Russian cybersecurity firm Kaspersky Lab claim that their investigation has revealed that hackers behind the "Olympic Destroyer" attack at last month’s Opening Ceremony of the Winter Olympic Games here used duplicated software to cover their tracks.
The Olympic Destroyer hack took down WiFi during the Ceremony at Pyeongchang Olympic Stadium on February 9 and also affected several broadcasts of the event by knocking out television screens.
Additionally, it affected the Pyeongchang 2018 websites, leaving fans unable to print tickets or view results of events.
Kaspersky claim the Olympic Destroyer was a network worm launched to infect the servers of Pyeongchang 2018.
The worm was then able to steal passwords from infected computers, allowing it to shut down the systems.
Since the Opening Ceremony, various rumours about who was behind the attack have been circulating with suspicions falling on North Korean, Russian and Chinese hackers.
North Korea were said to have been spying on the Pyeongchang 2018 computers before the Games even started, and the frosty relations between North and South Korea provide an obvious motive.
The motive behind a Russian attack is also clear given the team’s controversial ban from the Olympics for doping violations.
Although the motives behind a Chinese-based attack are unclear, Chinese hackers were suspected after similarities were drawn between the Olympic Destroyer and malware previously used by Chinese attackers.
Interestingly, however, Kaspersky point out that the Olympic Destroyer was a relatively mild hack, making the real motive behind the attack unclear.
Kaspersky say that their initial investigations also led to North Korea and, more specifically, the Lazarus Group, who are backed by the North Korean state, after their researchers found traces of Lazarus' digital fingerprints in the hack.
Further research showed that the software used to hack last month’s Olympic Ceremony was, in fact, an imitation of Lazarus Group software designed to divert suspicion from the real attackers.
Kaspersky even believe that there could have been a second level of deception in the hack as some evidence, including the use of NordVPN and host provider MonoVM, points to Russian hacker group Fancy Bears', now famous for hacking the database of the World Anti-Doping Agency on several occasions.
As reported by ITPro, head of the Asia-Pacific Research Department at Kaspersky, Vitaly Kamluk, commented: "It's as if a criminal had stolen someone else's DNA and left it at a crime scene instead of their own.
"We discovered and proved that the DNA found on the crime scene was dropped there on purpose."
Kaspersky conclude that, given the number of different possible sources behind the attack, it is impossible to know with 100 per cent certainty who carried it out.
"We've always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this," Kamluk said.
Kaspersky do, however, say that the likely purpose of the attack was to test the malware's ability to fool security researchers in a real-life setting, which would allow them to create other deceptive attacks in the future.