Desperate Korean administrators spent two panicked hours scrambling to bring those basic services back online before the end of the opening ceremony, and the rest of that sleepless night working to stabilize their entire network before the athletic events began at 8 a.m. the following morning. Amazingly, the administrators succeeded at isolating the malware, rebuilding their systems and saving the event from disaster with only hours to spare.
Today, almost two years since that unprecedented sabotage attempt, the public response from the global community to hold the hackers responsible has been equally remarkable: There has been none.
Russia has faced no new sanctions, no criminal charges, not so much as a strongly worded statement for carrying out the worst cyberattack that has hit the Olympics. That failure to respond has practically invited the Kremlin to strike again at the 2020 Summer Olympics in Tokyo — and it has further eroded any sense of the red lines that protect civilian organizations from state-sponsored cyberattacks.
In the first weeks after Olympic Destroyer struck, to be fair, it was far from clear who was responsible. The malicious code that crippled the Olympics network included layers of false fingerprints, snippets of code designed to lead astray forensic investigators. Some digital detectives were fooled into blaming North Korea or China, while many more threw up their hands in confusion.
Yet within two weeks of the Olympics cyberattack, U.S. intelligence officials, speaking anonymously to The Washington Post, named Russia as the culprit, though without providing any evidence to back up that claim. In my new book, “Sandworm,” I lay out the evidence that definitively proves the GRU’s responsibility publicly for the first time. Much of the evidence was assembled in 2018 by the private intelligence firm FireEye — and in late November confirmed by Google researchers in a talk at the security conference CyberwarCon — incontrovertibly showing that Olympic Destroyer shared infrastructure with a group of Russia’s GRU hackers known as Sandworm.
Sandworm is responsible for many of the worst attacks in the brief history of cyberwar. Olympics aside, Sandworm triggered the first blackouts ever caused by hackers, turning off the power to hundreds of thousands of Ukrainian civilians in 2015 and 2016. In 2017, it unleashed the self-propagating malware known as NotPetya, the costliest cyberattack, which spread from Ukraine to the rest of the world, paralyzing companies such as Merck, Maersk, FedEx and many others.
Crucially, FireEye said it shared its private report on Sandworm’s culpability for the Olympics attack with U.S. government officials in summer 2018. And yet, almost a year and a half later, our government has entirely failed to respond to Russia’s provocation in attacking this peaceful event on a global stage.
In other cases, diplomatic tools and even criminal charges have been used to draw red lines for state-sponsored hackers: The Obama administration — nearly four months after the fact — released a public statement confirming the Kremlin’s responsibility for the breach of the Democratic National Committee in late 2016, and followed up with new sanctions against Russia for its election interference. The FBI, as part of the investigation of special counsel Robert S. Mueller III, indicted 12 members of the GRU last year for that election-targeted hacking. But when it comes to Olympic Destroyer, our government has failed to even officially state that the Kremlin was responsible, not to mention levying new sanctions or indictments against the hackers responsible.
The Trump administration may, in “America First” fashion, be trying to reserve those measures for attacks on Americans. But the opening ceremony of the PyeongChang Olympics was not simply a Korean event; it was a global one, with American athletes, spectators and even Vice President Pence in attendance. If Russia were trying to lash out at every country in the world, including the United States, it hardly could have chosen a better target.
Without a punitive reaction to that provocation, a repeat attack seems practically inevitable. Russia’s motive for its 2018 attack has never been confirmed, but it likely carried out its 2018 Olympics cyber sabotage in a petty act of vengeance for the International Olympic Committee’s decision to ban the country from the Olympics as punishment for its organized doping program. Just last month, the World Anti-Doping Agency (WADA) recommended that Russia be banned from the 2020 Olympics, too. And even before that decision, the Kremlin was already showing every sign of preparing another Olympics attack. Microsoft warned in October that APT28, a different team of GRU hackers, began targeting WADA in September, after the agency’s announcement that it had found “inconsistencies” in Russia’s compliance with anti-doping rules. (The U.S. Justice Department indicted several GRU hackers last year for their role in similar hacking operations targeting WADA ahead of the 2018 Olympics — an act that makes the lack of response to Olympic Destroyer all the more inexplicable.)
By keeping silent, the U.S. government may have sent an implicit signal to the Kremlin that its attempts to confuse the attribution of its 2018 attack somehow succeeded. Or, worse, that silence may suggest to Russia and other global powers that this sort of attack remains within the acceptable bounds of state-sponsored hacking — that the rules of that game have yet to be clearly written.
Either way, America’s silence leaves the 2020 Olympics open to another cyberattack. This time, we’ll be lucky if that attack doesn’t have far more severe disruptive effects: permanent data destruction that leaves IT networks unrecoverable, repeated attacks throughout the games, or even attempts to trigger blackouts or other disruptive effects on physical infrastructure. But on a broader stage, the nonresponse to Olympic Destroyer also heralds a kind of digital anarchy, where a country such as Russia can launch indiscriminate attacks on civilian infrastructure with impunity, and Western powers will look the other way.
To see what that sort of anarchy might look like, look no further than the usual model for all of Russia’s escalating acts of cyberwar: Ukraine. Since its pro-Western revolution in 2014, the GRU has hacked Ukraine in every manner conceivable. It attempted to spoof the results of the country’s 2014 presidential election, presaging by two years Russia’s interference in the 2016 U.S. presidential election. The GRU then carried out not one but two cyberattacks disabling the Ukrainian power grid.
Even after those quintessential acts of cyberwarfare against civilian critical infrastructure, the U.S. government remained silent about Russia’s digital torment of its smaller neighbor, treating that cyberwar as Ukraine’s problem alone. In June 2017, the Russian military accepted that unspoken invitation to escalate further. It released NotPetya, which devastated the networks of hundreds of Ukrainian companies, its banking and payment systems, airports and transportation systems, and practically every government agency.
Within hours, NotPetya spread beyond Ukraine’s borders to cause terrible collateral damage. The malware shut down 17 of Maersk’s shipping terminals in ports across the globe. It disrupted Merck’s ability to manufacture drugs such as the vaccine for human papillomavirus. It disabled the medical record systems of hospitals across the United States.
This is what unchecked Russian cyberwar looks like, enabled by the negligence of global diplomacy and the failure of Western nations to look beyond their own immediate interests and establish norms in cyberspace. As the 2020 Olympics approaches, it’s well past time for that silence to end.