0:00

Hi, I'm Rian Levy.

0:09

Welcome to

0:12

Cyberism's Malicious Life.

0:28

It's November 28, 2017 and the city of Pyeongchang

0:30

is bustling with activity. In

0:36

a little more than three months, the beautiful

0:39

mountainous South Korean city will

0:41

host the opening ceremony of the 2018 Winter

0:45

Olympics and thousands of athletes,

0:48

journalists and fans will flood

0:50

its streets, ski lanes and world

0:53

famous Buddhist temples.

0:55

No one is probably more busy

0:58

than the members of the Pyeongchang

1:00

Organizing Committee, who are responsible

1:03

for the preparations.

1:04

The Winter Olympics is one of

1:07

the biggest sporting events in the world

1:09

and they have been working hard towards this

1:11

event for the past 6 years.

1:14

After all, South Korea's national

1:16

pride is on the line. Millions

1:18

of people from all over the world will

1:21

be tuning in to watch the opening

1:23

ceremony the following events.

1:28

While all this commotion and nectivity

1:31

was going on,

1:32

an email landed in the mailboxes

1:34

of 30 people.

1:36

Some were members of the organizing

1:38

committee, others were Olympic

1:41

partners, employees of organizations

1:43

and businesses that worked with the

1:46

organizing committee, such as two local

1:48

ski resorts and the company which

1:51

provided the official timekeeping

1:53

service of the games. The

1:54

email, titled List of Delegates,

1:57

was from none other than the Vice-Pris-

2:00

president of the International Olympics

2:02

Committee. It's safe to assume that

2:04

most, if not all, of the recipients

2:07

of this email opened

2:08

it.

2:10

A.zip file was attached

2:12

to the email containing a Microsoft

2:15

Word document, which supposedly

2:17

held the actual list of VIP

2:19

delegates to the games. But

2:22

when the recipients tried to open the

2:24

document, they were presented with garbled

2:27

and gibberish text. Ah,

2:30

it's probably an encoding problem. You

2:32

know how it is. Sometimes it's hard

2:34

to get vastly different languages,

2:37

such as English and Korean, to play

2:39

nicely in the same document.

2:42

Luckily, a button appeared at

2:44

the top of the document, labeled Enable

2:47

Content. That will surely

2:50

fix the problem.

2:53

Since you're listening to a podcast

2:55

about cyber security, I don't

2:57

think I need to tell you that clicking

3:00

on that button was a very, very

3:02

bad idea. But apparently,

3:05

at least some of the recipients did. And

3:08

unsurprisingly, pressing the button executed

3:11

a PowerShell script that downloaded

3:13

and executed a second malware that

3:16

planted a backdoor in the system. For

3:20

the next three months, hundreds of

3:23

similar emails were sent to

3:25

many people who were somehow involved

3:27

with the preparations towards the Winter

3:30

Olympics, such as the employees

3:32

of the South Korean Ministry of Agriculture,

3:35

Food and Rural Affairs, and employees

3:38

of the Korean Ministry of Public

3:40

Safety and Security.

3:42

Crucially, some of the emails landed

3:45

in the inboxes of two IT

3:47

companies, the companies which provided

3:50

the servers and networking equipment

3:52

which formed the computing infrastructure

3:55

for the games. Thousands of computers

3:58

supporting everything from ticketing

4:00

services to ski lifts.

4:03

In the weeks leading up to the games, one

4:05

of these IT companies struggled

4:08

with numerous glitches and mail

4:10

functions in their network.

4:12

But with a network so complicated,

4:15

such bugs and hitches are to

4:17

be expected and there was more than

4:19

enough Time to work out all the

4:22

kinks out of the system.

4:24

So nobody gave the glitches a

4:26

second thought.

4:44

And then, on February 9th, came

4:46

the moment everyone was eagerly

4:48

waiting for. the 2018 Winter

4:51

Olympics Opening Ceremony. And

4:54

as the bell rings here in the stadium, bells

4:57

ring all the way around Korea.

