A tall, soft-spoken engineer, Soumenkov had a habit of arriving at work late in the morning and staying at Kaspersky’s headquarters well after dark—a partially nocturnal schedule that he kept to avoid Moscow traffic.
One night, as his coworkers headed home, he pored over the code at a cubicle overlooking the city’s jammed Leningradskoye Highway. By the end of that night, the traffic had thinned, he was virtually alone in the office, and he had determined that the header metadata didn’t actually match other clues in the Olympic Destroyer code itself; the malware hadn’t been written with the programming tools that the header implied. The metadata had been forged.
This was something different from all the other signs of misdirection that researchers had fixated on. The other red herrings in Olympic Destroyer had been so vexing in part because there was no way to tell which clues were real and which were deceptions. But now, deep in the folds of false flags wrapped around the Olympic malware, Soumenkov had found one flag that was provably false. It was now clear that someone had tried to make the malware look North Korean and failed due to a slipup. It was only through Kaspersky’s fastidious triple-checking that it came to light.
A few months later, I sat down with Soumenkov in a Kaspersky conference room in Moscow. Over an hour-long briefing, he explained in perfect English and with the clarity of a computer science professor how he’d defeated the attempted deception deep in Olympic Destroyer’s metadata. I summarized what he seemed to have laid out for me: The Olympics attack clearly wasn’t the work of North Korea. “It didn’t look like them at all,” Soumenkov agreed.
And it certainly wasn’t Chinese, I suggested, despite the more transparent false code hidden in Olympic Destroyer that fooled some researchers early on. “Chinese code is very recognizable, and this looks different,” Soumenkov agreed again.
Finally, I asked the glaring question: If not China, and not North Korea, then who? It seemed that the conclusion of that process of elimination was practically sitting there in the conference room with us and yet couldn’t be spoken aloud.
“Ah, for that question, I brought a nice game,” Soumenkov said, affecting a kind of chipper tone. He pulled out a small black cloth bag and took out of it a set of dice. On each side of the small black cubes were written words like Anonymous, Cybercriminals, Hacktivists, USA, China, Russia, Ukraine, Cyberterrorists, Iran.
Kaspersky, like many other security firms, has a strict policy of only pinning attacks on hackers using the firm’s own system of nicknames, never naming the country or government behind a hacking incident or hacker group—the safest way to avoid the murky and often political pitfalls of attribution. But the so-called attribution dice that Soumenkov held in his hand, which I’d seen before at hacker conferences, represented the most cynical exaggeration of the attribution problem: That no cyberattack can ever truly be traced to its source, and anyone who tries is simply guessing.
Soumenkov tossed the dice on the table. “Attribution is a tricky game,” he said. “Who is behind this? It’s not our story, and it will never be.”
Michael Matonis was working from his home, a 400-square-foot basement apartment in the Washington, DC, neighborhood of Capitol Hill, when he first began to pull at the threads that would unravel Olympic Destroyer’s mystery. The 28-year-old, a former anarchist punk turned security researcher with a controlled mass of curly black hair, had only recently moved to the city from upstate New York, and he still didn’t have a desk at the Reston, Virginia, office of FireEye, the security and private intelligence firm that employed him. So on the day in February when he started to examine the malware that had struck Pyeongchang, Matonis was sitting at his makeshift workspace: a folding metal chair with his laptop propped up on a plastic table.