Cyber-threats at the Olympics

Melissa Bischoping at Tanium argues that preparation key to prevent an unprecedented level of cyber-threat at Paris Olympics 

When it comes to discussing the cyber-threats to this year’s Olympic Games, Vincent Strubel — head of France’s cyber-security agency, ANSSI — doesn’t pull any punches. "We can’t prevent all the attacks,” he told reporters in the run-up to the Paris Games. “There will not be Games without attacks, but we have to limit their impacts on the Olympics,” he said. 

With Paris taking centre stage for both the Olympics (July 26 - Aug 11) and the Paralympics (Aug 28 - Sept 8) it’s clear how ANSSI has approached the task of keeping the Games safe. "There are 500 sites, competition venues and local collectives, and we’ve tested them all,” said Strubel. “The Games are facing an unprecedented level of threat, but we’ve also done an unprecedented amount of preparation work, so I think we’re a step ahead of the attackers," he said. Part of that work was put to the test in 2023, when France hosted the Rugby World Cup, providing an ideal opportunity for ANSSI to test its detection, warning, and incident response systems. 

According to its 2023 Cyber Threat Overview, ANSSI “did not notice any significant change in the threat before or during the competition, and no large-scale computer attack was detected.” If there’s a lesson to be learned, it’s that when it comes to cyber-security, planning, preparation and testing is key. And it’s never-ending.

Not immune to global events

The ongoing Israeli-Palestinian conflict and the war in Ukraine could all potentially spill over from battlefields to sporting arenas. Rogue states — and those keen to see their particular cause grab a moment in the spotlight — are also in the frame. And all of this is set against a backdrop of a host nation that is on its heels following a snap election amid ongoing political tensions.

In what ANSSI describes as” the greatest threat to the most critical networks and to the French ecosystem” it has warned against a “resurgence in the number of ransomware attacks against French institutions.” Indeed, ANSSI noted last year of an “upsurge of attacks aimed at promoting a political agenda” and, in particular, “distributed denial of service attacks (DDoS) conducted by pro-Russian hacktivist groups.” This doesn’t just apply to the high-profile main suppliers to the Games who could be in the crosshairs of a potential attack.

The threat applies to all businesses regardless of whether they have any direct link to the Games. While malicious Olympics-related content circulated on social media could be a way for innocent employees to fall victim to fraud or worse. As is so often the case, the concern is those most likely to fall victim to an attack are those least expecting it. 

Critical infrastructure at risk

In its report on the threats facing the 2024 Olympic Games, security company Recorded Future warned that attacks could affect companies indirectly supporting the event in sectors such as transportation and logistics, healthcare, hospitality, and public service. “The 2024 Paris Olympic Games face numerous threats due to their high-profile nature and international significance,” said the report, warning that the event remains a “potential target for violent extremists and opportunistic criminal groups.”

While there are concerns about attacks on national infrastructure or anything that might jeopardise the smooth running of the event, there are countless threats on a much smaller scale. With more than 13 million expected ticket sales and over 15 million expected visitors — generating an estimated $11.8 billion in economic activity — the Games are an ideal opportunity for cyber-criminals to exploit the weaknesses associated with an event of this size and scale. 

Spoofing and phishing scams are likely to dominate, with the use of AI likely to add a new level of sophistication to malicious cyber-attacks. Make no mistake — every athlete, official, dignitary, resident or visitor is a potential risk — not just to themselves but to those around them. Now more than ever, the onus is on the people to take these, and other, necessary steps to protect themselves, as everyone will be a prime target. 

Expect a spike in malicious activity 

“One of the ways to gain unauthorised access would be through identity-based vectors,” said Jonathan Ong, senior cyber-security analyst at Omdia. “This means we could see a rise in phishing attacks targeted at credential harvesting. This is further fuelled by the interest in the Games and augmented by the democratisation of AI tools. “Phishing emails are now more sophisticated and error-free, and deepfakes have thrown traditionally safer verification methods like video and speech into doubt,” he said. Of course, with such little time left, it’s up to businesses to do what they can with whatever resources they have available. 

Richard Absalom, principal analyst at the Information Security Forum, said that companies should treat the Olympics threat as a risk management exercise, prioritising the biggest risks and focusing what resources they have on mitigating these. “Dig down into your key critical suppliers (especially those based in France) and who else they do business with,” said Absalom. “Are they exposed in any way when it comes to the Games?”

On a technical level, that means prioritising patches for the most vulnerable flaws while bolstering defences using measures such as multi-factor authentication, access control reviews and tightening password management.

As the Games are under way, the success of this global event has made it a target for those who wish to draw attention to their cause célèbre, or who simply see it as a way to make a quick buck. For those on the frontline protecting infrastructure, assets, and people, only time will tell if this summer’s Olympics are remembered for all the right reasons. 

Melissa Bischoping is Director Endpoint Security Research at Tanium

Main image courtesy of iStockPhoto.com and Olivier DJIANN