Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
Use Ctrl + F to search
0:00
Hi, I'm Rian Levy.
0:09
Welcome to
0:12
Cyberism's Malicious Life.
0:28
It's November 28, 2017 and the city of Pyeongchang
0:30
is bustling with activity. In
0:36
a little more than three months, the beautiful
0:39
mountainous South Korean city will
0:41
host the opening ceremony of the 2018 Winter
0:45
Olympics and thousands of athletes,
0:48
journalists and fans will flood
0:50
its streets, ski lanes and world
0:53
famous Buddhist temples.
0:55
No one is probably more busy
0:58
than the members of the Pyeongchang
1:00
Organizing Committee, who are responsible
1:03
for the preparations.
1:04
The Winter Olympics is one of
1:07
the biggest sporting events in the world
1:09
and they have been working hard towards this
1:11
event for the past 6 years.
1:14
After all, South Korea's national
1:16
pride is on the line. Millions
1:18
of people from all over the world will
1:21
be tuning in to watch the opening
1:23
ceremony the following events.
1:28
While all this commotion and nectivity
1:31
was going on,
1:32
an email landed in the mailboxes
1:34
of 30 people.
1:36
Some were members of the organizing
1:38
committee, others were Olympic
1:41
partners, employees of organizations
1:43
and businesses that worked with the
1:46
organizing committee, such as two local
1:48
ski resorts and the company which
1:51
provided the official timekeeping
1:53
service of the games. The
1:54
email, titled List of Delegates,
1:57
was from none other than the Vice-Pris-
2:00
president of the International Olympics
2:02
Committee. It's safe to assume that
2:04
most, if not all, of the recipients
2:07
of this email opened
2:08
it.
2:10
A.zip file was attached
2:12
to the email containing a Microsoft
2:15
Word document, which supposedly
2:17
held the actual list of VIP
2:19
delegates to the games. But
2:22
when the recipients tried to open the
2:24
document, they were presented with garbled
2:27
and gibberish text. Ah,
2:30
it's probably an encoding problem. You
2:32
know how it is. Sometimes it's hard
2:34
to get vastly different languages,
2:37
such as English and Korean, to play
2:39
nicely in the same document.
2:42
Luckily, a button appeared at
2:44
the top of the document, labeled Enable
2:47
Content. That will surely
2:50
fix the problem.
2:53
Since you're listening to a podcast
2:55
about cyber security, I don't
2:57
think I need to tell you that clicking
3:00
on that button was a very, very
3:02
bad idea. But apparently,
3:05
at least some of the recipients did. And
3:08
unsurprisingly, pressing the button executed
3:11
a PowerShell script that downloaded
3:13
and executed a second malware that
3:16
planted a backdoor in the system. For
3:20
the next three months, hundreds of
3:23
similar emails were sent to
3:25
many people who were somehow involved
3:27
with the preparations towards the Winter
3:30
Olympics, such as the employees
3:32
of the South Korean Ministry of Agriculture,
3:35
Food and Rural Affairs, and employees
3:38
of the Korean Ministry of Public
3:40
Safety and Security.
3:42
Crucially, some of the emails landed
3:45
in the inboxes of two IT
3:47
companies, the companies which provided
3:50
the servers and networking equipment
3:52
which formed the computing infrastructure
3:55
for the games. Thousands of computers
3:58
supporting everything from ticketing
4:00
services to ski lifts.
4:03
In the weeks leading up to the games, one
4:05
of these IT companies struggled
4:08
with numerous glitches and mail
4:10
functions in their network.
4:12
But with a network so complicated,
4:15
such bugs and hitches are to
4:17
be expected and there was more than
4:19
enough Time to work out all the
4:22
kinks out of the system.
4:24
So nobody gave the glitches a
4:26
second thought.
4:44
And then, on February 9th, came
4:46
the moment everyone was eagerly
4:48
waiting for. the 2018 Winter
4:51
Olympics Opening Ceremony. And
4:54
as the bell rings here in the stadium, bells
4:57
ring all the way around Korea.
