Olympics Open and Cyberattacks Begin

PYEONGCHANG, South Korea — Internet problems before and during the opening ceremony of the Winter Olympics on Friday were being investigated as a possible cyberattack, officials said Saturday.

Sung Baik-you, a spokesman for the Pyeongchang Organizing Committee, said Saturday that some technical issues “impacted some of our noncritical systems last night for a few hours.”

Sung did not elaborate and said that the committee was investigating the cause. He said the attack “did not disrupt any event or have any effect on the safety or security of any athletes or spectators.” A spokeswoman for the committee said a cybersecurity team was assisting in the investigation.

During the ceremony, the wireless service in the stadium stopped working as soon as the ceremony began, hampering reporters and spectators who wanted to post on social media.

According to a report by the Yonghap News Agency, the attack disrupted some internet-based telecasts at the main press center. When organizers shut down servers to deal with the attack, the Pyeongchang 2018 website stopped working, and some spectators who had bought tickets for the opening ceremony were unable to print out their reservations. According to Reuters, drones that were scheduled to film the ceremony failed to deploy, forcing broadcasters to splice in prerecorded video.

Sung said that the organizers sold 99 percent of 35,000 tickets to the opening ceremony, though viewers noticed many empty seats.

It is possible the frigid weather kept some away, in addition to technical problems.

Mark Adams, a spokesman for the International Olympic Committee, said he hoped to have more information Sunday.

A U.S. State Department official said the State Department’s Diplomatic Security Service said it was aware of attack reports and continued to work closely with South Korean law enforcement and security agencies, but deferred questions to the International Olympic Committee.

Olympic Games are often targets of cyberattacks and before the opening, the U.S. Department of Homeland Security warned Americans that cybercriminals would likely try to infiltrate the games.

North Korea has a persistent army of hackers that have attacked central banks and movie studios. Observers had hoped that the fact that North Korean athletes were attending the games might ease the threat of cyberattacks, while others said that Russian groups might seek to retaliate for a ban on Russian athletes.

In recent weeks, U.S. security researchers at the security firms McAfee and FireEye fired off warnings about an escalating nation-state attack on Olympic organizations. Neither firm has been able to tie the active campaign back to one nation state, but they believe a state is responsible given the resources and organization involved, and the fact that there is little profit incentive to the attacks.

The attacks began last year with phishing emails to Olympic-related targets. By January, researchers at McAfee said that attackers had successfully compromised several victims, installed malware on their machines and were now actively stealing data off their machines. At the time, attackers’ end goal remained unclear, but security experts across the industry said they have been bracing for what they now describe as an inevitable attack.

In the days leading up to Friday’s opening ceremony, attackers had moved to Phase 3 of their attack, Ryan Sherstobitoff, a senior analyst at McAfee, said Saturday.

Over the past few days, McAfee’s advanced threat research team discovered that attackers had successfully installed a new, “more persistent implant” in victims’ servers that may have led to the opening ceremony disruptions, though investigators were still trying to nail down the exact cause Saturday.

“We do not have any further information beyond our discovery that would suggest the new implant led to it, but it is highly plausible,” Sherstobitoff wrote by email.

He said this new implant would give attackers the ability to do whatever they wished with victims’ machines, including potentially taking them offline.