Cybersecurity teams are on high alert at the 2024 Olympic Games

As athletes from around the world compete for gold at the 2024 Olympic and Paralympic Games in Paris, cybercriminals are fine-tuning their own game plans to hack, attack and exploit the world’s biggest event, potentially making the 30th Olympic Games the biggest cybersecurity risk in history.

“Cybercrime and cyber threats have increased tremendously in recent years. And this is the biggest show on earth, not just in sports, but probably the biggest event on earth, so you know it’s going to be a target for human disruption for all sorts of reasons,” said Richard Thurston, research director for European security services at IDC.

According to Cisco, the network infrastructure provider for the Paris Games, there were 450 million cyberattacks on the COVID-postponed 2021 Tokyo Summer Olympics. Cisco expects the Paris Olympics (July 26-August 11) and Paralympics (August 28-September 8) to be eight times more likely to be attacked.

An IDC research report released ahead of the Games suggests that “Paris 2024 will have the highest potential for cyber disruption in history.” IDC further describes the Games as “the most connected Olympic Games ever” with “the most complex threat landscape” and “the greatest degree of ease for threat actors to execute attacks.”

Much of this relief is thanks to artificial intelligence, as Paris hosts the first Olympic Games in the age of generative AI.

GenAI has already been used in a sophisticated online smear campaign against the Games. In 2023, Russian disinformation collective Storm-1679 created an AI-generated video using a deepfake of Hollywood star Tom Cruise. The video, “Olympics Has Fallen” (a rude reference to the 2013 action thriller “Olympus Has Fallen”), used a deepfake of Cruise’s image and voice to denigrate the International Olympic Committee (IOC) ahead of the Paris Games.

Cybercriminals are also using AI as a weapon for malvertising and SEO poisoning before and during the Olympics, warns Ashley Jess, senior intelligence analyst at Intel 471.

“I just saw someone last week explaining how to use ChatGPT to create websites that optimize search engines so that the malicious site appears at the top (of the search results), using hundreds of websites at once,” says Jess.

This AI-based tactic could also be used to create fake Olympic ticket websites and rank those sites at the top of online searches for tickets to the Paris Games, she adds. To prevent ticket fraud, Paris organizers have set up only one website for legal ticket sales, tickets.paris2024.orgBy June, however, French authorities had already identified 338 fraudulent Olympic ticket sites on the Internet.

Hacktivism and cyber espionage

Out of greed, cybercriminals will use Olympic-themed emails and websites as clickbait to launch lucrative campaigns such as phishing and ransomware attacks. Hacktivists, in turn, may target the Paris Games for political and social reasons. Due to the current geopolitical conflicts in Ukraine and the Gaza Strip, the 2024 Summer Olympics could be particularly vulnerable to hacktivist attacks.

“A hacktivist will most likely damage websites or conduct denial-of-service attacks against the infrastructure supporting the event, mainly to embarrass the host country or organization,” says Sami Khoury, head of the Canadian Centre for Cyber ​​​​Security (CCCS), the Canadian equivalent of the ANSSI. “They will seize the opportunity because there will be billions of people watching the Olympics.”

“Hacktivism will not only target Olympic infrastructure,” Khoury continues. “In the context of the Paris Olympics, it could target France, but also other countries and governments that support Ukraine.”

During the 2016 Summer Olympics in Rio de Janeiro, DDoS attacks by the hacktivist collective Anonymous brought down various Brazilian government websites – a digital protest against police and military raids in Rio’s impoverished favelas.

The Paris Summer Games are also a prime target for state-sponsored cyber espionage. Like hacktivism, this type of espionage has a political motive; however, unlike hacktivism, it is always coordinated, funded or approved by a specific government. The CCCS issued a bulletin in May warning of the risk of cyber espionage at major global sporting events, noting that Russia’s exclusion from several international sports organizations – including the IOC and the Fédération Internationale de Football Association (FIFA) – following the invasion of Ukraine could prompt the Kremlin to support retaliatory cyber espionage measures.

A cyberespionage operation at the Rio Olympics was like something out of a James Bond film. When a World Anti-Doping Agency (WADA) official logged into the WADA database via the WiFi at his Rio hotel, hackers stole his login details. Weeks later, the Russian cyberespionage group Fancy Bear published WADA’s confidential medical records of more than 125 athletes who competed in Rio, including American gymnast Simone Biles and tennis stars Venus and Serena Williams.