5:01
Ringing for peace and connecting
5:03
everyone to begin the festival. 35,000 excited
5:07
spectators filled the huge pentagonal
5:10
stadium and hundreds of cameras screened
5:13
the event
5:13
to viewers in more than 200 countries
5:16
all over the world. As the
5:18
enthusiastic crowd was chanting
5:21
the time-honored countdown towards
5:23
the start of the ceremony, a worm
5:26
was waking up somewhere inside
5:28
the Olympic network.
5:32
The malware scanned the computer it had
5:34
infected and scoured it for
5:36
user and browser credentials.
5:38
It then used the credentials it found to
5:40
log on to other computers on the network.
5:44
When the malware discovered new credentials
5:46
in a newly infected computer, it
5:48
compiled a new version of itself with
5:51
the augmented set of credentials and
5:54
used the new binary to infect
5:56
the next computer in line.
5:58
in all, it was an inc- incredibly
6:00
efficient method of propagation
6:03
in a confined environment such
6:05
as the Olympic Games Network. Once
6:08
an infected machine was fully compromised
6:11
and its credentials exfiltrated, the
6:13
malware sprung its malicious payload.
6:16
It wiped the computer's boot configuration
6:19
data and all backups, thus
6:21
crashing the computer and making it
6:24
unbootable. From Wired
6:26
Magazine, quote, As the
6:28
opening ceremony got underway, thousands
6:31
of fireworks exploded around the stadium
6:34
on queue and dozens of massive
6:36
puppets and Korean dancers entered
6:39
the stage.
6:40
San Jin Oh, director of technology
6:43
for the Pyeongchang Olympic organizing
6:45
committee,
6:46
saw none of it. He was
6:48
texting furiously with his staff
6:51
as they watched their entire IT
6:53
setup
6:54
go dark. As O
6:56
made his way out of the press section
6:58
towards the exit, reporters around
7:01
him had already began complaining
7:03
that the Wi-Fi seemed to have suddenly
7:06
stopped working.
7:07
Thousands of internet-linked TVs
7:09
showing the ceremony around the stadium
7:12
and in 12 other Olympic facilities
7:15
had gone black.
7:16
Every RFID-based security
7:18
gate leading into every Olympic
7:21
building was down. The Olympics
7:23
official app, including its digital
7:26
ticketing function, was broken too.
7:29
When it reached out for data from backend
7:31
servers, they suddenly had
7:33
none to offer. The
7:37
attack concentrated on a class of
7:39
computers called domain controllers,
7:42
the machines who controlled authentication
7:44
and authorization for many digital
7:47
services, from Wi-Fi to the
7:49
official Olympic apps. D
7:52
gates and skill lifts were disabled.
7:54
Hundreds of computers went dark. It
7:57
was the nightmare everyone in the
7:59
organized
8:00
committee was dreading. But
8:05
the South Koreans were not
8:07
caught off-guard.
8:09
South Korea has suffered many cyber
8:11
attacks from its totalitarian neighbor
8:13
and nemesis North Korea, and
8:16
so the threat of a cyber attack
8:18
during the Olympic Games was
8:20
always present during the planning. Within
8:23
minutes, the staffers at the Games
8:26
Technology Operations center sprang
8:28
into action. Using a temporary
8:30
workaround, they bypassed the dead
8:33
domain controllers and brought many
8:35
critical services, such as WiFi
8:37
and internet-linked TVs, back
8:40
online, just minutes before the
8:42
opening ceremony concluded and tens
8:44
of thousands of athletes and visitors
8:47
streamed out of the stadium. Later
8:49
that night, the engineers waged battle
8:52
with malware that crippled their network.
8:55
Every time a server was brought back
8:57
online, it quickly became infected
9:00
again and crashed. A local
9:02
security vendor quickly crafted an identifying
9:05
signature for the malware, but it
9:07
took a drastic measure, cutting
9:09
the entire Olympic network from the
9:11
internet for the tide to turn
9:14
in their favor.