5:01

Ringing for peace and connecting

5:03

everyone to begin the festival. 35,000 excited

5:07

spectators filled the huge pentagonal

5:10

stadium and hundreds of cameras screened

5:13

the event

5:13

to viewers in more than 200 countries

5:16

all over the world. As the

5:18

enthusiastic crowd was chanting

5:21

the time-honored countdown towards

5:23

the start of the ceremony, a worm

5:26

was waking up somewhere inside

5:28

the Olympic network.

5:32

The malware scanned the computer it had

5:34

infected and scoured it for

5:36

user and browser credentials.

5:38

It then used the credentials it found to

5:40

log on to other computers on the network.

5:44

When the malware discovered new credentials

5:46

in a newly infected computer, it

5:48

compiled a new version of itself with

5:51

the augmented set of credentials and

5:54

used the new binary to infect

5:56

the next computer in line.

5:58

in all, it was an inc- incredibly

6:00

efficient method of propagation

6:03

in a confined environment such

6:05

as the Olympic Games Network. Once

6:08

an infected machine was fully compromised

6:11

and its credentials exfiltrated, the

6:13

malware sprung its malicious payload.

6:16

It wiped the computer's boot configuration

6:19

data and all backups, thus

6:21

crashing the computer and making it

6:24

unbootable. From Wired

6:26

Magazine, quote, As the

6:28

opening ceremony got underway, thousands

6:31

of fireworks exploded around the stadium

6:34

on queue and dozens of massive

6:36

puppets and Korean dancers entered

6:39

the stage.

6:40

San Jin Oh, director of technology

6:43

for the Pyeongchang Olympic organizing

6:45

committee,

6:46

saw none of it. He was

6:48

texting furiously with his staff

6:51

as they watched their entire IT

6:53

setup

6:54

go dark. As O

6:56

made his way out of the press section

6:58

towards the exit, reporters around

7:01

him had already began complaining

7:03

that the Wi-Fi seemed to have suddenly

7:06

stopped working.

7:07

Thousands of internet-linked TVs

7:09

showing the ceremony around the stadium

7:12

and in 12 other Olympic facilities

7:15

had gone black.

7:16

Every RFID-based security

7:18

gate leading into every Olympic

7:21

building was down. The Olympics

7:23

official app, including its digital

7:26

ticketing function, was broken too.

7:29

When it reached out for data from backend

7:31

servers, they suddenly had

7:33

none to offer. The

7:37

attack concentrated on a class of

7:39

computers called domain controllers,

7:42

the machines who controlled authentication

7:44

and authorization for many digital

7:47

services, from Wi-Fi to the

7:49

official Olympic apps. D

7:52

gates and skill lifts were disabled.

7:54

Hundreds of computers went dark. It

7:57

was the nightmare everyone in the

7:59

organized

8:00

committee was dreading. But

8:05

the South Koreans were not

8:07

caught off-guard.

8:09

South Korea has suffered many cyber

8:11

attacks from its totalitarian neighbor

8:13

and nemesis North Korea, and

8:16

so the threat of a cyber attack

8:18

during the Olympic Games was

8:20

always present during the planning. Within

8:23

minutes, the staffers at the Games

8:26

Technology Operations center sprang

8:28

into action. Using a temporary

8:30

workaround, they bypassed the dead

8:33

domain controllers and brought many

8:35

critical services, such as WiFi

8:37

and internet-linked TVs, back

8:40

online, just minutes before the

8:42

opening ceremony concluded and tens

8:44

of thousands of athletes and visitors

8:47

streamed out of the stadium. Later

8:49

that night, the engineers waged battle

8:52

with malware that crippled their network.

8:55

Every time a server was brought back

8:57

online, it quickly became infected

9:00

again and crashed. A local

9:02

security vendor quickly crafted an identifying

9:05

signature for the malware, but it

9:07

took a drastic measure, cutting

9:09

the entire Olympic network from the

9:11

internet for the tide to turn

9:14

in their favor.

