Russian military spies are believed to have hacked hundreds of computers at the 2018 Winter Olympics in Pyeongchang, South Korea, and attempted to shift the blame onto North Korea. US intelligence officials, who spoke to the Washington Post anonymously, said Russian agents compromised about 300 computers used by Olympics authorities, hacked routers and distributed new malware leading up to and during the sporting event's opening ceremonies.
Earlier this month, Olympics officials confirmed that the Games were hit with a cyberattack during the opening ceremony on 9 February that knocked the official Pyeongchang 2018 website offline, disrupted the Wi-Fi network at the stadium and caused internet protocol televisions (IPTVs) at the Main Press Center to fail.
However, officials refused to reveal who the attackers were.
Cybersecurity researchers at CrowdStrike, FireEye and Cisco's Talos have identified the destructive malware used in the attack as Olympic Destroyer, which is designed to destroy targeted systems and wipe files on shared network drives. The website was down for over 12 hours, leaving many attendees unable to print out their tickets for the ceremony.
Experts believe the attack was intended to embarrass organisers and disrupt the event rather than steal data.
Speaking to the Post, two US intelligence officials said Russia's military intelligence agency, the GRU, infiltrated up to 300 Olympics-related computers in early February. They said the GRU also tried to make it seem like the attacks were carried out by North Korean hackers by using North Korean IP addresses among other tactics in the "false-flag operation".
It is still unclear if Russia's reported access was the cause of the disruptions at the opening ceremony.
The hackers are believed to be working for the GRU's Main Center for Special Technology (GTsST) – the same unit experts have tied to the NotPetya cyberattack that took down a swathe of computers in Ukraine in 2017.
Officials believe the Olympics cyberattack was in retaliation for the International Olympic Committee's decision to ban Russia from the Winter Games over the alleged state-sponsored doping scandal. Some Russian athletes were allowed to compete, however, under a neutral flag as the "Olympic Athletes from Russia".
US officials also expressed concerns over the possibility of Russia attempting to disrupt the Winter Games' closing ceremony on Sunday, 25 February.
"We're watching it pretty closely," one official said. "It's essentially a Korean problem. We will help the Koreans as requested."
However, the 2018 Winter Olympics appeared to end unscathed, coming to a close in a sentimental ceremony that featured pyrotechnics, K-pop performances and a diplomatic thaw between North and South Korea as Pyeongchang handed off the Games to Beijing.
In the months leading up to the Winter Games, security researchers observed increasingly frequent phishing campaigns targeting multiple Olympics organisations by the GRU-linked hacking group Fancy Bear or APT28.
"Prior to the Olympics, FireEye iSIGHT Intelligence surveyed the cyber espionage threats to the games and predicted the potential for a Russia-nexus espionage group, particularly the destructive Sandworm Team, to carry out an attack, and further the likelihood that they would follow their usual TTPs by making another group, such as a North Korean espionage group, appear responsible," John Hultquist, Director of Intelligence Analysis at cybersecurity firm FireEye, told IBTimes UK.
"We concur with the assessment that Russia likely conducted these attacks, and were most likely motivated by retaliation against the Olympics for the banning of Russian athletes. Similarly, we attribute a number of recent compromises against Olympic and other international sporting entities to the Russia-nexus APT28."
Prior to the Winter Games, Russia had denied any involvement in cyberattacks that had targeted, or could potentially target, the event.
The Russian foreign ministry told Reuters at the time, "We know that Western media are planning pseudo-investigations on the theme of 'Russian fingerprints' in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea. Of course, no evidence will be presented to the world."