Russian hackers, with hardly a shred of deniability, have targeted the Pyeongchang Olympics for months in retaliation for the country's doping ban, stealing and leaking documents from Olympics-related organizations. Now a more insidious attack has surfaced, one designed not to merely embarrass, but disrupt the opening ceremonies themselves. And while neither Olympics organizers nor security firms are ready to point the finger at the Kremlin, the hackers seem to have at least left behind some calling cards that look rather Russian.

Over the weekend, the Pyeongchang Olympics organizers confirmed that they're investigating a cyberattack that temporarily paralyzed IT systems ahead of Friday's opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets. (While Intel also scrubbed its planned live drone show during the opening ceremonies, the Pyeongchang organizing committee said in a statement that the cause was "too many spectators standing in the area where the live drone show was supposed to take place," rather than malware.)

Now security researchers at Cisco's Talos division have released an analysis of a piece of sophisticated, fast-spreading malware they're calling Olympic Destroyer, which they believe was likely the cause of that outage.

"It was effectively a worm within the Olympic infrastructure that caused a denial-of-service attack," says Talos researcher Warren Mercer.

According to a detailed blog post the Talos researchers published Monday morning, Olympic Destroyer is designed to automatically jump from machine to machine within a target network and destroy certain data on each computer, including part of its boot record, rebooting devices and then preventing them from loading. "It turns off all the services, the boot information is nuked, and the machine is disabled," says Talos research director Craig Williams.

Talos points out that Olympic Destroyer's disruptive tactics and spreading methods resemble NotPetya and BadRabbit, two pieces of Ukraine-targeting malware seen in the last year that the Ukrainian government, the CIA, and other security firms have all tied to Russian hackers.

But strangely, unlike those earlier malware attacks, this latest sample destroys only backup data on victim machines, while leaving the rest of the PC's hard drive intact. The malware's real target, the Talos researchers believe, was any data stored on servers that infected PCs could reach on the network; Olympic Destroyer would permanently corrupt those server-side files. That approach may have been designed for a faster, stealthier form of data destruction while still potentially leaving functioning malware infections behind on some victim machines, allowing the hackers to maintain access. "It might have been an optimization," says Williams. "They wanted to do as much damage as they could, as fast as they could." As a result, however, the Olympic organizers were able to get their systems working again within 24 hours, compared with NotPetya victims who in many cases permanently lost tens of thousands of computers and took weeks to fully recuperate.

When WIRED reached out to the International Olympic Committee for comment, the IOC referred the inquiry to the local Pyeongchang Organizing Committee, which hasn't responded. In other reports, however, organizers have declined to name any potential suspects or motives behind the attack.

The Talos researchers say they obtained the Olympic Destroyer malware when it was detected and uploaded by the company's security products, though the researchers haven't revealed the exact origin of the code. But as evidence that it did in fact target Olympics infrastructure specifically, they point to a list of 44 usernames and passwords included in the malware's code, all for accounts on PyeongChang2018.com, the Olympics' domain. With those accounts as a starting point, the malware then spread using legitimate Windows administration tools, PsExec and Windows Management Instrumentation (WMI), which allow one machine to run commands on another, and then scoured the next target machine's browser data and system memory for more credentials. "It comes in with 44 logins, and then as it compromises machines it pumps more and more user data out of them," says Williams.
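The spreading pattern described above leaves a recognizable trail in Windows event logs: a remote service installation when PsExec is used, a process spawned by the WMI provider host when WMI is used, and one source host authenticating with many different accounts as the worm works through its stolen credential list. The following is an added example, written for this page and not code from Talos or from the original article, that runs those three checks over a handful of constructed, simplified Security and System event records (JSON lines; the field names mirror the Windows event fields but are trimmed, and the host names, addresses, account names and the fan-out threshold of five accounts are assumptions for illustration):

```python
"""Lateral-movement heuristics for the PsExec / WMI / credential-reuse
pattern described in the article. Added example; not Talos's code.

Checks, over simplified Windows event records:
  1. System event 7045 (new service) whose name or image is PSEXESVC,
     the service PsExec drops on the remote host.
  2. Security event 4688 (process creation) whose parent is WmiPrvSE.exe,
     i.e. a process started through a WMI call.
  3. Security event 4624 network logons (LogonType 3) where a single source
     address authenticates as many distinct accounts, consistent with a worm
     seeded with a list of stolen credentials.
All sample data below is constructed; field names are simplified.
"""
import json
from collections import defaultdict

# Constructed sample records (assumed host names, addresses and accounts).
SAMPLE_EVENTS = r"""
{"event_id": 7045, "host": "ws-ticketing-01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"event_id": 4688, "host": "ws-ticketing-01", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"event_id": 4688, "host": "ws-ticketing-01", "NewProcessName": "C:\\Windows\\explorer.exe", "ParentProcessName": "C:\\Windows\\System32\\userinit.exe"}
{"event_id": 4624, "host": "ws-ticketing-01", "LogonType": 3, "TargetUserName": "svc_display", "IpAddress": "10.20.30.5"}
{"event_id": 4624, "host": "ws-ticketing-01", "LogonType": 3, "TargetUserName": "svc_wifi", "IpAddress": "10.20.30.5"}
{"event_id": 4624, "host": "ws-ticketing-01", "LogonType": 3, "TargetUserName": "it_helpdesk", "IpAddress": "10.20.30.5"}
{"event_id": 4624, "host": "ws-ticketing-01", "LogonType": 3, "TargetUserName": "ops_venue", "IpAddress": "10.20.30.5"}
{"event_id": 4624, "host": "ws-ticketing-02", "LogonType": 3, "TargetUserName": "media_kiosk", "IpAddress": "10.20.30.5"}
{"event_id": 4624, "host": "ws-ticketing-02", "LogonType": 3, "TargetUserName": "admin_press", "IpAddress": "10.20.30.5"}
{"event_id": 4624, "host": "ws-ticketing-01", "LogonType": 2, "TargetUserName": "kim.j", "IpAddress": "127.0.0.1"}
{"event_id": 4624, "host": "fs-media-01", "LogonType": 3, "TargetUserName": "backup_op", "IpAddress": "10.20.31.9"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_psexec_services(events):
    """Return (host, service name) for 7045 events that look like PsExec's service."""
    hits = []
    for e in events:
        if e.get("event_id") != 7045:
            continue
        name = e.get("ServiceName", "")
        image = e.get("ImagePath", "")
        if "PSEXESVC" in name.upper() or "PSEXESVC" in image.upper():
            hits.append((e["host"], name))
    return hits


def find_wmi_spawns(events):
    """Return (host, child process) for 4688 events whose parent is WmiPrvSE.exe."""
    hits = []
    for e in events:
        if e.get("event_id") != 4688:
            continue
        parent = e.get("ParentProcessName", "").lower()
        if parent.endswith("\\wbem\\wmiprvse.exe"):
            hits.append((e["host"], e.get("NewProcessName", "")))
    return hits


def find_credential_fanout(events, threshold=5):
    """Map source address -> sorted distinct accounts used over network logons,
    keeping only sources at or above the (assumed) threshold."""
    users_by_source = defaultdict(set)
    for e in events:
        if e.get("event_id") == 4624 and e.get("LogonType") == 3:
            users_by_source[e.get("IpAddress", "?")].add(e.get("TargetUserName", "?"))
    return {src: sorted(users) for src, users in users_by_source.items()
            if len(users) >= threshold}


def analyze(text, threshold=5):
    """Run all three checks over a block of JSON-lines event records."""
    events = parse_events(text)
    return {
        "psexec_services": find_psexec_services(events),
        "wmi_spawns": find_wmi_spawns(events),
        "credential_fanout": find_credential_fanout(events, threshold),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

On the constructed records, the first check flags the PSEXESVC service on ws-ticketing-01, the second flags cmd.exe spawned under WmiPrvSE.exe (the explorer.exe launch under userinit.exe is ignored), and the third flags 10.20.30.5 for authenticating as six different accounts while the single backup_op logon from 10.20.31.9 stays below threshold. None of these signals is conclusive alone, since administrators use PsExec and WMI legitimately, but the three together from one source in a short window is the shape a credential-seeded worm leaves behind.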