9:15

Finally, by 8 am the following

9:17

morning, the battle was won. The

9:20

malware was cleared from the network and

9:22

all digital services resumed, just

9:25

in time for the first skating

9:27

and ski jumping events. In

9:29

fact, most of the participants weren't

9:32

even aware of what had happened during

9:34

the night and the games went on with

9:36

almost no interruptions. Ultimately,

9:39

the 2018 Winter Olympics was

9:42

globally praised for being impeccably

9:45

organized

9:45

and executed.

9:48

Some magnificent memories of the

9:51

past two and a half weeks. the

10:00

first to analyze the malware

10:02

where researchers from cisco's tell

10:04

us security division and they

10:06

were also the ones to give it its name

10:09

olympic destroy you

10:11

in the investigation they learned that

10:13

samples of the malware were uploaded

10:15

to virus total the malware

10:17

repository even as early as

10:20

two months prior to the attack itself

10:23

these samples it seems were uploaded

10:25

to the repository by an anonymous

10:27

member of the security team of

10:30

one of the to ip sub contractors

10:32

who worked in service of the south korean

10:34

olympic committee these

10:36

early samples revealed

10:38

the attackers spear fishing efforts

10:41

and to that the attack was

10:43

a classic supply chain attack

10:46

olympic

10:46

destroyer it was found infiltrated

10:49

the victim network via the to

10:51

ski resorts which served many

10:53

of the visitors and perhaps most

10:55

crucially the desktop computer

10:58

of the architect who actually designed

11:00

the games is network the

11:03

obvious question in everyone's minds

11:05

was who

11:06

was responsible for the attack

11:09

who

11:09

was vile enough to launch

11:11

such potentially destructive attack

11:14

against an event which more than anything

11:16

symbolizes peace and global

11:19

corporation who

11:20

wished to humiliate south

11:22

korea in front of the whole world

11:26

the obvious suspect was

11:28

north korea the ultimate bad

11:30

boy of global geopolitics

11:33

given

11:33

the long running anymore city

11:35

between the two koreas it

11:37

was easy to imagine kim jong on

11:39

ordering a cyber strike on the

11:41

winter olympics just to embarrass

11:44

the quote unquote evil capitalist

11:46

enemy and need

11:49

it didn't take long for crowd strike

11:51

a cyber security vendor to discover

11:53

striking similarities between

11:55

olympic destroyers file deletion

11:58

routines and code for

12:00

in malware created by North

12:02

Korea's notorious Lazarus

12:04

cybercrime group.

12:06

Another team of researchers, this time

12:08

from Kaspersky, found an

12:11

even more convincing piece of evidence.

12:13

It was a data structure called RichHeader

12:16

that appears in some of the files used

12:19

by the malware. This RichHeader

12:21

metadata consists of pairs

12:24

of 4-byte integers and

12:26

encodes information about the various

12:28

source files used in the compilation

12:31

tool who produced the binary.

12:34

Olympic Distory's rich header, they found,

12:36

was identical to a header that was

12:39

previously discovered in North

12:41

Korean malware.

12:43

This was the smoking gun

12:45

everyone was looking for. Case

12:48

closed. Except,

12:50

it didn't quite

12:53

make sense.

13:10

During the preparations for the Olympic

13:12

Games, the relationship between

13:14

the two Koreas actually seemed

13:16

to become more friendly.

13:18

Jim Jong-un invited South Korea's

13:21

president to visit Pyongyang and

13:23

sent his sister as a diplomatic

13:25

emissary to the Games.

13:27

The two countries even agreed to combine

13:30

their Olympic women's hockey teams

13:32

in a rare act of goodwill.

13:35

Sure, the North Koreans can seem

13:37

unpredictable at times, but

13:40

reaching out in a friendly handshake with

13:42

one hand while executing a crippling

13:45

cyber-attack with the other?