9:15
Finally, by 8 am the following
9:17
morning, the battle was won. The
9:20
malware was cleared from the network and
9:22
all digital services resumed, just
9:25
in time for the first skating
9:27
and ski jumping events. In
9:29
fact, most of the participants weren't
9:32
even aware of what had happened during
9:34
the night and the games went on with
9:36
almost no interruptions. Ultimately,
9:39
the 2018 Winter Olympics was
9:42
globally praised for being impeccably
9:45
organized
9:45
and executed.
9:48
Some magnificent memories of the
9:51
past two and a half weeks. the
10:00
first to analyze the malware
10:02
where researchers from cisco's tell
10:04
us security division and they
10:06
were also the ones to give it its name
10:09
olympic destroy you
10:11
in the investigation they learned that
10:13
samples of the malware were uploaded
10:15
to virus total the malware
10:17
repository even as early as
10:20
two months prior to the attack itself
10:23
these samples it seems were uploaded
10:25
to the repository by an anonymous
10:27
member of the security team of
10:30
one of the to ip sub contractors
10:32
who worked in service of the south korean
10:34
olympic committee these
10:36
early samples revealed
10:38
the attackers spear fishing efforts
10:41
and to that the attack was
10:43
a classic supply chain attack
10:46
olympic
10:46
destroyer it was found infiltrated
10:49
the victim network via the to
10:51
ski resorts which served many
10:53
of the visitors and perhaps most
10:55
crucially the desktop computer
10:58
of the architect who actually designed
11:00
the games is network the
11:03
obvious question in everyone's minds
11:05
was who
11:06
was responsible for the attack
11:09
who
11:09
was vile enough to launch
11:11
such potentially destructive attack
11:14
against an event which more than anything
11:16
symbolizes peace and global
11:19
corporation who
11:20
wished to humiliate south
11:22
korea in front of the whole world
11:26
the obvious suspect was
11:28
north korea the ultimate bad
11:30
boy of global geopolitics
11:33
given
11:33
the long running anymore city
11:35
between the two koreas it
11:37
was easy to imagine kim jong on
11:39
ordering a cyber strike on the
11:41
winter olympics just to embarrass
11:44
the quote unquote evil capitalist
11:46
enemy and need
11:49
it didn't take long for crowd strike
11:51
a cyber security vendor to discover
11:53
striking similarities between
11:55
olympic destroyers file deletion
11:58
routines and code for
12:00
in malware created by North
12:02
Korea's notorious Lazarus
12:04
cybercrime group.
12:06
Another team of researchers, this time
12:08
from Kaspersky, found an
12:11
even more convincing piece of evidence.
12:13
It was a data structure called RichHeader
12:16
that appears in some of the files used
12:19
by the malware. This RichHeader
12:21
metadata consists of pairs
12:24
of 4-byte integers and
12:26
encodes information about the various
12:28
source files used in the compilation
12:31
tool who produced the binary.
12:34
Olympic Distory's rich header, they found,
12:36
was identical to a header that was
12:39
previously discovered in North
12:41
Korean malware.
12:43
This was the smoking gun
12:45
everyone was looking for. Case
12:48
closed. Except,
12:50
it didn't quite
12:53
make sense.
13:10
During the preparations for the Olympic
13:12
Games, the relationship between
13:14
the two Koreas actually seemed
13:16
to become more friendly.
13:18
Jim Jong-un invited South Korea's
13:21
president to visit Pyongyang and
13:23
sent his sister as a diplomatic
13:25
emissary to the Games.
13:27
The two countries even agreed to combine
13:30
their Olympic women's hockey teams
13:32
in a rare act of goodwill.
13:35
Sure, the North Koreans can seem
13:37
unpredictable at times, but
13:40
reaching out in a friendly handshake with
13:42
one hand while executing a crippling
13:45
cyber-attack with the other?
