The 2018 Olympics Cyberattack (wired.com)
89 points by agarden on Oct 19, 2019 | 4 comments



> At 6:30 am, the Olympics' administrators reset staffers' passwords in hopes of locking out whatever means of access the hackers might have stolen. Just before 8 that morning, almost exactly 12 hours after the cyberattack on the Olympics had begun, Oh and his sleepless staffers finished reconstructing their servers from backups and began restarting every service.

> Amazingly, it worked. The day's skating and ski jumping events went off with little more than a few Wi-Fi hiccups.

To me, this was the most interesting part of the article. What if the malware was part of a previous backup? What if hackers had access to an existing staffer, and the password reset would have been ineffective?

It reads like the fact that the winter Olympics streams worked just fine was a matter of luck on these two relatively simple measures working.


In that sense, defending against any cyber attack ultimately comes down to an element of luck... that the attacker didn’t gain access one level deeper, that they didn’t exploit a particular vulnerability that would have allowed wider or more persistent access, etc.

As far as initial response playbooks go, I would imagine password reset (with session clearing) and restore from known working backup is a pretty good start.


It was deeper than a backup. I think before that, they mentioned backups were infected/destroyed before they could even be brought up.

The paragraph before your quote also mentioned an outside security firm gave them a patch of some sort as well.

So with the patch, removing all sources of the malware, and changing passwords, AND THEN replacing with backups? That's kind of what I imagined happening to secure the network.


TL;DR - it was the Russians (GRU)