13:47

It was odd and illogical,

13:50

even by North Korean standards. And

13:53

so the investigation continued, and

13:56

the more it continued, the more bizarre

13:58

things seem to get. the into

14:00

their an israeli cyber security

14:03

vendor discovered code snippets

14:05

in olympic destroy that looked

14:07

as if they were crafted by a pity

14:09

three and a pity ten

14:11

to chinese hacking groups

14:14

and so at this point everyone

14:16

was scratching their heads trying

14:18

to make sense of the contradictory

14:20

data some

14:21

analysts pointed at north

14:23

korea others at china

14:26

if you even suspected the russians at

14:28

a hand in the attack but

14:30

no strong evidence for this was

14:33

uncovered will know that

14:35

attribution in cyber is

14:37

a hard problem but

14:39

this this

14:41

was a real mess

14:48

the best strategy for organizations

14:50

to avoid becoming a victim of

14:52

were somewhere is to prevent the

14:54

attack from being successful in

14:56

the first place cyber reason remains

14:59

undefeated in the fight against went

15:01

somewhere because it moved beyond

15:03

alerting to deliver an operation

15:05

centric approach that detects

15:07

and prevents ransom or attacks at the

15:10

earliest stages of initial

15:12

inglis and lateral move

15:14

the cyber reason predictive response

15:16

skip ability disrupts ransom or

15:18

attacks prior to data exploration

15:21

and long before the ransom where payload

15:24

can be delivered visit cyber

15:26

isn't dot com to learn more

15:28

about predictive where summer protection

15:30

and how your organization can realize

15:33

both increased efficiency and

15:35

efficacy through an operation centric

15:37

approach to security operations

15:49

there

15:49

is something important you need

15:51

to know about which haters

15:53

not a lot of people know about

15:55

them there's

15:56

no official documentation

15:58

about which headers

16:00

which makes it hard for researchers

16:02

to learn about the information

16:04

they contain, plus they're

16:06

rarely useful in malware analysis,

16:09

so for the most part, only automated

16:11

tools use these headers when classifying

16:14

newly discovered malware.

16:17

But here and there, there are people

16:19

who like to dig deeper into the

16:21

inner workings of such obscure data

16:23

structures, and Igor Sumenkov

16:26

is one of them. Sumankov is

16:28

a researcher at Kaspersky and

16:31

in an interview to Kaspersky's Tomorrow

16:33

Unlocked YouTube channel, he recalled

16:36

hearing his colleagues discussing the perfect

16:38

match between Olympic Distoir's

16:40

Rich Hedder and Heather's found

16:43

in North Korean malware. Quote,

16:45

I remember just sitting in the office

16:48

analyzing some malware and my

16:50

colleague was talking to someone else

16:53

and saying, hey,

16:53

well, there's something going on

16:56

and you know, we found a match, I

16:58

think we can relate it to another attack.

17:01

And he's saying, well, there's a rich

17:03

header.

17:04

It completely matched.

17:06

And I'm thinking, well, that's

17:08

not really possible.

17:09

You're not getting a complete match on

17:12

the rich header.

17:13

So I'm thinking, well, no, that can't

17:15

be real. Give me the samples."

17:19

Why was Sumankov suspicious

17:22

of the perfect match between the header

17:24

found in Olympic destroyer and

17:26

a header found in a North Korean

17:29

malware. Well recall

17:31

that rich headers encode information

17:33

about the source files present during

17:35

the malware's compilation process.

17:38

This encoding is very sensitive

17:40

to change, meaning that if we

17:43

add or remove even a single source

17:45

file, the resulting header will

17:47

change as well.

17:49

It is the same butterfly effect that

17:51

makes hashes so effective in detecting

17:54

file changes. even a single

17:56

bit of information in a file will bring

17:59

about a relatively

18:00

major change in the calculated

18:02

hash.

18:03

And although rich headers are somewhat less

18:05

sensitive to changes, Sumenkov

18:08

knew that it's highly implausible

18:10

that any two malware's would produce

18:13

exactly the same header.