13:47
It was odd and illogical,
13:50
even by North Korean standards. And
13:53
so the investigation continued, and
13:56
the more it continued, the more bizarre
13:58
things seem to get. the into
14:00
their an israeli cyber security
14:03
vendor discovered code snippets
14:05
in olympic destroy that looked
14:07
as if they were crafted by a pity
14:09
three and a pity ten
14:11
to chinese hacking groups
14:14
and so at this point everyone
14:16
was scratching their heads trying
14:18
to make sense of the contradictory
14:20
data some
14:21
analysts pointed at north
14:23
korea others at china
14:26
if you even suspected the russians at
14:28
a hand in the attack but
14:30
no strong evidence for this was
14:33
uncovered will know that
14:35
attribution in cyber is
14:37
a hard problem but
14:39
this this
14:41
was a real mess
14:48
the best strategy for organizations
14:50
to avoid becoming a victim of
14:52
were somewhere is to prevent the
14:54
attack from being successful in
14:56
the first place cyber reason remains
14:59
undefeated in the fight against went
15:01
somewhere because it moved beyond
15:03
alerting to deliver an operation
15:05
centric approach that detects
15:07
and prevents ransom or attacks at the
15:10
earliest stages of initial
15:12
inglis and lateral move
15:14
the cyber reason predictive response
15:16
skip ability disrupts ransom or
15:18
attacks prior to data exploration
15:21
and long before the ransom where payload
15:24
can be delivered visit cyber
15:26
isn't dot com to learn more
15:28
about predictive where summer protection
15:30
and how your organization can realize
15:33
both increased efficiency and
15:35
efficacy through an operation centric
15:37
approach to security operations
15:49
there
15:49
is something important you need
15:51
to know about which haters
15:53
not a lot of people know about
15:55
them there's
15:56
no official documentation
15:58
about which headers
16:00
which makes it hard for researchers
16:02
to learn about the information
16:04
they contain, plus they're
16:06
rarely useful in malware analysis,
16:09
so for the most part, only automated
16:11
tools use these headers when classifying
16:14
newly discovered malware.
16:17
But here and there, there are people
16:19
who like to dig deeper into the
16:21
inner workings of such obscure data
16:23
structures, and Igor Sumenkov
16:26
is one of them. Sumankov is
16:28
a researcher at Kaspersky and
16:31
in an interview to Kaspersky's Tomorrow
16:33
Unlocked YouTube channel, he recalled
16:36
hearing his colleagues discussing the perfect
16:38
match between Olympic Distoir's
16:40
Rich Hedder and Heather's found
16:43
in North Korean malware. Quote,
16:45
I remember just sitting in the office
16:48
analyzing some malware and my
16:50
colleague was talking to someone else
16:53
and saying, hey,
16:53
well, there's something going on
16:56
and you know, we found a match, I
16:58
think we can relate it to another attack.
17:01
And he's saying, well, there's a rich
17:03
header.
17:04
It completely matched.
17:06
And I'm thinking, well, that's
17:08
not really possible.
17:09
You're not getting a complete match on
17:12
the rich header.
17:13
So I'm thinking, well, no, that can't
17:15
be real. Give me the samples."
17:19
Why was Sumankov suspicious
17:22
of the perfect match between the header
17:24
found in Olympic destroyer and
17:26
a header found in a North Korean
17:29
malware. Well recall
17:31
that rich headers encode information
17:33
about the source files present during
17:35
the malware's compilation process.
17:38
This encoding is very sensitive
17:40
to change, meaning that if we
17:43
add or remove even a single source
17:45
file, the resulting header will
17:47
change as well.
17:49
It is the same butterfly effect that
17:51
makes hashes so effective in detecting
17:54
file changes. even a single
17:56
bit of information in a file will bring
17:59
about a relatively
18:00
major change in the calculated
18:02
hash.
18:03
And although rich headers are somewhat less
18:05
sensitive to changes, Sumenkov
18:08
knew that it's highly implausible
18:10
that any two malware's would produce
18:13
exactly the same header.
