At the start of January, security firm McAfee announced that it had identified a malicious email campaign targeting organisations involved with the Pyeongchang Winter Olympics. The email, which was sent to a large list of South Korean organisations, appeared to be from the South Korean National Counter-Terrorism Center (NCTC), but in reality originated from an IP address in Singapore.

Attached was a Word document entitled, in Korean, ‘Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics’. As with all documents, if a user opens the document in Word it will initially do so in protected mode, but the file instructs users to select ‘Enable Content’, disabling this mode and allowing the hidden malicious scripts it contains to run.

Such tactics would be unlikely to be widely effective from most sources, but with the Olympics name, a seemingly trustworthy sender and considering its relevance to its recipients, it is likely to have successfully fooled many into opening it.

This sophisticated attack is the latest example of spear phishing, where targeted emails are designed to fool recipients into believing they are from a trusted, relevant source and is unlikely to be the last that uses the Olympic name to achieve its goal.

“With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes,” said McAfee Labs in a post detailing the campaign. “In similar past cases, the victims were targeted for their passwords and financial information.”

Be wary of Word: Using software to launch malicious scripts

Word is increasingly being used to hide malicious scripts, which in this case were designed to allow other malicious software to be remotely installed onto infected computers at a later date. 


“Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware,” wrote McAfee.

“This implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware.”

This is particularly unusual in South Korea, where attackers have previously focused on using documents designed for Hangul, a popular alternative word processing software. However, this latest attack was able to be much harder to detect by threat protection software by using Word, as it allowed the embedded scripts to run while heavily disguised. 


As a result, it would not have been caught by much of the software designed to prevent malicious emails from getting to users’ inboxes. 


For non-security professionals, then, the lesson is to be extremely wary of disabling protected mode on Word documents unless you are absolutely certain of their source, even if they look as if they come from a reliable origin. And if they ask you to disable protected mode, that’s even more reason to be wary.

A screenshot of the document requesting users to disable protected mode. Image courtesy of McAfee Labs

Spear phishing: A sophisticated threat to all industries

Even if you have no involvement with the Olympics, the lessons learned from this campaign have significant implications for all industries, as attackers will use similar methods to reach a host of targets, posing as very different but relevant organisations. 


"The malware infected emails targeted at organisations linked to the Winter Olympics fits into the general trend we are observing at the moment where cyber criminals are increasingly relying upon targeted attacks rather than mass attacks,” said Wieland Alge, General Manager of EMEA at Barracuda Networks. 

“Cyber criminals are increasingly relying upon targeted attacks rather than mass attacks.”

“Traditionally we have seen mass campaigns that promise something fairly generic – such as lottery winnings or free tickets to an event. However, cyberattacks are becoming ever more targeted and sophisticated as spear phishing emails become an increasingly lucrative tool for cyber criminals.”


In particular, major events, exhibitions or conferences may be a choice target for specific industries, alongside well-known suppliers. Always be cautious about files that you have not specifically requested, and if in doubt, delete the email or contact the apparent sender without opening the attachment to confirm the email is genuine. 

Image courtesy of mg Park / Shutterstock.com

Share this article