18:16

And indeed, when Sumenkov analyzed

18:18

olympic destroyer's header, it didn't

18:20

take him long to realize that something

18:23

was seriously wrong. The

18:25

header contents made it seem as if the

18:28

malware was compiled using Microsoft's

18:30

Visual Studio 6, yet referenced

18:33

a file, mscoree.dll,

18:36

which did not exist in this version

18:39

of Visual Studio.

18:41

A more in-depth analysis of the header revealed

18:43

to Simenkov that Olympic Destroyer

18:46

was actually compiled using Visual

18:48

Studio 2010.

18:50

This could only mean one thing.

18:53

The original header was a fake,

18:56

a ruse. The malware authors lifted

18:58

a header from an existing malware and

19:01

copied it into theirs in order to

19:03

convince the researchers that Olympic

19:05

Destroyer was created by the North Korean

19:08

Lazarus Group.

19:09

And it almost worked, too.

19:12

Had Igor Sumonkov gone to

19:14

grab a cup of coffee or go

19:16

to the toilet instead of overhearing his

19:19

colleagues speaking about their find

19:21

in Olympic Destroyer? This faint

19:24

might have been a success. "'To

19:26

our knowledge, the evidence we were able

19:28

to find was not previously used

19:31

for attribution,' wrote Vitali

19:33

Kamlok, head of the APAC

19:35

research team, in a statement released

19:38

by Kaspersky. Yet the attackers

19:40

decided to use it, predicting that someone

19:43

would find it. They counted on the fact

19:46

that forgery of this artifact is

19:48

very hard to prove.

19:49

It's as if a criminal had stolen someone

19:52

else's DNA and left it at

19:54

the crime scene instead of their own.

19:56

We discovered and proved that the DNA

19:59

found

20:00

the crime scene was dropped there

20:02

on purpose.

20:03

All this demonstrates how much effort

20:05

attackers are ready to spend in

20:07

order to stay unidentified for

20:10

as long as possible.

20:12

We've always said that attribution

20:14

in cyberspace is very hard,

20:16

as lots of things can be faked,

20:19

and Olympic Destroyer is a

20:21

pretty precise illustration of this.

20:28

Equipped with this new knowledge, Kaspersky's

20:31

researchers re-examined some of the

20:33

samples of the malware discovered

20:35

in one of the game's IT subcontractors.

20:38

They came across a version of Olympic

20:41

Destroyer that was compiled on

20:43

the very day of the opening ceremony

20:46

at about 11am. This

20:48

version had one of the malware's features

20:51

removed, a 60 minutes delay

20:53

between the initial infection and

20:56

the final shutdown of the machine.

20:58

It seems that two hours prior an

21:01

earlier version of the worm was unleashed

21:03

in one of the ski resorts and

21:05

following this quote unquote test run,

21:08

its authors realized that the

21:10

delay feature was a bad

21:12

idea for some reason. They

21:15

hurriedly compiled a new version of

21:17

the worm without that delay, but

21:20

in their rush forgot to paste the

21:22

fake header.

21:23

And indeed in this version of the worm,

21:26

the rich header was very different

21:28

from the fake one, proving that

21:30

Igor Simenkov was right.

21:34

Although it was possible that this was

21:36

a North Korean double bluff, planting

21:39

fake evidence against itself to

21:41

make it seem as if it was being

21:43

framed, most researchers didn't

21:46

believe this to be the case and

21:48

saw Somenkov's discovery as

21:50

a convincing argument for North Korea's

21:53

innocence. if the Lazarus

21:55

Group wasn't to blame for the attack

21:58

on the Winter Olympics.

22:00

Then, who was?

22:09

Michael Matonis, a researcher from

22:11

FireEye, took a different approach

22:13

to investigating Olympic Destroyer.

22:16

While most researchers focused

22:18

on the malware itself, Matonis

22:20

decided to zoom in on the Microsoft

22:23

Word files that were attached to the

22:25

phishing emails sent to the various

22:27

Olympic committee members and partners

22:30

back in November and December

22:32

of 2017, during the reconnaissance phase

22:36

of the attack.