18:16
And indeed, when Sumenkov analyzed
18:18
olympic destroyer's header, it didn't
18:20
take him long to realize that something
18:23
was seriously wrong. The
18:25
header contents made it seem as if the
18:28
malware was compiled using Microsoft's
18:30
Visual Studio 6, yet referenced
18:33
a file, mscoree.dll,
18:36
which did not exist in this version
18:39
of Visual Studio.
18:41
A more in-depth analysis of the header revealed
18:43
to Simenkov that Olympic Destroyer
18:46
was actually compiled using Visual
18:48
Studio 2010.
18:50
This could only mean one thing.
18:53
The original header was a fake,
18:56
a ruse. The malware authors lifted
18:58
a header from an existing malware and
19:01
copied it into theirs in order to
19:03
convince the researchers that Olympic
19:05
Destroyer was created by the North Korean
19:08
Lazarus Group.
19:09
And it almost worked, too.
19:12
Had Igor Sumonkov gone to
19:14
grab a cup of coffee or go
19:16
to the toilet instead of overhearing his
19:19
colleagues speaking about their find
19:21
in Olympic Destroyer? This faint
19:24
might have been a success. "'To
19:26
our knowledge, the evidence we were able
19:28
to find was not previously used
19:31
for attribution,' wrote Vitali
19:33
Kamlok, head of the APAC
19:35
research team, in a statement released
19:38
by Kaspersky. Yet the attackers
19:40
decided to use it, predicting that someone
19:43
would find it. They counted on the fact
19:46
that forgery of this artifact is
19:48
very hard to prove.
19:49
It's as if a criminal had stolen someone
19:52
else's DNA and left it at
19:54
the crime scene instead of their own.
19:56
We discovered and proved that the DNA
19:59
found
20:00
the crime scene was dropped there
20:02
on purpose.
20:03
All this demonstrates how much effort
20:05
attackers are ready to spend in
20:07
order to stay unidentified for
20:10
as long as possible.
20:12
We've always said that attribution
20:14
in cyberspace is very hard,
20:16
as lots of things can be faked,
20:19
and Olympic Destroyer is a
20:21
pretty precise illustration of this.
20:28
Equipped with this new knowledge, Kaspersky's
20:31
researchers re-examined some of the
20:33
samples of the malware discovered
20:35
in one of the game's IT subcontractors.
20:38
They came across a version of Olympic
20:41
Destroyer that was compiled on
20:43
the very day of the opening ceremony
20:46
at about 11am. This
20:48
version had one of the malware's features
20:51
removed, a 60 minutes delay
20:53
between the initial infection and
20:56
the final shutdown of the machine.
20:58
It seems that two hours prior an
21:01
earlier version of the worm was unleashed
21:03
in one of the ski resorts and
21:05
following this quote unquote test run,
21:08
its authors realized that the
21:10
delay feature was a bad
21:12
idea for some reason. They
21:15
hurriedly compiled a new version of
21:17
the worm without that delay, but
21:20
in their rush forgot to paste the
21:22
fake header.
21:23
And indeed in this version of the worm,
21:26
the rich header was very different
21:28
from the fake one, proving that
21:30
Igor Simenkov was right.
21:34
Although it was possible that this was
21:36
a North Korean double bluff, planting
21:39
fake evidence against itself to
21:41
make it seem as if it was being
21:43
framed, most researchers didn't
21:46
believe this to be the case and
21:48
saw Somenkov's discovery as
21:50
a convincing argument for North Korea's
21:53
innocence. if the Lazarus
21:55
Group wasn't to blame for the attack
21:58
on the Winter Olympics.
22:00
Then, who was?
22:09
Michael Matonis, a researcher from
22:11
FireEye, took a different approach
22:13
to investigating Olympic Destroyer.
22:16
While most researchers focused
22:18
on the malware itself, Matonis
22:20
decided to zoom in on the Microsoft
22:23
Word files that were attached to the
22:25
phishing emails sent to the various
22:27
Olympic committee members and partners
22:30
back in November and December
22:32
of 2017, during the reconnaissance phase
22:36
of the attack.
