Winter Olympics proving a temptation for hackers

WASHINGTON – The Winter Games don't open until next month, but one related competition is already in full swing: hacking.

Cybersecurity researchers found a clever hacking scheme against Olympics organizations this month, and a Russia-linked unit is also raising a ruckus as it seeks to avenge the ban against Russia's official participation over alleged state-backed doping.

Hackers — from low-level ticket scammers to sophisticated digital spies — are preparing for the Winter Games in Pyeongchang Feb. 9 to 25. Some hackers might be looking to disrupt the Games for causes like jihad or in opposition to Korean reunification. Others may seek to hijack e-mail accounts, disrupt television broadcasts or scalp phony tickets, the cybersecurity experts said.

"The whole world's watching. It's one of the largest stages you can possibly have to get a message out there," said Ross Rustici, senior director for intelligence at Cybereason, a Boston cybersecurity firm.

"You got a lot of lower-tier guys going after these Games. It's headhunting, bragging rights," Rustici said, adding that some might try to interrupt media coverage.

"If they can claim credit for bringing down the broadcast of the Olympics, that immediately gives them credibility in dark web forums," Rustici said. "Bringing down a television network, then releasing a press release, gets your cause a lot of attention."

He called that a "low probability, high-risk scenario."

Once recipients opened the attachment, which appeared to be from South Korea's National Counter-Terrorism Center, and then clicked on a link to ensure they were using the right version of Word, the host computer would link to a remote server hosting an image containing malware. That implant would allow hackers to introduce further code and hijack the computer.

"They sent the e-mail to just over 300 organizations and we are aware that some of them did actually fall for this trick," Raj Samani, chief scientist for McAfee, said from his base in London.

Samani said the campaign "was obfuscated to the nth degree" and the hackers "spent a lot of time and obviously a lot of money to hide what they were trying to do."

The implant scheme, using a tool for hiding code in images or photographs that had been in the public domain only since Dec. 20, would have given hackers valuable insight on nearly all aspects of the Games.

"You have absolute, full visibility over all of their operations. It's everything. My guess is that it gives you full insight into everything going on with regard to the Olympics," Samani said. "It's not just theft of information. Potentially it's the modification of data as well."

Samani stopped short of blaming North Korea for the e-mail campaign.

"We didn't say it was North Korea. We just said a nation state that speaks Korean," Samani said.

Among the targets of the Dec. 28 e-mail chain were organizations involved in hockey.

Barely three weeks later, North and South Korea announced a surprise rapprochement that would allow their athletes to march under one flag at the opening ceremony of the Games and field a joint women's hockey team.

Given North Korea's move toward more participation, experts said that its hackers would be less likely to disrupt the event. The same is not true for Russia, which is still angered by a Dec. 5 International Olympic Committee decision to bar its team as punishment for state-backed doping at the 2014 Winter Games in Sochi, Russia.

In a series of posts on a website this month, a group calling itself Fancy Bears' Hack Team has focused on drug testing, disclosing a stream of new, hacked Olympics-related e-mails to further its allegation that doping rules are unfair. Fancy Bear is the code name researchers use for the GRU cyber unit of Russia's military.

One post last week alleged that Scandinavian athletes had been given widespread exemptions for use of an asthma medicine, Salbutamol, "which opens airways to and from the lungs," and said it showed "violations of the principles of fair play."

In a snarky signoff, the hackers referred to "therapeutic use exemption," or TUE, for athletes that have no clinical need for it.