Protecting the games

The French government’s national cybersecurity agency, Agence national de la sécurité des systèmes d’information (ANSSI), is overseeing the huge effort to ensure the cybersecurity of the Paris Olympics. Since mid-2023, it has held several awareness seminars and crisis planning exercises with multiple stakeholders from government, security and sports. Eviden (a division of Atos, the lead IT integrator for the Games) manages the Paris Olympics’ cybersecurity services and operations, “which can be provided by a dedicated SOC for the Games as well as up to 17 SOCs worldwide,” according to the IDC report.

This is a far cry from the stunning faux pas committed by Japan’s cybersecurity minister ahead of the 2020 Tokyo Summer Olympics. Just two years before the Games, Yoshitaka Sakurada admitted he doesn’t use computers and seemed confused about how USB sticks work.

Despite years of planning, anything can happen at the last minute. Shortly before the opening ceremony of the 2018 Winter Olympics in Pyeongchang, South Korea, hackers sponsored by the Russian state launched a malware attack called Olympic Destroyer. It took down the official Olympic website and the stadium’s Wi-Fi, disrupted broadcast operations and the on-site news center, and prevented some spectators from entering the ceremony because they were unable to print their tickets.

The Paris Games have also been on the brink of a cyber disaster. While some banks, airlines and media outlets around the world suffered outages on their Microsoft-based systems following a faulty CrowdStrike update on July 19, Paris organizers said the impact on Olympic operations was minimal and limited to the delivery of some uniforms and accreditations.

Third-party cyber risks

Although the CrowdStrike incident was not a malicious cyberattack, it puts the issue of third-party risk in the Olympics spotlight. Even if ANSSI can successfully fend off cyberattacks directly targeting this summer’s games, the Paris Olympics could still be disrupted if a malicious cyberattack somewhere in the daisy chain cripples one of its IT providers.

“Essentially, there is third-party software that is part of the infrastructure and clouds for (Olympic) telecommunications, security or fulfillment. If those fail or are attacked, the impact can be very, very big,” says Eugene Spafford, executive director emeritus of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

According to Spafford, the greatest risk is to the IT infrastructure of “organizations that are in any way connected to what is happening in Paris or around the Olympic Games.” These include direct suppliers and partners of the event, as well as hotels and other tourism companies that serve the 10 to 15 million visitors expected in France during the Games.

However, IDC’s Thurston urges cybersecurity teams worldwide to recognize that the Paris Games are increasing cyber risk well beyond the perimeter of Paris, France or the Olympics themselves. In addition to the proliferation of Olympic-related phishing, malware and ransomware, he points out that cybersecurity teams across countries and industries may be understaffed due to the summer holidays. In addition, 24-hour coverage of the Olympics on television and social media could impact the ability of business employees to evade cyber fraud and hackers.

“Employees may be streaming something about the Olympics or watching coverage online while working at the same time,” says Thurston. “Sometimes security is lacking in those moments, so companies need to be aware of these threats, which may change during the Olympics.”

If the Paris Games go ahead without any major cybersecurity issues, no one will be climbing onto the podium to win a medal behind the scenes, but silence would be worth its weight in gold.

What SOC teams can do

Tips for SOC teams around the world during the heightened cyber risk period of the Paris Olympic Games:

• Monitor geopolitical events and be aware of how they could make your company (or your partners and suppliers) the target of an Olympics-related hacktivism cyberattack that could have a ripple effect on your IT systems, says Jess of Intel 471.
• Be especially vigilant against cyber threats if your company or organization has relationships with companies that play a key role in the Olympic Games supply chain, advises IDC’s Thurston.
• Run simulations or other tests of your backup plans, fallback services, fallback servers and hot spares to ensure they work as intended, says Purdue’s Spafford.
• Make your organization aware of Olympics-related phishing, clickbait, fraud and scam campaigns and educate them on how they work, Spaffordadds.
• Make sure your internet-based infrastructure and operating systems are up to date and patched and that all employees use strong passwords with MFA, advises CCCS’s Khoury.
• If your company is directly linked to the Games as a supplier or partner, you can’t let your guard down during the Games, including at night or on weekends. During the 9am-5pm time zone in which the Games are being held in Paris, the likelihood of cyber incidents is higher than in your own time zone, Khoury adds.