22:37
One file he examined contained a
22:40
macroscript that planted a backdoor
22:42
in the victim's computer.
22:44
But this malicious script was generated
22:47
using an open source tool, so this
22:49
avenue of investigation led him
22:52
nowhere.
22:53
But digging deeper into the metadata
22:55
of the document, Matonis found
22:58
an IP address, an address he
23:00
learned that was identical to
23:02
the IP address that Olympic Destroyer
23:05
itself was using to communicate
23:08
with its command and control servers.
23:11
Matonis combed through FireEye
23:13
databases and found two more
23:15
malicious Word files who had the same
23:17
exact IP address embedded
23:20
in the metadata. files
23:22
were from 2017, a full
23:25
year before the Winter Olympics
23:27
cyberattack, and crucially, they
23:30
were part of a campaign against
23:32
Ukrainian civil rights groups and
23:34
similar organizations.
23:39
Matanis immediately realized
23:41
the significance of his find.
23:43
Having the same IP address in all
23:45
the malicious documents meant that the
23:47
attackers were using the same infrastructure
23:50
in both attacks, and the only country
23:53
that had a reason to attack both Ukraine
23:55
and the Olympic Games
23:57
was Russia. digging even
24:00
deeper into the case mcdonalds
24:02
and covered a domain name that was linked
24:04
to one of the ip addresses he found
24:06
in the documents account dash
24:09
logging serve dot com this
24:11
domain ring a bill
24:14
from thomas a
24:16
year or so earlier in august
24:18
of two thousand and sixteen the f
24:20
b i released an ember flesh
24:22
alert and emergency noticed the
24:25
bureau sense to private organizations
24:27
were targeted by cybercriminals
24:30
titled targeting activity against
24:32
state board of elections systems
24:35
the alert be field attacks against
24:37
the voters systems have to unnamed
24:39
states probably in an attempt to
24:42
influence that year's election race between
24:44
hillary clinton and donald
24:46
trump
24:47
a two state were later identified
24:49
as illinois and arizona the
24:52
illinois attack was successful and
24:54
the hackers managed to download the personal
24:56
data have some two hundred thousand
24:59
voters as part
25:01
of the fishing campaign that preceded
25:03
the breach the hackers used
25:05
spoofed emails pretending to come
25:07
from vr systems are voting
25:10
tech company to trick election
25:12
officials and the links in
25:14
these emails lead to a fake
25:16
login page
25:17
hosted on you guessed it
25:20
account dash logging serve
25:22
dot com this finding
25:24
was the be smoking gun that not
25:27
on his was looking for russia
25:29
was infamous from its attempts at
25:31
meddling with the us elections so
25:34
this was more than enough evidence
25:36
to confidently tribute the
25:39
olympic games attack to rush
25:49
it's
25:49
two thousand and ten eight
25:51
years prior to the pyong
25:53
winter games vitale
25:55
step enough was working for
25:57
all sadder the russian anti do
26:00
agency.
26:01
Rusada's official mission statement
26:03
was to combat the use of drugs
26:05
in sports, but it didn't take
26:07
long for Vitaly, who served
26:10
in several roles in the organization, including
26:12
as an advisor to the agency's
26:15
director, to realize that
26:17
Rusada was not only turning
26:19
a blind eye to cheating Russian
26:22
athletes, it was actually enabling
26:25
such cheating.
26:26
In an interview for the Evening Standard
26:29
he recalled that quote, I thought
26:31
I was part of a team to fix this.
26:34
I then understood I was part of this
26:36
bigger mechanism that has no belief
26:38
in clean sport.
26:40
They need medals, and as many
26:42
medal winners in as many possible
26:44
sports, especially Olympic
26:47
sports.
26:49
This bigger mechanism was
26:51
an organized systematic effort by
26:54
the Russian government, sports officials,
26:56
medals and coaches to help
26:58
their athletes cheat in international
27:01
competitions.
27:03
It began following the 2010 Winter
27:06
Olympics, in which the Russian
27:08
team failed to win enough
27:10
medals.
