A close analysis of the code that took down part of the 2018 Winter Olympics computer network reveals a cunning plan to seemingly falsely pin the blame on North Korea.

On the first day of the games in Pyeongchang, South Korea, the main website crashed, Wi-Fi networks around the events became unusable, and data was wiped from servers by malware later dubbed Olympic Destroyer. IT security outfits had warned of a cyber-assault looming before the event, after a phishing campaign was spotted, and the attack was beaten off rather quickly.

In the weeks that followed, several analyses suggested that the attack was the work of the North Korean state-sponsored hacking team known as the Lazarus Group. However, a study by Kaspersky Lab engineers suggests that Lazarus didn’t write the code, despite appearances to the contrary.

Vitaly Kamluk, head of the APAC research team at Kaspersky Lab, told the antivirus biz’s Security Analysts Summit this week that the misattribution was understandable. The data wiping part of Olympic Destroy looks, at first glance, exactly the same as the Lazarus Group wiper used in the Bluenoroff malware responsible for the $81m cyber-heist against the Central Bank of Bangladesh last year – even down to the header.

“We can say with 100 per cent confidence that the attribution to Lazarus is false,” he said.

But the wiper function’s Rich header, which contains some metadata, included hints to the development environment the code was written in. The Olympic Destroyer code showed it was developed using Visual Studio 10 and made to look as though the code was the same as the C++-written Bluenoroff.

“The only reasonable conclusion that can be made is that the Rich header in the wiper was deliberately copied from the Bluenoroff samples; it is a fake and has no connection with the contents of the binary,” Kaspersky's technical report on the matter states.

“It is not possible to completely understand the motives of this action, but we know for sure that the creators of Olympic Destroyer intentionally modified their product to resemble the Bluenoroff samples produced by the Lazarus group.”

So who did write the code? Kamluk said he didn’t know for sure, but that some of the methods of propagation and the VPNs used in the attack could link it to the Russian state-sponsored APT28 group.

Costin Raiu, Kaspersky’s director of global research and analysis, warned the conference that attribution is going to get tricky in the next couple of years. Security firms are building code databases that could automate the attribution of malware samples, but at the same time coders are getting smarter and we could see similar false flag operations in the future. ®