The "Olympic Destroyer" malware used to attack last month's Pyeongchang Winter Games was embedded with forged code to make investigators believe the attack was the work of hackers linked to North Korea, Russia's Kaspersky Lab reported on Thursday.
Discovery of the effort to plant a fake digital fingerprint in Olympic Destroyer underscores the emerging threat of hackers using false flags to incriminate innocent parties or undermine confidence in information provided by security researchers.
"Attribution is not just difficult, it's getting impossible," Kaspersky researcher Vitaly Kamluk told reporters on the sidelines of the Kaspersky Security Analyst Summit, which is being held in Cancun, Mexico. "If it continues this way, you will see industry making a lot of mistakes and people will lose trust."
Olympic Destroyer temporarily took the Olympics website offline, preventing some people from printing tickets, and knocked out Wi-Fi used by reporters covering the games. Authorities have not identified any suspects, though cyber security firms have speculated that China, North Korea or Russia could be behind the hack.
While it is not the first time that false flags have been used to make it tougher for investigators to identify hackers, this is one of the most sophisticated attempts known to date because the forged indicators were difficult to locate, Kamluk said.
He said that while he does not know who was behind the hack, he is certain the attackers inserted the false digital fingerprint to make it look like Lazarus, a group linked to North Korea.
Kaspersky researchers obtained a sample of Olympic Destroyer from a Pyeongchang ski resort, which is one of the Russian anti-virus software maker's clients.
Early review of that code suggested it was from Lazarus because some technical features looked similar to malicious software used in a previous attack widely believed to have been launched by Lazarus, Kaspersky researcher Igor Soumenkov told the crowd of some 300 security experts.
But closer inspection revealed evidence that specific elements were forged, he said.
"We can say with 100 percent confidence that it is false. It is not the Lazarus Group," he said. "We don't know who they are, but they are not the Lazarus group."
Reporting by Jim Finkle in Cancun, Mexico; Editing by Matthew Lewis.