbook.
- Olympic Destroyer used bcdedit.exe to disable Windows boot recovery options, ensuring hosts could not automatically enter recovery mode after the destructive payload had run.
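The recovery-inhibition chain described in this phase (shadow-copy deletion, event-log clearing, boot-recovery disablement) is the detection opportunity that precedes the wipe. The following is an added example, not from the page's sources: it scores process-creation lines per host and escalates only when more than one recovery surface is removed on the same machine, which separates the wiper pattern from a lone administrative log clear. The log lines are constructed and the command flags are the commonly documented ones, assumed here rather than taken from the page.

```python
import re
from collections import defaultdict

# Each pattern names the recovery surface the command removes (flags assumed).
PATTERNS = {
    "shadow_copies": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "event_logs":    re.compile(r"wevtutil(?:\.exe)?\s+cl\b", re.I),
    "boot_recovery": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.I),
}
LINE_RE = re.compile(r'host=(\S+)\s+pid=\d+\s+cmd="(.*)"$')

# Constructed process-creation telemetry (not real captures from the incident).
LOG = """\
2018-02-09T11:00:01Z host=press-01 pid=4120 cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"
2018-02-09T11:00:02Z host=press-01 pid=4122 cmd="wevtutil.exe cl System"
2018-02-09T11:00:02Z host=press-01 pid=4123 cmd="wevtutil.exe cl Security"
2018-02-09T11:00:03Z host=press-01 pid=4125 cmd="bcdedit.exe /set {default} recoveryenabled no"
2018-02-09T11:00:03Z host=press-01 pid=4126 cmd="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2018-02-09T11:05:00Z host=admin-07 pid=888 cmd="wevtutil.exe cl Application"
"""

def recovery_inhibition_by_host(log_text):
    """Map each host to the set of recovery surfaces its commands removed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host, cmd = m.groups()
        for surface, pat in PATTERNS.items():
            if pat.search(cmd):
                seen[host].add(surface)
    return dict(seen)

def hosts_to_escalate(log_text, min_surfaces=2):
    """One cleared log is routine admin noise; two or more distinct recovery
    surfaces removed on the same host is the pre-detonation wiper pattern."""
    return sorted(h for h, s in recovery_inhibition_by_host(log_text).items()
                  if len(s) >= min_surfaces)
```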
Phase 07 · Attribution (TA0043)
Kaspersky unmasks the false flag; DOJ indicts six GRU 74455 officers in October 2020
- Kaspersky GReAT published its false-flag analysis on March 8, 2018, demonstrating that the PE rich-header values in Olympic Destroyer were copied from Lazarus samples rather than compiled by Lazarus's toolchain — the most technically detailed public refutation of a nation-state false flag to that date.
- The U.K. NCSC, in a statement dated October 19, 2020, attributed Olympic Destroyer to the GRU and publicly named it as part of a sustained Sandworm campaign targeting the Games: 'The GRU's cyber unit attempted to disrupt the Games by targeting the infrastructure of the 2018 Winter Olympic Games.'
- The U.S. Department of Justice unsealed an indictment on October 19, 2020 charging six GRU Unit 74455 officers — Yury Andrienko, Sergei Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko, and Petr Pliskin — with conspiracy charges covering Olympic Destroyer alongside NotPetya, the 2015–16 Ukraine grid attacks, and interference in the 2017 French election.
- Anatoliy Kovalev, one of the six, was separately named in the 2018 indictment of twelve GRU officers for the 2016 U.S. election operations, connecting the Unit 74455 cadre to multiple Sandworm campaigns.
- The U.S. Treasury OFAC simultaneously designated the six individuals, and the Five Eyes partners (U.S., U.K., Australia, Canada, New Zealand) issued coordinated public attribution.
Sources
- Olympic Destroyer Takes Aim At Winter Olympics · Cisco Talos · 2018-02-12
- OlympicDestroyer Is Here to Trick the Industry · Kaspersky GReAT · 2018-03-08
- Olympic Destroyer Malware Hitting Winter Olympics · ESET · 2018-02-12
- Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware · U.S. Department of Justice · 2020-10-19
- UK Exposes Series of Russian Cyber Attacks Against Olympic and Paralympic Games · UK NCSC · 2020-10-19
- The Untold Story of the 2018 Olympics Destroyer Cyberattack · WIRED · 2019-02-05
- S0365 — Olympic Destroyer · MITRE ATT&CK
- G0034 — Sandworm Team · MITRE ATT&CK

Attribution framework: Caltagirone / Pendergast / Betz 2013 (four-vertex model)
- Adversary: Sandworm (GRU Unit 74455)
- ATT&CK techniques: T1566.001, T1204.002, T1059.001, T1047, T1027