22:37

One file he examined contained a

22:40

macroscript that planted a backdoor

22:42

in the victim's computer.

22:44

But this malicious script was generated

22:47

using an open source tool, so this

22:49

avenue of investigation led him

22:52

nowhere.

22:53

But digging deeper into the metadata

22:55

of the document, Matonis found

22:58

an IP address, an address he

23:00

learned that was identical to

23:02

the IP address that Olympic Destroyer

23:05

itself was using to communicate

23:08

with its command and control servers.

23:11

Matonis combed through FireEye

23:13

databases and found two more

23:15

malicious Word files who had the same

23:17

exact IP address embedded

23:20

in the metadata. files

23:22

were from 2017, a full

23:25

year before the Winter Olympics

23:27

cyberattack, and crucially, they

23:30

were part of a campaign against

23:32

Ukrainian civil rights groups and

23:34

similar organizations.

23:39

Matanis immediately realized

23:41

the significance of his find.

23:43

Having the same IP address in all

23:45

the malicious documents meant that the

23:47

attackers were using the same infrastructure

23:50

in both attacks, and the only country

23:53

that had a reason to attack both Ukraine

23:55

and the Olympic Games

23:57

was Russia. digging even

24:00

deeper into the case mcdonalds

24:02

and covered a domain name that was linked

24:04

to one of the ip addresses he found

24:06

in the documents account dash

24:09

logging serve dot com this

24:11

domain ring a bill

24:14

from thomas a

24:16

year or so earlier in august

24:18

of two thousand and sixteen the f

24:20

b i released an ember flesh

24:22

alert and emergency noticed the

24:25

bureau sense to private organizations

24:27

were targeted by cybercriminals

24:30

titled targeting activity against

24:32

state board of elections systems

24:35

the alert be field attacks against

24:37

the voters systems have to unnamed

24:39

states probably in an attempt to

24:42

influence that year's election race between

24:44

hillary clinton and donald

24:46

trump

24:47

a two state were later identified

24:49

as illinois and arizona the

24:52

illinois attack was successful and

24:54

the hackers managed to download the personal

24:56

data have some two hundred thousand

24:59

voters as part

25:01

of the fishing campaign that preceded

25:03

the breach the hackers used

25:05

spoofed emails pretending to come

25:07

from vr systems are voting

25:10

tech company to trick election

25:12

officials and the links in

25:14

these emails lead to a fake

25:16

login page

25:17

hosted on you guessed it

25:20

account dash logging serve

25:22

dot com this finding

25:24

was the be smoking gun that not

25:27

on his was looking for russia

25:29

was infamous from its attempts at

25:31

meddling with the us elections so

25:34

this was more than enough evidence

25:36

to confidently tribute the

25:39

olympic games attack to rush

25:49

it's

25:49

two thousand and ten eight

25:51

years prior to the pyong

25:53

winter games vitale

25:55

step enough was working for

25:57

all sadder the russian anti do

26:00

agency.

26:01

Rusada's official mission statement

26:03

was to combat the use of drugs

26:05

in sports, but it didn't take

26:07

long for Vitaly, who served

26:10

in several roles in the organization, including

26:12

as an advisor to the agency's

26:15

director, to realize that

26:17

Rusada was not only turning

26:19

a blind eye to cheating Russian

26:22

athletes, it was actually enabling

26:25

such cheating.

26:26

In an interview for the Evening Standard

26:29

he recalled that quote, I thought

26:31

I was part of a team to fix this.

26:34

I then understood I was part of this

26:36

bigger mechanism that has no belief

26:38

in clean sport.

26:40

They need medals, and as many

26:42

medal winners in as many possible

26:44

sports, especially Olympic

26:47

sports.

26:49

This bigger mechanism was

26:51

an organized systematic effort by

26:54

the Russian government, sports officials,

26:56

medals and coaches to help

26:58

their athletes cheat in international

27:01

competitions.