27:11
Russian athletes were given a special
27:14
concoction of drugs nicknamed the
27:16
Duchess after a popular Russian drink,
27:19
which they then swished in their mouths
27:21
rather than drinking or injecting
27:23
it. chemicals were quickly
27:25
absorbed by the thin inner lining
27:28
of the cheeks and were just as quick
27:30
to disappear from the bloodstream.
27:33
If a drug test came out positive
27:35
after all, the result was reported
27:37
to the Russian Deputy Minister of Sports,
27:40
who decided on the proper action.
27:43
If the athlete in question was talented
27:46
and promising, the incriminating
27:48
evidence would be removed from
27:51
Rusada's computer records.
27:53
During his conscious, Vitaly contacted
27:56
Wada, the world anti-doping
27:58
agency, set up a national
28:00
by the International Olympic Committee
28:02
and sent literally hundreds of emails
28:05
and letters detailing his government's
28:08
wrongdoings. But after three
28:10
years of failing to get Wada to
28:12
take his claims seriously, Vitaly
28:15
reached out to a German journalist who
28:17
agreed to investigate the matter.
28:20
Vitaly had a close ally
28:22
in his fight against organized doping,
28:25
Yulia Stepanova, his wife.
28:28
Julia was a runner, specializing
28:30
in the 800-meter track event. Starting
28:34
in 2007, her coach persuaded her to take
28:36
banned steroids, telling her that everyone
28:39
was doing the same and that doping
28:41
was the only way to succeed. And
28:44
indeed, Julia's results improved
28:46
dramatically, earning her a bronze medal
28:49
in the 2011 European Athletic
28:52
Indoor Championships in Paris. But
28:55
two years later, after she failed
28:57
a drug test, Yulia was banned
29:00
from all international competitions for
29:02
two years and stripped of
29:04
her medal. Angry and
29:06
disillusioned, Yulia joined her husband's
29:09
efforts and began to secretly
29:11
record Russian officials, doctors
29:14
and athletes talking about the
29:16
state-sponsored scheme to subvert
29:18
Wada's anti-doping efforts. The
29:21
couple's personal testimony, along
29:24
with Yulia's clandestine recordings,
29:26
were aired in 2014 in a German TV documentary.
29:31
The public's outcry was loud enough to
29:34
force Wada to launch a thorough
29:36
investigation, whose results stunned
29:39
everyone. Except the Russians, obviously.
29:42
It turns out that the number of quote-unquote
29:45
suspicious blood and urine samples
29:47
from Russian athletes exceeded
29:50
those of all other countries by
29:52
a notable margin, to put it mildly.
29:55
Vitaly and Yulia fled Russia a
29:57
short time prior to the airing of the documentary.
30:00
of course.
30:02
The rolling snowball, set in motion by
30:04
the brave couple, ended with
30:06
a decision by the International Olympic
30:08
Committee to ban Russia from participating
30:11
in the 2018 Winter Olympics.
30:15
Russian officials, as well as athletes
30:17
accused of cheating, were not permitted
30:20
to take part in the games.
30:22
Those who were allowed to compete did
30:24
so under the neutral Olympic
30:26
flag.
30:27
When a Russian athlete made it to the podium,
30:29
it was the Olympic anthem that was
30:32
played during the ceremony, rather
30:34
than the Russian one.
30:37
Unsurprisingly, many Russians were
30:40
furious with the Olympics Committee's decision,
30:43
seeing it as a humiliating act
30:45
against the Russian people.
30:47
Among them were six officers
30:49
of the GRU, the Russian Military
30:52
Intelligence Agency. They were
30:54
Sergei Detistov, the group's
30:57
captain, and his five subordinates,
30:59
Yuri Adrienko, Pavel Frolov,
31:02
Antoni Kovalov, Artem Ochichenko,
31:04
and Peter Pliskin. These
31:07
six men were no ordinary
31:09
military officers, though. They were
31:11
part of a notorious hacking group known
31:14
to the world by many names. Some
31:16
called them Iron
31:17
Viking, others known them as
31:19
Televots, Voodoo Bear, or Sandwar.
