THIS PAST WINTER, malware ripped through the Pyeongchang Olympics, disrupting Wi-Fi, shutting down the Olympics website, and causing generalized digital havoc. The so-called [Olympic Destroyer attack](https://www.wired.com/story/olympic-destroyer-malware-pyeongchang-opening-ceremony/) gained infamy, too, for using a number of false flags to muddy attribution. Now, researchers at Kaspersky Lab say the group behind those February attacks has returned, with a new target: organizations that respond to and protect against biological and chemical threats.
While the activity Kaspersky has seen has not turned destructive, researchers there say that hackers have taken steps that echo the early groundwork laid by the Olympic Destroyer group. Using a sophisticated spearphishing technique, the group has attempted to gain access to computers in France, Germany, Switzerland, Russia, and Ukraine. The concern: That these early intrusions will escalate in the same destructive way Olympic Destroyer did.
“We’re pretty confident this is the same group,” says Kaspersky security researcher Kurt Baumgartner. “We’re saying the same sort of tactics. We’re seeing targeting that may line up with the previous group. We’re seeing multiple places where there may be crossover.”
Those tactics, so far, involve spearphishing emails that present themselves as coming from an acquaintance, with a decoy document attached. The execution, Baumgartner says, is remarkably similar to how Olympic Destroyer began: Emails target a group of people affiliated with a specific event; if they open the document, a macro runs, enabling multiple scripts to run in the background that enable access to the target computer.
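The infection chain described above starts with a macro-bearing decoy document, so the earliest point at which a defender can intervene is the mail gateway: does an inbound Office attachment carry a VBA project at all, and does its extension admit to that? The following is an added example, not code from the article or from Kaspersky's report, and it assumes only that modern Office files are OOXML zip containers in which a macro project is stored at `word/vbaProject.bin` (or the `xl/` and `ppt/` equivalents). The sample attachments are constructed in memory for the demonstration; no real phishing documents are used.

```python
"""Triage Office attachments for embedded VBA macro projects.

Added example (not from the Wired article or Kaspersky's analysis). Assumes the
OOXML layout: a zip container whose VBA project, if any, lives at
<word|xl|ppt>/vbaProject.bin. Sample files are constructed below for the demo.
"""
import io
import zipfile

# Parts whose presence means the document carries a VBA project.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

# Extensions that legitimately announce macro content. A VBA project inside a
# plain .docx/.xlsx/.pptx is a mismatch worth flagging on its own.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def build_docx(with_macro: bool, macro_content_type: bool = False) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctype = ("application/vnd.ms-word.document.macroEnabled.main+xml"
                 if macro_content_type else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; a placeholder header suffices here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba")
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return findings for one attachment: macro presence, extension mismatch, verdict."""
    ext = filename.lower()[filename.rfind("."):] if "." in filename else ""
    findings = {"filename": filename, "has_macro": False, "ext_mismatch": False,
                "verdict": "allow", "reasons": []}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls or a corrupt file: not parseable here, send to review.
        findings["verdict"] = "review"
        findings["reasons"].append("not an OOXML container (legacy binary format or corrupt)")
        return findings
    names = set(z.namelist())
    found = names & MACRO_PARTS
    if found:
        findings["has_macro"] = True
        findings["reasons"].append("embedded VBA project: " + ", ".join(sorted(found)))
        if ext not in MACRO_ENABLED_EXT:
            findings["ext_mismatch"] = True
            findings["reasons"].append(f"macro inside non-macro extension {ext!r}")
        findings["verdict"] = "quarantine"
    return findings


if __name__ == "__main__":
    samples = [
        ("agenda.docx", build_docx(with_macro=False)),
        ("agenda.docm", build_docx(with_macro=True, macro_content_type=True)),
        ("agenda.docx", build_docx(with_macro=True)),
        ("old.doc", b"not a zip"),
    ]
    for name, blob in samples:
        r = inspect_attachment(name, blob)
        print(f"{r['filename']:12} {r['verdict']:10} {'; '.join(r['reasons'])}")
```

The verdict is deliberately coarse: "quarantine" for anything with a VBA project, regardless of whether the macro is benign, because the article's point is that the decoy document is only the first stage and the scripts it launches are where the damage is done. Legacy binary formats fall through to "review" rather than "allow", since this parser cannot see inside them.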
While the hacker group excels at avoiding detection, its activity has enough hallmarks that Kaspersky has high confidence that it’s a repeat performance. “When you look at the obfuscation that they’re looking in the spearphishing macros, this is a very specific set of macros,” says Baumgartner. “No one else is using this stuff.”
In the case of Olympic Destroyer, that early access was eventually used to deploy malware designed to destroy data on victim machines. Kaspersky says it chose to go public with its findings because if these latest attacks follow the same timeline as Pyeongchang, they may be about to escalate in a similar fashion.