27:03

It began following the 2010 Winter

27:06

Olympics, in which the Russian

27:08

team failed to win enough

27:10

medals.

27:11

Russian athletes were given a special

27:14

concoction of drugs nicknamed the

27:16

Duchess after a popular Russian drink,

27:19

which they then swished in their mouths

27:21

rather than drinking or injecting

27:23

it. chemicals were quickly

27:25

absorbed by the thin inner lining

27:28

of the cheeks and were just as quick

27:30

to disappear from the bloodstream.

27:33

If a drug test came out positive

27:35

after all, the result was reported

27:37

to the Russian Deputy Minister of Sports,

27:40

who decided on the proper action.

27:43

If the athlete in question was talented

27:46

and promising, the incriminating

27:48

evidence would be removed from

27:51

Rusada's computer records.

27:53

During his conscious, Vitaly contacted

27:56

Wada, the world anti-doping

27:58

agency, set up a national

28:00

by the International Olympic Committee

28:02

and sent literally hundreds of emails

28:05

and letters detailing his government's

28:08

wrongdoings. But after three

28:10

years of failing to get Wada to

28:12

take his claims seriously, Vitaly

28:15

reached out to a German journalist who

28:17

agreed to investigate the matter.

28:20

Vitaly had a close ally

28:22

in his fight against organized doping,

28:25

Yulia Stepanova, his wife.

28:28

Julia was a runner, specializing

28:30

in the 800-meter track event. Starting

28:34

in 2007, her coach persuaded her to take

28:36

banned steroids, telling her that everyone

28:39

was doing the same and that doping

28:41

was the only way to succeed. And

28:44

indeed, Julia's results improved

28:46

dramatically, earning her a bronze medal

28:49

in the 2011 European Athletic

28:52

Indoor Championships in Paris. But

28:55

two years later, after she failed

28:57

a drug test, Yulia was banned

29:00

from all international competitions for

29:02

two years and stripped of

29:04

her medal. Angry and

29:06

disillusioned, Yulia joined her husband's

29:09

efforts and began to secretly

29:11

record Russian officials, doctors

29:14

and athletes talking about the

29:16

state-sponsored scheme to subvert

29:18

Wada's anti-doping efforts. The

29:21

couple's personal testimony, along

29:24

with Yulia's clandestine recordings,

29:26

were aired in 2014 in a German TV documentary.

29:31

The public's outcry was loud enough to

29:34

force Wada to launch a thorough

29:36

investigation, whose results stunned

29:39

everyone. Except the Russians, obviously.

29:42

It turns out that the number of quote-unquote

29:45

suspicious blood and urine samples

29:47

from Russian athletes exceeded

29:50

those of all other countries by

29:52

a notable margin, to put it mildly.

29:55

Vitaly and Yulia fled Russia a

29:57

short time prior to the airing of the documentary.

30:00

of course.

30:02

The rolling snowball, set in motion by

30:04

the brave couple, ended with

30:06

a decision by the International Olympic

30:08

Committee to ban Russia from participating

30:11

in the 2018 Winter Olympics.

30:15

Russian officials, as well as athletes

30:17

accused of cheating, were not permitted

30:20

to take part in the games.

30:22

Those who were allowed to compete did

30:24

so under the neutral Olympic

30:26

flag.

30:27

When a Russian athlete made it to the podium,

30:29

it was the Olympic anthem that was

30:32

played during the ceremony, rather

30:34

than the Russian one.

30:37

Unsurprisingly, many Russians were

30:40

furious with the Olympics Committee's decision,

30:43

seeing it as a humiliating act

30:45

against the Russian people.

30:47

Among them were six officers

30:49

of the GRU, the Russian Military

30:52

Intelligence Agency. They were

30:54

Sergei Detistov, the group's

30:57

captain, and his five subordinates,

30:59

Yuri Adrienko, Pavel Frolov,

31:02

Antoni Kovalov, Artem Ochichenko,

31:04

and Peter Pliskin. These

31:07

six men were no ordinary

31:09

military officers, though. They were

31:11

part of a notorious hacking group known

31:14

to the world by many names. Some

31:16

called them Iron

31:17

Viking, others known them as

31:19

Televots, Voodoo Bear, or Sandwar.

