The Olympics have always been a geopolitical microcosm: beyond the athletic match-ups, they provide a vehicle for diplomacy and propaganda, and even, occasionally, a proxy for war. It stands to reason, then, that in 2018 they've also become a nexus of hacker skullduggery. The Olympics unfolding next week in Pyeongchang may already be the most thoroughly hacked in the games' history—with potentially more surprises to come.

More so than any previous Olympics, the run-up to Pyeongchang has been plagued by apparent state-sponsored hackers: One Russia-linked campaign has stolen and leaked embarrassing documents from Olympic organizations, while security researchers have tracked another operation, possibly North Korean, that appears to be spying on South Korean Olympics-related organizations.

Security researchers tracking those two operations say the full scope of either remains far from clear, leaving the looming question of whether they could still present new disruptions timed to unfold during the games themselves. And more broadly, the intrusions signal that the geopolitical tensions that have long underscored the Olympics now extend into the digital realm as well.

"The Olympics have always been the most politicized sporting event of them all," says Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies. "It’s not a surprise at all that they've become a high-profile target for hacking."

Operation GoldDragon

The far stealthier of the two known Olympics hacking operations—and perhaps the most troubling—has quietly targeted South Korean Olympics-related organizations for well over a month. Researchers for security firm McAfee discovered just this week that the campaign, which they've named Operation GoldDragon, has attempted to plant three distinct spyware tools on target machines that would enable hackers to deeply scour the compromised computers' contents. McAfee identifies those malicious tools by the names GoldDragon, BravePrince, and GHOST419.


The firm's researchers say they've linked those malware samples to a phishing campaign that lures victims with Korean-language emails, indicating South Korean targets. The messages, which spoof a note from South Korea's National Counter-Terrorism Center—and, according to McAfee, were timed to actual terrorism drills in Pyeongchang—were sent to a BCC'd list of more than 300 Olympics-related recipients, McAfee says, with only the address "icehockey@pyeongchang2018.com" visible in the "to" line. Analyzing the email's metadata, however, McAfee identified other intended victims, including local tourism organizations in Pyeongchang, ski resorts, transportation providers, and key departments of the Pyeongchang Olympics effort.

The hackers attached a Korean-language Word document to the email, crafted to run a malicious script on the target machine. If the victim clicked "enable content" after opening that tainted attachment, they would give the attacker remote access to the computer. The attackers could use that initial, temporary foothold to install their spyware for more persistent visibility into any hacked machine. McAfee notes that the script is hidden in an innocent-looking image file using steganography and other obfuscation tactics.

McAfee traced the phishing scheme to a remote server in the Czech Republic, registered with fake credentials to a South Korean government ministry. And they found publicly accessible logs on that remote server that showed victim machines were in fact connecting to it from South Korea, a sign of actual infections. "Was this a successful campaign? The answer is yes," says McAfee chief scientist Raj Samani. "We know that it's had victims."

Despite all of those findings, the origin and the ultimate aim of that relatively sophisticated malware campaign remain unclear. But based on the Korean language and targeting, Samani hints that his working theory points to a North Korean espionage operation keeping tabs on its southern neighbor.

That spying may seem to run counter to a recent thawing of diplomatic relations between the two Koreas, one that has even produced a combined national women's hockey team drawn from both countries. But North Korea likely wouldn't call off its aggressive hacking over a momentary olive branch. "I would guess it's a 'keep your friends close and your enemies closer' approach," Samani says.

Anti-Doping Bears

A far louder and more explicit hacker threat has come from a notorious outfit linked with the Kremlin's GRU military intelligence agency, known as Fancy Bear, or APT28—according to many security researchers, almost certainly the same Fancy Bear that hacked the Democratic National Committee and Clinton campaign in the midst of the 2016 election.


Since as early as September of that year, those brazen hackers have repeatedly targeted athletic organizations, with the intent of exposing evidence of what they claim is widespread doping in Western countries, an apparent retaliation for the ban of Russian athletes from the 2016 and 2018 games for the same charge. "We will start with the US team which has disgraced its name by tainted victories," the hackers wrote in a message on their website when they first began leaking documents from the World Anti-Doping Association in September of 2016. "Wait for sensational proof of famous athletes taking doping substances any time soon."