He looked down to see a message from a subordinate on KakaoTalk, a popular Korean messaging app. The message shared perhaps the worst possible news Oh could have received at that exact moment: Something was shutting down every domain controller in the Seoul data centers, the servers that formed the backbone of the Olympics' IT infrastructure. As the opening ceremony got underway, thousands of fireworks exploded around the stadium on cue, and dozens of massive puppets and Korean dancers entered the stage.
Oh saw none of it.
He was texting furiously with his staff as they watched their entire IT setup go dark. He quickly realized that what the partner company had reported wasn't a mere glitch. It had been the first sign of an unfolding attack. He needed to get to his technology operations center. As Oh made his way out of the press section toward the exit, reporters around him had already begun complaining that the Wi-Fi seemed to have suddenly stopped working. Thousands of internet-linked TVs showing the ceremony around the stadium and in 12 other Olympic facilities had gone black. The Olympics' official app, including its digital ticketing function, was broken too; when it reached out for data from backend servers, they suddenly had none to offer.
The Pyeongchang organizing committee had prepared for this: Its cybersecurity advisory group had met 20 times since They'd conducted drills as early as the summer of the previous year, simulating disasters like cyberattacks , fires, and earthquakes. But now that one of those nightmare scenarios was playing out in reality, the feeling, for Oh, was both infuriating and surreal. Once Oh had made his way through the crowd, he ran to the stadium's exit, out into the cold night air, and across the parking lot, now joined by two other IT staffers.
They jumped into a Hyundai SUV and began the minute drive east, down through the mountains to the coastal city of Gangneung, where the Olympics' technology operations center was located. From the car, Oh called staffers at the stadium and told them to start distributing Wi-Fi hot spots to reporters and to tell security to check badges manually, because all RFID systems were down.
But that was the least of their worries. Oh knew that in just over two hours the opening ceremony would end, and tens of thousands of athletes, visiting dignitaries, and spectators would find that they had no Wi-Fi connections and no access to the Olympics app, full of schedules, hotel information, and maps. The result would be a humiliating confusion.
If they couldn't recover the servers by the next morning, the entire IT backend of the organizing committee—responsible for everything from meals to hotel reservations to event ticketing—would remain offline as the actual games got underway. And a kind of technological fiasco that had never before struck the Olympics would unfold in one of the world's most wired countries.
Oh arrived at the technology operations center in Gangneung by 9 pm, halfway into the opening ceremony. The center consisted of a large open room with desks and computers for staffers; one wall was covered with screens. When he walked in, many of those staffers were standing, clumped together, anxiously discussing how to respond to the attack—a problem compounded by the fact that they'd been locked out of many of their own basic services, like email and messaging.
All nine of the Olympic staff's domain controllers, the powerful machines that governed which employee could access which computers in the network, had somehow been paralyzed, crippling the entire system. The staff decided on a temporary workaround: They set all the surviving servers that powered some basic services, such as Wi-Fi and the internet-linked TVs, to bypass the dead gatekeeper machines.
By doing so, they managed to bring those bare-minimum systems back online just minutes before the end of the ceremony. Over the next two hours, as they attempted to rebuild the domain controllers to re-create a more long-term, secure network, the engineers would find again and again that the servers had been crippled.
Some malicious presence in their systems remained, disrupting the machines faster than they could be rebuilt. A few minutes before midnight, Oh and his administrators reluctantly decided on a desperate measure: They would cut off their entire network from the internet in an attempt to isolate it from the saboteurs who they figured must still have maintained a presence inside. That meant taking down every service—even the Olympics' public website—while they worked to root out whatever malware infection was tearing apart their machines from within.
London Olympic Games to simulate cyber-attacks – Naked Security
For the rest of the night, Oh and his staff worked frantically to rebuild the Olympics' digital nervous system. By 5 am, a Korean security contractor, AhnLab, had managed to create an antivirus signature that could help Oh's staff vaccinate the network's thousands of PCs and servers against the mysterious malware that had infected them, a malicious file that Oh says was named simply winlogon. At am, the Olympics' administrators reset staffers' passwords in hopes of locking out whatever means of access the hackers might have stolen.
Just before 8 that morning, almost exactly 12 hours after the cyberattack on the Olympics had begun, Oh and his sleepless staffers finished reconstructing their servers from backups and began restarting every service. Amazingly, it worked.
