Assessing Threats to the Pyeongchang 2018 Winter Olympics
Olympic events are high-budget, high-profile convergences of elite athletes and global media organizations that tend to carry inherently geopolitical undertones. As such, they can be seen as appealing targets for various cyber and physical adversaries motivated by financial or political gain. The 2018 Winter Olympics in Pyeongchang, South Korea are no exception, with the precarious geopolitics of the Korean Peninsula and the complex dynamics of the Korean-language underground exacerbating security concerns.
Olympic events have a long history of attracting cyber attacks, and Pyeongchang 2018 is shaping up to be no exception. The weeks leading up to the 2018 Winter Olympics were plagued with cyber attacks targeting organizations affiliated with the Games. In late January, the Russia-linked “Fancy Bear” threat actor group, which is alleged to be behind the U.S. Democratic National Committee cyber attacks, leaked emails and documents stolen from Olympics-related agencies which reveal drug anti-doping violations, athletes’ use of prescribed drugs, and other sensitive information in an apparent attempt to inflict reputational damage. On Feb. 2, researchers at McAfee published a blog post detailing a suspected North Korean espionage operation, which they dubbed “Operation GoldDragon.” This operation targets key Korean-language organizations involved with the Olympics through phishing emails containing a malicious Word document. The phishing scheme originated from a remote server in the Czech Republic registered with fake South Korean credentials.
Shortly before the opening ceremony began on Feb. 9, a Wi-Fi outage affected Pyeongchang Olympic Stadium, as well at the main press center for the Games, in what was later confirmed to be a cyber attack. The official Pyeongchang 2018 website was also disrupted for 12 hours, preventing users from accessing event information or printing their tickets. An investigation by Cisco Systems’ research arm Talos found the attacks were not a data exfiltration operation, but rather an attempt to disrupt the Games. The identity of the actors behind the attacks is still unknown.
While Flashpoint has not observed any direct physical threats to the Olympics or affiliated events in Korean-language open web or Deep & Dark Web (DDW) communities, this runs in contrast to North Korea’s history of targeting international sporting events hosted by South Korea. Less than a year before the 1988 Summer Olympic Games in Seoul, North Korean agents successfully detonated an explosive device on a passenger flight from South Korea to Thailand, killing 115 people. The two agents responsible for the attack took cyanide after being apprehended; one survived and was taken to South Korea for interrogation, where she revealed the bombing was directly ordered by Kim Jong-il, current North Korean leader Jong-un’s predecessor and father. In her testimony, the apprehended North Korean agent stated that Kim Jong-il wanted to destabilize South Korea and discourage international teams from attending the Olympics.
During the 2002 FIFA World Cup in South Korea, North Korea instigated a maritime confrontation known as the Second Battle of Yeonpyeong, which left 19 dead and 43 wounded. This incident was regarded by many as an attempt to steal the limelight from South Korea during a moment of international prominence.
Despite North Korea’s history of violence, events appear to be shaping up differently for the 2018 Pyeongchang Olympics. Amid rising geopolitical tensions on the Korean Peninsula, the unification of athletes from North and South Korea as a singular Team Korea strikes a poignant message. Moreover, the three-day visit to the Games by Kim Yo-jong, sister of Kim Jong-un, coinciding with the opening ceremony made her the first member of North Korea’s ruling family to travel to South Korea since the Korean War. She was accompanied by head of state Kim Yong-nam, making him the most senior North Korean official to visit South Korea. Only time will tell if these rare moments of inter-Korean diplomacy will have a lasting, meaningful impact on geopolitical tensions within the region.
Given South Korea’s history of being targeted by a myriad of cyber attacks from multiple threat actor groups, the international prominence of the Olympics, and the financial and political motives for targeting the games, Flashpoint assesses with moderate confidence that organizations affiliated with the 2018 Pyeongchang Winter Olympics will continue to be targeted by malicious cyber activity until the Games conclude on Feb. 25.
Director of Asia Pacific Research
Jon Condra serves as Director of Asia Pacific Research at Flashpoint. He joined the company in July 2014 from Versign iDefense. Aside from helping coordinate Flashpoint’s Subject Matter Experts and the delivery of intelligence products, Jon specializes in East Asian — and in particular Chinese — underground communities, including hacking, hacktivist, and cybercriminal communities. Jon speaks and reads Mandarin Chinese, and has a BA from Gettysburg College and an MA in Security Studies/Intelligence from Georgetown University.