31:23
Internally in the Russian military, they
31:25
are known as Unit 74455. Although
31:31
our podcast's 200 plus
31:34
episodes might give the opposite
31:36
impression, the history of cyberwar
31:39
is rather short.
31:40
Nevertheless, Unit 74455 is
31:44
responsible for many of the more
31:46
well-known attacks of the past 15 years or so.
31:50
For example, its hackers were the ones who,
31:53
in a world first, attacked the
31:55
Ukrainian power grid in 2015 and 2016. also
32:00
responsible for Natpetya,
32:02
one of the most damaging and costliest
32:05
malware ever created.
32:07
We covered both stories in previous episodes
32:09
of Malicious Life.
32:12
In November 2017, Sergei
32:15
and his colleagues turned their sights
32:18
on the Olympics. Call it revenge,
32:21
or call it the actions of a quote-unquote,
32:23
a petulant child with the resources
32:26
of a nation-state, as the US
32:28
Department of Justice Assistant Attorney
32:30
General John Demers put it, the
32:33
six men were determined to
32:35
ruin the Olympics for everyone.
32:43
If by launching such a brazen
32:45
and potentially destructive attack, Russia
32:48
was hoping to persuade International
32:50
Olympic Committee to stop inquiring
32:53
too deeply into doping allegations,
32:56
it seems that the message didn't
32:58
have the effect the Russians were hoping
33:01
for. In 2018, the
33:03
World Anti-Doping Agency once
33:05
again banned Russia from participating
33:08
in the Olympic Games for four
33:10
more years when it was revealed that
33:12
the Russians were cheating even during
33:15
the the 2014 Sochi
33:17
Winter Olympics itself by
33:19
swapping positive drug samples with
33:22
clean ones through a tiny hole
33:24
in the sporting event's anti-doping
33:26
laboratory.
33:27
This ban was later shortened to
33:30
two years, but the Russians were
33:32
still excluded from the 2022 Tokyo
33:35
Olympic Games and the 2022 Beijing
33:38
Olympic Winter Games.
33:41
The US, in turn, also sent
33:43
Russia a message of its own.
33:46
In July 2018, Special
33:48
Counsel Robert Mueller unsealed
33:50
an indictment against the six men of
33:53
Unit 74455.
33:56
So again, Yuri and their pals
33:58
now have a 10 million...
34:00
dollar prize on their heads.
34:05
Looking back, the joint efforts
34:07
of Kaspersky, Talos, FireEye
34:10
and Intezer might help explain a
34:12
puzzling statement released by the
34:14
Russian Foreign Ministry two days
34:17
before the attack on the 2018 Winter Games. Quote,
34:22
It is known to us that Western mass media
34:24
are planning to throw in a pseudo-investigation
34:27
on the theme of the Russian trace in
34:30
hacker attacks on information
34:32
resources connected with conducting
34:34
the Winter Olympics in South Korea,"
34:37
said the Russian statement. As
34:39
before, no kind of evidence will
34:41
be presented to the world."
34:45
Weird
34:45
isn't it? Why would
34:48
the Russian government deny involvement
34:50
in an attack that was yet to
34:53
occur?
35:12
That's
35:14
it for this episode. Thank you for
35:17
listening. Malicious Life is produced
35:19
by PI Media. This episode
35:21
was written by me and edited by
35:24
our distinguished senior producer, Nate
35:26
Nelson. Sareet Kuzman does
35:28
our social media. Our website is
35:31
malicious.life. You can find us
35:33
on Twitter at at Malicious Life or
35:35
me at at RANLEVI. That's
35:38
R-A-N-L-E-V-I. Thanks
35:41
to Cyber Reason for underwriting
35:42
the podcast. Learn more at cyberreason.com.
35:46
bye-bye
Podchaser is the ultimate destination for podcast data, search, and discovery. Learn More