The day's skating and ski jumping events went off with little more than a few Wi-Fi hiccups. R2-D2-style robots puttered around Olympic venues, vacuuming floors, delivering water bottles, and projecting weather reports. Within hours of the attack , rumors began to trickle out into the cybersecurity community about the glitches that had marred the Olympics' website, Wi-Fi, and apps during the opening ceremony. Two days after the ceremony, the Pyeongchang organizing committee confirmed that it had indeed been the target of a cyberattack. But it refused to comment on who might have been behind it.
Oh, who led the committee's response, has declined to discuss any possible source of the attack with WIRED.
The incident immediately became an international whodunit: Who would dare to hack the Olympics? The Pyeongchang cyberattack would turn out to be perhaps the most deceptive hacking operation in history, using the most sophisticated means ever seen to confound the forensic analysts searching for its culprit.
The difficulty of proving the source of an attack—the so-called attribution problem —has plagued cybersecurity since practically the dawn of the internet. Sophisticated hackers can route their connections through circuitous proxies and blind alleys, making it almost impossible to follow their tracks.
The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History
Forensic analysts have nonetheless learned how to determine hackers' identities by other means, tying together clues in code, infrastructure connections, and political motivations. In the past few years, however, state-sponsored cyberspies and saboteurs have increasingly experimented with another trick: planting false flags. Those evolving acts of deception, designed to throw off both security analysts and the public, have given rise to fraudulent narratives about hackers' identities that are difficult to dispel, even after governments announce the official findings of their intelligence agencies.
It doesn't help that those official findings often arrive weeks or months later, with the most convincing evidence redacted to preserve secret investigative techniques and sources. When state-sponsored Russian hackers stole and leaked emails from the Democratic National Committee and Hillary Clinton's campaign in , we now know that the Kremlin likewise created diversions and cover stories.
It invented a lone Romanian hacker named Guccifer 2. Those deceptions became conspiracy theories, fanned by right-wing commentators and then-presidential candidate Donald Trump. The deceptions generated a self-perpetuating ouroboros of mistrust: Skeptics dismissed even glaring clues of the Kremlin's guilt, like Russian-language formatting errors in the leaked documents, seeing those giveaways as planted evidence.
Even a joint statement from US intelligence agencies four months later naming Russia as the perpetrator couldn't shake the conviction of disbelievers. With the malware that hit the Pyeongchang Olympics, the state of the art in digital deception took several evolutionary leaps forward. Investigators would find in its code not merely a single false flag but layers of false clues pointing at multiple potential culprits. And some of those clues were hidden deeper than any cybersecurity analyst had ever seen before.
From the start, the geopolitical motivations behind the Olympics sabotage were far from clear. The usual suspect for any cyberattack in South Korea is, of course, North Korea. The hermit kingdom has tormented its capitalist neighbors with military provocations and low-grade cyberwar for years. In the run-up to the Olympics, analysts at the cybersecurity firm McAfee had warned that Korean-speaking hackers had targeted the Pyeongchang Olympic organizers with phishing emails and what appeared to be espionage malware.
At the time, McAfee analysts hinted in a phone call with me that North Korea was likely behind the spying scheme. But there were contradictory signals on the public stage. As the Olympics began, the North seemed to be experimenting with a friendlier approach to geopolitics. The two countries had even taken the surprising step of combining their Olympic women's hockey teams in a show of friendship.
Why would North Korea launch a disruptive cyberattack in the midst of that charm offensive? Then there was Russia. The Kremlin had its own motive for an attack on Pyeongchang. Investigations into doping by Russian athletes had led to a humiliating result in advance of the Olympics: Russia was banned. Its athletes would be allowed to compete but not to wear Russian flags or accept medals on behalf of their country.
For years in the lead-up to that verdict, a state-sponsored Russian hacker team known as Fancy Bear had been retaliating, stealing and leaking data from Olympics-related targets. Russia's exile from the games was exactly the sort of slight that might inspire the Kremlin to unleash a piece of disruptive malware against the opening ceremony. If the Russian government couldn't enjoy the Olympics, then no one would. If Russia had been trying to send a message with an attack on the Olympics' servers, however, it was hardly a direct one.
Days before the opening ceremony, it had preemptively denied any Olympics-targeted hacking. In fact, there would be plenty of evidence vaguely hinting at Russia's responsibility. The problem, it would soon become clear, was that there seemed to be just as much evidence pointing in a tangle of other directions too.
Three days after the opening ceremony , Cisco's Talos security division revealed that it had obtained a copy of Olympics-targeted malware and dissected it.