31:23

Internally in the Russian military, they

31:25

are known as Unit 74455. Although

31:31

our podcast's 200 plus

31:34

episodes might give the opposite

31:36

impression, the history of cyberwar

31:39

is rather short.

31:40

Nevertheless, Unit 74455 is

31:44

responsible for many of the more

31:46

well-known attacks of the past 15 years or so.

31:50

For example, its hackers were the ones who,

31:53

in a world first, attacked the

31:55

Ukrainian power grid in 2015 and 2016. also

32:00

responsible for Natpetya,

32:02

one of the most damaging and costliest

32:05

malware ever created.

32:07

We covered both stories in previous episodes

32:09

of Malicious Life.

32:12

In November 2017, Sergei

32:15

and his colleagues turned their sights

32:18

on the Olympics. Call it revenge,

32:21

or call it the actions of a quote-unquote,

32:23

a petulant child with the resources

32:26

of a nation-state, as the US

32:28

Department of Justice Assistant Attorney

32:30

General John Demers put it, the

32:33

six men were determined to

32:35

ruin the Olympics for everyone.

32:43

If by launching such a brazen

32:45

and potentially destructive attack, Russia

32:48

was hoping to persuade International

32:50

Olympic Committee to stop inquiring

32:53

too deeply into doping allegations,

32:56

it seems that the message didn't

32:58

have the effect the Russians were hoping

33:01

for. In 2018, the

33:03

World Anti-Doping Agency once

33:05

again banned Russia from participating

33:08

in the Olympic Games for four

33:10

more years when it was revealed that

33:12

the Russians were cheating even during

33:15

the the 2014 Sochi

33:17

Winter Olympics itself by

33:19

swapping positive drug samples with

33:22

clean ones through a tiny hole

33:24

in the sporting event's anti-doping

33:26

laboratory.

33:27

This ban was later shortened to

33:30

two years, but the Russians were

33:32

still excluded from the 2022 Tokyo

33:35

Olympic Games and the 2022 Beijing

33:38

Olympic Winter Games.

33:41

The US, in turn, also sent

33:43

Russia a message of its own.

33:46

In July 2018, Special

33:48

Counsel Robert Mueller unsealed

33:50

an indictment against the six men of

33:53

Unit 74455.

33:56

So again, Yuri and their pals

33:58

now have a 10 million...

34:00

dollar prize on their heads.

34:05

Looking back, the joint efforts

34:07

of Kaspersky, Talos, FireEye

34:10

and Intezer might help explain a

34:12

puzzling statement released by the

34:14

Russian Foreign Ministry two days

34:17

before the attack on the 2018 Winter Games. Quote,

34:22

It is known to us that Western mass media

34:24

are planning to throw in a pseudo-investigation

34:27

on the theme of the Russian trace in

34:30

hacker attacks on information

34:32

resources connected with conducting

34:34

the Winter Olympics in South Korea,"

34:37

said the Russian statement. As

34:39

before, no kind of evidence will

34:41

be presented to the world."

34:45

Weird

34:45

isn't it? Why would

34:48

the Russian government deny involvement

34:50

in an attack that was yet to

34:53

occur?

35:12

That's

35:14

it for this episode. Thank you for

35:17

listening. Malicious Life is produced

35:19

by PI Media. This episode

35:21

was written by me and edited by

35:24

our distinguished senior producer, Nate

35:26

Nelson. Sareet Kuzman does

35:28

our social media. Our website is

35:31

malicious.life. You can find us

35:33

on Twitter at at Malicious Life or

35:35

me at at RANLEVI. That's

35:38

R-A-N-L-E-V-I. Thanks

35:41

to Cyber Reason for underwriting

35:42

the podcast. Learn more at cyberreason.com.

35:46

bye-bye