2024 Olympics put cybersecurity teams on high alert

 

As athletes from around the world vie for gold at the 2024 Olympics and Paralympics in Paris, cybercriminals are fine-tuning their own game plans to hack, attack, and exploit the largest event on the planet, making the 30th Olympiad potentially the greatest cybersecurity risk in history.

“Cybercrime and cyberthreats have gone through the roof in recent years. And this is the biggest show on Earth, not just in sport but probably the biggest event on Earth. So you know it’s going to be the target for disruption by people for a variety of reasons,” says Richard Thurston, research manager of European security services at IDC.

There were 450 million cyberattacks against the COVID-delayed Tokyo summer games in 2021, according to Cisco, the network infrastructure provider for the Paris games. Cisco expects eight times more attacks to target the Paris Olympics (running July 26 to August 11) and Paralympics (happening August 28 to September 8).

An IDC research report released ahead of the games suggests “Paris 2024 will see the highest potential for cyber disruption in history.” IDC goes on to call these “the most connected Olympic games ever” with “the most complex threat landscape” and “the highest degree of ease for threat actors to execute attacks.”

Much of that ease is courtesy of artificial intelligence, since Paris is hosting the first Olympics of the generative AI era.

AI threats and tools

GenAI has already been used in a sophisticated online smear campaign against the games. In 2023, Russian disinformation collective Storm-1679 created an AI-generated video starring a deepfake of Hollywood star Tom Cruise. The video, “Olympics Has Fallen” (a churlish nod to the 2013 action thriller “Olympus Has Fallen”), used a deepfake of Cruise’s image and voice to disparage the International Olympic Committee (IOC) in the run-up to the Paris games.

Cybercriminals are also weaponizing AI for malvertising and SEO poisoning before and during the Olympics, warns Ashley Jess, senior intelligence analyst at Intel 471.

“I just saw last week that someone was sharing how to use ChatGPT to build websites that optimize a search engine with your malicious website at the top [of search results]. It was leveraging hundreds of websites at the same time to do it,” says Jess.

This AI-based tactic could also be used to build fake Olympics ticketing websites and send those sites to the top of online searches for Paris games tickets, she adds. To hamper ticket fraud, Paris organizers have designated only one website for legitimate ticket sales, tickets.paris2024.org. As of June, however, French authorities had already identified 338 fraudulent Olympics ticket sites on the web.

Hacktivism and cyber espionage

Cybercriminals motivated by greed will use Olympic-themed emails and websites as clickbait to launch money-making exploits such as phishing and ransomware attacks. Hacktivists, on the other hand, may target the Paris games motivated by political and social causes. Current geopolitical conflicts in Ukraine and Gaza could make the 2024 summer Olympics particularly ripe for hacktivist attacks.

“A hacktivist will most likely do website defacement or denial of service attacks against the infrastructure that supports the event, mostly to embarrass the host country or the organization,” says Sami Khoury, head of the Canadian Centre for Cyber Security (CCCS), the Canadian equivalent of ANSSI. “They’ll take advantage of the opportunity because there will be billions of people watching the Olympics.”

“Hacktivism is not just going to be against the Olympic infrastructure,” Khoury continues. “In the context of the Paris Olympics, it could be against France, but it could also be against other countries and governments who support Ukraine.”

During the 2016 summer Olympics in Rio de Janeiro, DDoS attacks by the hacktivist collective Anonymous struck down various Brazilian government websites, a digital protest against police and military raids in Rio’s impoverished favelas.

This summer’s Paris games are also a prime target for state-sponsored cyber espionage. Like hacktivism, it has a political motive; unlike hacktivism, it’s always coordinated, funded, or sanctioned by a particular government. The CCCS issued a bulletin in May warning about the risk of cyber espionage at large global sporting events. It noted that Russia’s ban from several international sports organizations — including the IOC and the Fédération Internationale de Football Association (FIFA) — following the invasion of Ukraine could prompt the Kremlin to back retaliatory cyber espionage.

A cyber espionage operation at the Rio Olympics unfolded like something out of a James Bond movie. When an official from the World Anti-Doping Agency (WADA) logged into WADA’s database using the Wi-Fi at his Rio hotel, hackers stole his login credentials. Weeks later, the Russian cyber espionage group Fancy Bear publicly posted the confidential WADA medical records of more than 125 athletes who had competed in Rio, including American gymnast Simone Biles and tennis stars Venus and Serena Williams.

