The team behind the 2018 Winter Olympics hack is still active, according to security researchers -- in fact, it's switching to more serious targets. Kaspersky has discovered that the group, nicknamed Olympic Destroyer, has been launching email phishing attacks against biochemical warfare prevention labs in Europe and Ukraine as well as financial organizations in Russia. The methodology is extremely familiar, including the same rogue macros embedded in decoy documents as well as extensive efforts to avoid typical detection methods.
While Kaspersky didn't directly point fingers, it brought up a number of clues suggesting that Russia was responsible. Most of the lab targets were people associated with an upcoming biochemical threat conference run by Spiez Laboratory, which just happened to be involved in the investigation of the nerve agent poisoning of former Russian double agent Sergei Skripal and his daughter Yulia. Also, Kaspersky noted that the custom images and messages in the documents were in "perfect" Russian, and one of them specifically references the Skripal attack (conveniently, a piece where scientists couldn't definitively came from Russia).
So why target Russian financial outfits, then? Kaspersky acknowledged that there could be multiple parties involved (say, profit-oriented crooks in addition to state-sponsored attackers). However, it's generally accepted that Russia tried to frame North Korea for the Olympic hack. It's entirely possible that the Russian targets amounted to a false flag meant to cast doubt on the true origins of the attack. The focus on labs and the Skripal connection may have been meant to rattle the West for daring to attribute assassination attempts to Russia.
It may be difficult to completely prevent campaigns like this when political tensions are so high. Kaspersky believes the labs can curb this in the future, however, such as tightening their overall security and running impromptu security audits. It's also a reminder to be cautious -- a seemingly innocuous attachment can have dire consequences.
- This article originally appeared on Engadget.