Cyber Incident Victim: Atos

Date: Feb 2018

Location: South Korea

Summary

Hackers compromised the primary IT service provider for the Winter Olympics months prior to a disruptive cyberattack during the opening ceremony, deploying destructive malware known as Olympic Destroyer. The attackers leveraged stolen employee credentials from the provider to propagate the malware, which targeted systems by deleting critical files and disrupting operations, leading to temporary website outages and localized network failures. Evidence suggested the breach involved reconnaissance activities and a supply chain intrusion, enabling rapid spread within the environment. While the incident caused operational disruptions, competitions remained unaffected, and an investigation was initiated to determine the attack's origins and full scope.

Description

In December 2017, hackers compromised systems belonging to Atos, the IT service provider hosting cloud infrastructure for the 2018 Pyeongchang Winter Olympics. Evidence uploaded to VirusTotal indicated attackers infiltrated Atos networks, with early malware samples originating from France (where Atos is headquartered) and Romania (where some security team members worked). The intrusion provided attackers with authenticated credentials of Atos employees, visible within malware strings upon analysis. This access likely facilitated reconnaissance ahead of the main attack. On February 9, 2018, during the Opening Ceremony, attackers deployed Olympic Destroyer malware, causing the official Olympics website to fail for several hours and disrupting ticket sales/downloads. Local Wi-Fi networks near Olympic venues also experienced temporary outages. The malware propagated using stolen credentials to spread rapidly across systems before executing its destructive payload, which deleted shadow backups, boot configuration data, and event logs.

Olympics officials confirmed a cyberattack on February 11 but disclosed minimal details. Cisco Talos researchers subsequently identified Olympic Destroyer as a wiper malware designed to cause mass system failures. Forensic analysis revealed the malware samples contained Atos employee credentials, suggesting the initial breach served as a supply chain attack vector. Atos acknowledged an ongoing investigation into a potential breach related to the incident, coordinating with partners and authorities while emphasizing no competitions were disrupted. The malware's worm-like design enabled autonomous credential theft and lateral movement within compromised environments, maximizing disruption potential. While the exact method of initial credential theft remains unconfirmed, the incident demonstrated risks inherent in third-party cloud infrastructure dependencies for critical events.