Protecting the games

The French government’s national cybersecurity agency, Agence nationale de la sécurité des systèmes d’information (ANSSI), is overseeing the monumental effort to keep the Paris Olympics cyber safe. Since mid-2023 it has held several awareness-raising seminars and crisis-planning exercises with multiple stakeholders across the government, security, and sports ecosystems. Eviden (a division of Atos, the lead IT integrator for the games) is managing Paris Olympics cybersecurity services and operations, “which can be delivered from a dedicated SOC for the games, as well as up to 17 SOCs worldwide,” according to the IDC report.

It’s a far cry from the jaw-dropping gaffe made by Japan’s cybersecurity minister ahead of the 2020 Tokyo summer Olympics. Just two years before the games were scheduled to be held, Yoshitaka Sakurada admitted he didn’t use computers and seemed confused about how USB drives work.

Despite years of planning, anything can happen right up until the eleventh hour. Just before the opening ceremonies of the 2018 winter Olympics in PyeongChang, South Korea, Russian state-sponsored hackers unleashed a malware attack dubbed Olympic Destroyer. It knocked out the official Olympics website and stadium Wi-Fi, wreaked havoc with broadcast operations and the on-site news media center, and prevented some spectators from entering the ceremonies when tickets couldn’t be printed off.

The Paris games have already had their own near brush with cyber disaster. While some banks, airlines, and media outlets around the world suffered outages to their Microsoft-based systems after a faulty CrowdStrike update on July 19, Paris organizers said the impact on Olympics operations was minimal and limited to the delivery of some uniforms and accreditations.

Third-party cyber risk

Though the CrowdStrike incident wasn’t a malicious cyberattack, it throws the issue of third-party risk into the Olympic spotlight. Even if ANSSI successfully fends off cyberattacks directly targeting this summer’s games, the Paris Olympics could still be disrupted if a malicious cyber strike takes out one of its IT providers somewhere along the daisy chain.

“Basically, you have third-party software that’s part of the infrastructure and clouds for [Olympics] telecommunications or security or ordering processing. If they go down or they’re attacked, that can have a ripple effect that’s very, very large,” says Eugene Spafford, executive director emeritus at Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS).

Spafford says the most immediate risk is to the IT infrastructure of “organizations that are connected to what’s going on in Paris or around the Olympics in some way.” That includes direct suppliers and partners of the event, plus hotels and other tourism businesses catering to the 10 to 15 million people expected to visit France during the games.

IDC’s Thurston, however, urges cybersecurity teams worldwide to recognize that the Paris games heighten the level of cyber risk well beyond the perimeter of Paris, France, or the Olympics themselves. Besides the proliferation of Olympic-themed phishing, malware, and ransomware, he points out that cybersecurity teams in every country and industry may be short-staffed due to summer vacations. On top of that, 24-hour coverage of the Olympics on TV and social media could hurt the ability of line-of-business employees to sidestep cyber scams and hackers.

“Employees might be streaming something about the Olympics or might be looking at the web coverage while they’re working at the same time,” says Thurston. “Sometimes security slips at those moments. That’s why organizations just have to be cognizant of those threats that might change during the Olympic period.”

If the Paris games do go off without a major cybersecurity hitch, no one behind the scenes will climb onto the podium for a medal. But silence, in that case, would truly be golden.

What SOC teams can do

Tips for SOC teams around the world during the heightened cyber risk period of the Paris Olympics:
  • Monitor geopolitical events and be aware of how they might make your organization (or your partners and suppliers) the target of an Olympic-related hacktivist cyberattack that could have a ripple effect on your IT systems, says Intel 471’s Jess.
  • Be extra vigilant of cyberthreats if your business or organization has any relationship with companies playing key roles in the Olympics supply chain, IDC’s Thurston says.
  • Perform tabletop exercises or other tests of your backup plans, fallback services, fallback servers, and hot spares to make sure they work as intended, Purdue’s Spafford notes.
  • Raise awareness across your organization of Olympic-related phishing, clickbait, scams, and fraud campaigns and how they work, Spafford adds.
  • Ensure your Internet-facing infrastructure and operating systems are up to date and patched, and all staff are using strong passwords with MFA, advises CCCS’ Khoury.
  • If your company is directly tied to the games as a supplier or partner, don’t let your guard down at night or on weekends during the games; cyber incidents are more likely to happen during the 9 to 5 time zone of the Paris games rather than your own time zone, Khoury adds.
