S0365: Olympic Destroyer
Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[1][2]
Analyst context for executives and security teams
Olympic Destroyer matters because it represents destructive Windows malware designed to make infected systems inoperable and spread across a network to maximize disruption. For leaders, the key decision is not just whether a signature exists, but whether the organization can detect credential theft, lateral movement over Windows administration channels, service disruption, recovery inhibition, log clearing, and rapid destructive activity before business operations are affected.
Executive priority
Treat this as an operational resilience and incident-readiness scenario. The supplied ATT&CK relationships connect Olympic Destroyer to credential access, discovery, SMB/admin share movement, WMI and service execution, lateral file transfer, data destruction, service stopping, recovery inhibition, reboot/shutdown, and Windows event log clearing. Executives should ask whether critical Windows environments have segmented administration paths, protected credentials, recoverable backups, and SOC playbooks for destructive malware. This is also useful evidence for audit and compliance discussions around backup integrity, privileged access control, logging retention, and incident response readiness.
Technical view
For SOC, detection engineering, and IR teams, validate coverage across the full behavior chain rather than relying on one malware indicator. On Windows, prioritize telemetry for LSASS access, browser credential store access, network and share discovery, SMB/admin share usage, WMI execution, service-control execution, internal file transfer, service termination, recovery-feature tampering, shutdown/reboot activity, and Windows event log clearing. Because MITRE provides no official detection text for this software object, detections should be derived from the linked ATT&CK techniques and tested against local administrative baselines to separate legitimate operations from destructive or worm-like propagation patterns.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for native utilities and administrative tools
- EDR or OS telemetry showing suspicious access to LSASS process memory
- File and registry activity related to browser credential stores where collected
- SMB and Windows admin share access logs, including remote file copy behavior
- WMI operational logs and remote execution evidence
Detection direction
- Correlate credential-access signals with subsequent SMB, WMI, service execution, or admin share activity; single events may be legitimate, but chained activity increases concern.
- Baseline legitimate Windows administration, software deployment, backup, and helpdesk behavior to reduce false positives around WMI, service control, and SMB file copy.
- Monitor for destructive-impact precursors: service stopping, recovery inhibition, log clearing, and coordinated shutdown/reboot activity, especially across multiple systems.
- Validate whether logs remain available when Windows Event Logs are cleared; forward critical telemetry off-host where feasible.
- Test visibility for lateral movement over Windows admin shares and internal tool transfer, since these can blend into normal administration.
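One way to prototype the chained correlation described above, as an added example that is not from MITRE, Talos or Glexia: events are constructed dicts standing in for Sysmon (EID 10 process access, EID 1 process create), Security (5140 share access, 1102 audit log cleared) and System (7045 service install, 1074 shutdown) records. The event-to-stage mapping and the 30-minute window are assumptions to tune against local administrative baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event id) -> stage; filters in classify() narrow the generic IDs (assumed mapping)
STAGES = {("Sysmon", 10): "cred",        # process accessed lsass.exe (T1003.001)
          ("Security", 5140): "lat",     # ADMIN$/C$ share accessed (T1021.002)
          ("System", 7045): "lat",       # new service installed, PsExec-style (T1569.002)
          ("Sysmon", 1): "lat",          # process spawned by WmiPrvSE.exe (T1047)
          ("Security", 1102): "impact",  # Security log cleared (event log clearing)
          ("System", 1074): "impact"}    # shutdown/restart initiated (T1529)

def classify(e):
    """Return 'cred', 'lat', 'impact', or None for one event dict."""
    stage = STAGES.get((e["channel"], e["id"]))
    ok = {10: e.get("target", "").lower().endswith("lsass.exe"),
          1: e.get("parent", "").lower().endswith("wmiprvse.exe"),
          5140: e.get("share", "").endswith("$")}.get(e["id"], True)
    return stage if stage and ok else None

def chain_alerts(events, window=timedelta(minutes=30)):
    """Per host: 'high' if credential access precedes lateral movement within
    the window, 'critical' if an impact event then follows that chain."""
    seen = defaultdict(list)
    for e in events:
        s = classify(e)
        if s:
            seen[e["host"]].append((e["time"], s))
    alerts = {}
    for host, seq in seen.items():
        cred = [t for t, s in seq if s == "cred"]
        lat = [t for t, s in seq if s == "lat" and any(c <= t <= c + window for c in cred)]
        if not lat:
            continue  # share/WMI/service use alone may be routine administration
        last = max(lat)
        hit = any(s == "impact" and last <= t <= last + window for t, s in seq)
        alerts[host] = "critical" if hit else "high"
    return alerts

T0 = datetime(2024, 1, 1, 9, 0)  # constructed base timestamp
def ev(host, mins, channel, eid, **f):
    return {"host": host, "time": T0 + timedelta(minutes=mins), "channel": channel, "id": eid, **f}
SAMPLE_EVENTS = [  # constructed sample telemetry, not real Olympic Destroyer data
    ev("WS01", 0, "Sysmon", 10, target=r"C:\Windows\System32\lsass.exe"),
    ev("WS01", 3, "Security", 5140, share=r"\\*\ADMIN$"),
    ev("WS01", 9, "Security", 1102),
    ev("WS02", 0, "Sysmon", 1, parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ev("WS02", 2, "Sysmon", 10, target=r"C:\Windows\System32\lsass.exe"),
    ev("WS02", 4, "System", 7045),
    ev("ADMIN01", 0, "Security", 5140, share=r"\\*\C$"),  # share use with no credential theft
]
```

Running `chain_alerts(SAMPLE_EVENTS)` flags WS01 as critical and WS02 as high while leaving ADMIN01 unflagged, which is the baseline behaviour the list above asks for.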
Mitigation priorities
- Prioritize resilient backups and recovery processes that are protected from routine administrative compromise and periodically tested for restoration.
- Harden privileged access to Windows systems, especially credentials that can access LSASS-protected material, admin shares, WMI, and service control functions.
- Segment critical Windows networks and restrict lateral movement paths such as SMB/admin shares and remote management interfaces to approved administrative sources.
- Reduce credential exposure in browsers and on endpoints where feasible, and enforce least privilege for users and administrators.
- Centralize and protect logs so event clearing on a host does not eliminate investigation evidence.
Analyst notes and limits
The strongest defensive value is in mapping Olympic Destroyer to a destructive intrusion pattern: credential collection, discovery, lateral movement, execution through Windows administration mechanisms, and impact actions that impair systems and recovery. The object is associated through ATT&CK with Sandworm Team and was used against the 2018 Winter Olympics, but local investigations still require independent evidence before making attribution claims.
The official malware object lists Windows as the platform but does not provide official detection guidance, aliases, labels, or object-level tactics. Some related techniques list broader platforms in ATT&CK; this analysis treats Olympic Destroyer as supported only on Windows, per the supplied malware platform field. Control and detection recommendations require validation against local logging, endpoint coverage, administrative practices, and recovery architecture.
Olympic Destroyer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Olympic Destroyer uses API calls to enumerate the infected system's ARP table.[1] |
| Enterprise | T1555.003 | Credentials from Web Browsers | Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.[1] |
| Enterprise | T1489 | Service Stop | Olympic Destroyer uses the API call |
| Enterprise | T1529 | System Shutdown/Reboot | Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.[1][2] |
| Enterprise | T1685.005 | Clear Windows Event Logs | Olympic Destroyer will attempt to clear the System and Security event logs using |
| Enterprise | T1485 | Data Destruction | Olympic Destroyer overwrites files locally and on remote shares.[1][2] |
| Enterprise | T1570 | Lateral Tool Transfer | Olympic Destroyer attempts to copy itself to remote machines on the network.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | Olympic Destroyer uses WMI to help propagate itself across a network.[1] |
| Enterprise | T1018 | Remote System Discovery | Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.[1] |
| Enterprise | T1135 | Network Share Discovery | Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.[1] |
| Enterprise | T1569.002 | Service Execution | Olympic Destroyer utilizes PsExec to help propagate itself across a network.[1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Olympic Destroyer uses PsExec to interact with the |
| Enterprise | T1490 | Inhibit System Recovery | Olympic Destroyer uses the native Windows utilities |
| Enterprise | T1003.001 | LSASS Memory | Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.[1] |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | cefd0038d3ff… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos Olympic Destroyer 2018: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- [2] US District Court Indictment GRU Unit 74455 October 2020: Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- [3] mitre-attack S0365: MITRE ATT&CK software object S0365.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.