Hacking Paris 2024: Olympic Cyber Threats
Published 07/11/2024
Originally published by CXO REvolutionaries.
Written by Rob Sloan, VP, Cybersecurity Advocacy, Zscaler.
Despite repeated predictions of cyber-fueled chaos at the Olympic and Paralympic Games since at least 2004, to date, no Olympics has ever been significantly disrupted. There is reason to believe this year might be different.
Over the last two decades, the reliance on IT to make the Games a success has grown exponentially. Despite sophisticated defenses, an ever-growing attack surface is making the Games harder to protect. Atos, the Olympics’ worldwide IT partner since 2001, reported blocking 4.4 billion security events during Tokyo 2020 (held in 2021), though all but a handful were benign.
Attempted False Flag Attack
Only once in Olympic history has an attack had any noticeable impact: the ‘Olympic Destroyer’ malware that affected the 2018 Winter Olympics in Pyeongchang, Korea.
The attack disrupted the event's IT infrastructure, caused issues with WiFi around the Olympic stadium during the opening ceremony, and affected the official Olympic Games app. It was eventually attributed to Russia’s GRU military intelligence agency.
Clues in the code that pointed towards North Korea were a deliberate tactic to obfuscate the attacker’s true identity–a false flag. The hack was seen as revenge for Russia’s Olympic Committee being suspended from the Games for systematic doping violations. Some Russian athletes with no history of drug use were allowed to participate as neutrals under the Olympic Flag.
A Track Record in Hacking
Russia is suspended from participation again as a sanction from the International Olympic Committee for its invasion of Ukraine. Already an international pariah, Russia may have little to lose in seeking to disrupt the Games again, albeit deniably.
Russia’s motive is threefold: spite for not being allowed to participate, damage the reputation of the Olympics to promote its own 2024 World Friendship Games in September, and as a reproach to French President Emmanuel Macron’s pro-Ukraine stance. President Macron has said he fully expects Russia will malevolently target the Games.
The group that carried out the 2018 attack (‘Fancy Bear’ or APT 28) was also named as being behind the sabotage of French broadcaster TV5Monde in 2015. Disrupting the opening ceremony–the crown jewel of the Olympics was broadcast to over three billion people in 2021–would cause maximum embarrassment to the host country.
Fancy Bear was also behind a hack of the World Anti-Doping Agency (WADA) in 2016, which resulted in the leak of confidential medical data of athletes with therapeutic use exemptions, including Simone Biles and Serena Williams. That attack came shortly after Russia's track and field team was excluded from Rio 2016 for state-backed doping.
“Non-state actors may also decide to attack the Games, but their efforts are unlikely to rise above the level of nuisance.”
Russia’s track record means any attack will likely lead to commentators pointing fingers without necessarily waiting for evidence. With North Korea, Iran and China–countries regularly linked to hostile cyber activity–all competing in Paris 2024, it seems unlikely they would be motivated to disrupt proceedings. Non-state actors may also decide to attack the Games though, either for financial gain, notoriety or for ideological reasons, but their efforts are unlikely to rise above the level of nuisance.
Maximum Impact
Attacks against confidentiality and availability have been proven to have limited effect. The most disruptive attack might be to target the integrity of the Games' data instead.
Among eight cyber-critical risks to the Olympics identified in 2017 by the Center for Long-Term Cybersecurity, the most notable and damaging was manipulating the scoring and/or results of events. The authors noted: “It will only take one serious cybersecurity failure to call the entire integrity of a sporting event into question.”
“Manipulating the scoring data could call the integrity of the whole event into question.”
Such an attack would be beyond all but the most sophisticated actors, though within the capabilities of Fancy Bear and other Russian state-backed attackers. Seeking to undermine the Games' reputation could support the goal of promoting Russia's Olympics competitor, the 2024 World Friendship Games.
Preparation is Everything
Organizations often fall short in areas such as executive support for cybersecurity, availability of financial resources and human expertise, a robust technical strategy, and knowledge sharing. Fortunately, Paris organizers appear to have these bases covered.
President Macron has stated that securing the Games digitally is of paramount importance, thereby setting the tone at the top and making the criticality of the mission clear for everyone.
Next, there is sufficient funding available for cybersecurity, around €17 million,according to some reports. This is intended to cover attack prevention, simulations, securing application code, network segmentation, audits and setting up security operations centers. According to its website, Atos, the IT supplier, and Atos Group company Eviden, the official cybersecurity services and operations supplier, follow zero trust principles, which will be critical in reducing the damage an attacker can cause if they can compromise network security.
Finally, lessons learned at previous Games and other large-scale events have been shared with the Paris 2024 team, who will be well aware of the challenges they face.
With billions of eyes watching the Games this summer, we must trust that the headlines will be dominated by stories of sporting excellence and not by cybersecurity failures.
Related Articles:
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
AI-Powered Cybersecurity: Safeguarding the Media Industry
Published: 11/20/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024
Managing AI Risk: Three Essential Frameworks to Secure Your AI Systems
Published: 11/19/2024