Atos, the cloud provider to the Winter Olympics, likely had its computer systems penetrated late last year by the hackers who carried out a cyberattack during the opening ceremony.
The report from CyberScoop, based on data from anti-virus aggregator VirusTotal, found that samples of the Olympic Destroyer malware deployed during the opening ceremony carry indications that hackers had been inside Atos systems since at least December.
Some of the earliest samples posted to the VirusTotal repository came from unknown users located in France, where Atos is headquartered, as well as Romania, where some members of the Atos security team work.
Paris-based Atos is a worldwide IT partner of the Pyeongchang games. According to Atos, all the games’ critical IT systems are delivered via its Canopy Cloud.
Atos told CyberScoop that a thorough investigation was being conducted following the issues at the opening ceremony.
“Together with our partner McAfee Advanced Threat Research, we can confirm that the cyberattack, which caused no critical disruption of the Olympic Games, used hardcoded credentials embedded in a malware. The credentials embedded in the malware do not indicate the origin of the attack.”
The official Winter Olympics website was down for several hours during the Friday opening ceremony, disrupting ticket sales and downloads, CyberScoop reported. Local Wi-Fi networks near the Olympic site were also reported to be temporarily unavailable.
Researchers with Cisco, CrowdStrike and FireEye said they had uncovered a computer virus dubbed “Olympic Destroyer” that was likely used in the attack.
Evidence of cyberattack
Cybersecurity professionals often upload to VirusTotal evidence of the cyberattacks they are responding to.
Evidence of cyberattacks on VirusTotal frequently contains details beyond the malware code itself, including stolen usernames, passwords, private email addresses, confidential internal domain names and other details about the victim organisation.
The evidence reviewed by CyberScoop contained a trove of information seemingly belonging to various employees of Atos, including employee usernames and passwords.
The Atos-related information on VirusTotal was attached to Olympic Destroyer malware samples, which suggested hackers had penetrated the company in recent months.
Security researchers with Cisco’s Talos unit said last week that the malware seemed to be designed to destroy data and cause mass computer failures. “There does not appear to be any exfiltration of data.”
Atos has itself attempted to move into the cybersecurity space in recent months, making an offer in December to acquire digital security vendor Gemalto for US$5.05 billion.
But Gemalto rejected the bid, instead opting to be purchased by French electrical system builder and services provider Thales for US$5.63
Atos first made its mark in North America by purchasing Xerox’s IT outsourcing business for US$1.05 billion in December 2014.
Buying the US$1.5 billion, 9,800-employee entity nearly tripled the size of the company’s operations in the United States, with Atos becoming a primary IT services provider for Xerox and taking on its IT outsourcing customers.
Atos is one of three providers, along with Datacom and NEC, selected to supply the Western Australian government under the state’s ‘GovNext’ transformed IT buying regime.