The final instalment of our series hacker:HUNTER Olympic Destroyer examines how Pyeongchang winter Olympics hackers put smokescreen to misdirect cybersecurity analysts. But through the fog, analysts realized the culprit wasn’t who you might expect.

“Like placing someone else’s fingerprints at the crime scene.”

If successful, the 2018 Pyeongchang cyberattack could have cost billions of dollars, leaving a canceled Olympics and a geopolitical disaster in its wake. Their deceptive methods meant the cybercriminals nearly got away with it. Why did they want to point the analysts at another group? And who was behind it all?

Threat attribution – what is it?

Cybercriminals don’t leave a calling card, but they do leave evidence. The art of finding and using that evidence to find the culprit is known as threat attribution.

Threat attribution is forensic analysis for advanced persistent threats (APTs). It analyzes the attackers’ ‘fingerprints,’ such as the style of their code, where they attack and what kinds of organizations they target. Attacks can be matched with the fingerprints of other attacks attributed to specific groups.

Cybercriminals carry special ‘fingerprints’

Hackers have their own set of tactics, techniques and procedures. Cybersecurity experts can identify threat actors by studying these elements.

In February 2016, hackers attempted to steal $851 million US dollars and siphoned $81 million US dollars from the Central Bank of Bangladesh. The attack was linked to notorious cyber espionage and sabotage group Lazarus Group. Lazarus attacks casinos, financial institutions, and investment and cryptocurrency software developers.

Lazarus has certain targets and ways of attacking: Infecting a website employees of a targeted organization often visit or finding a vulnerability in one of their servers. These are the ‘fingerprints’ used in threat attribution.

Finding a needle within in a needle in a haystack

Crucially, Lazarus Group is long thought to be linked to North Korea. Olympic Destroyer included a piece of Lazarus’s malware code, but the type of attack didn’t fit. Its fingerprints better matched a cluster of attacks by another group with a very different agenda.

Watch the full video to see if you knew who the hacker was all along.

This APT might not have worked, but over the years, others have. To see what a successful APT looks like, watch Chasing Lazarus: A hunt for the infamous hackers to prevent big bank heists.