At the Olympic Games in Pyeongchang, as at so many sporting events, hackers competed in their own way. They even invited themselves to the opening ceremony and managed to strike before the Games began. A malware program dubbed Olympic Destroyer simultaneously hit the networks for Pyeongchang2018.com, ski resorts and servers belonging to Atos, the IT service provider for the Games. This computer worm then automatically spread through Windows network shares, rendering both the official website of the Olympic Games and the stadium’s Wi-Fi connection unusable. This prevented the event from being broadcast, blocked automatic doors and elevators at several hotel facilities, and did other damage. The episode illustrates the concerns that an international sporting event entails with respect to hackers (regardless of their motivations) and the consequences of a cyberattack that specifically targets such an event. Given that France is to host important events in 2023 and 2024, it is a good idea to reflect on the cyber risks that are part and parcel of major tournaments and competitions.
1 Sporting Events: Choice Targets…
Thanks to passionate supporters the world over, major sporting events represent a business worth billions of euros annually. Criminals, activists and terrorists find the scope of these events particularly alluring. Perhaps they wish to grab a piece of such an enormous pie, broadcast their ideological notions on a massive scale or carry out their misdeeds on this new playing field.
The growing digital dimension of sporting events presents a formidable opportunity. New technologies are enhancing performance and training for athletes, heightening the sensory experience for fans, and aiding judges and referees in decision-making. However, each new opportunity comes with its own set of new threats. Digital technologies, connected objects and industrial and real-time systems all inevitably offer up a surface of vulnerability. The latest editions of the Olympic Games have testified to this: 12 million attacks per day were identified in Beijing in 2008, 212 million fraudulent connections were detected in London in 2012 and 200 risk events were observed in Sochi in 2014.
Attacks vary widely, from stealing confidential information on athletes to blocking the system for announcing results. For example, the 2014 FIFA World Cup in Brazil suffered a broad range of cyberattacks: theft and dissemination of confidential data from the Ministry of Foreign Affairs and databases linked to the event, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, website defacement, attacks on ATMs, mobile phone trafficking, stadium ticket fraud, fake sporting event betting websites and so on. Similarly, the Olympic Games in Rio in 2016 were the target of attacks such as ransomware programs downloaded through websites that were supposed to present the results of the competitions, spear phishing campaigns and compromise of unsecured Wi-Fi hotspots such that banking Trojans could be introduced. More recently, the Russian hacking group known as Fancy Bears revealed a list of football players who were granted therapeutic use exemptions during the 2010 World Cup in South Africa.
2 …For Attackers with a Variety of Backgrounds and Motivations…
Cyberattacks may, of course, be financially motivated. The increased volume of financial transactions tied to a major sporting event entices many attackers.
The attention that major sporting events get from global media and the celebrity status of elite athletes also turn such events into sounding boards for hacktivists and the different ideologies that they promote. In this case, sporting events become a vehicle for political and societal protests. The ideological, political and economic enemies of the organising country focus their attention on that country and view the failure of the competition as an effective means of destabilisation. Indeed, Qatar is already the target of rival States as it prepares for the 2022 World Cup.
Finally, an international sporting event represents a prime target for terrorist groups, who may choose to conduct their attacks in cyberspace. For example, DAESH made threats before the Olympic Games in Rio; these threats were taken very seriously by the authorities.
One category of attack targets the organisation of the event, starting with facilities in general and stadiums in particular. Tens of thousands of people may be concentrated inside these increasingly automated and connected buildings managed by complex IT systems called building management systems. All parts of such a system — elevators, air conditioning, physical security systems, audio and video broadcasting systems, refereeing support systems, public Wi-Fi and so on — present security flaws that may facilitate cyberattacks. Many different scenarios may be imagined. A stadium’s air conditioning or electrical facilities might be sabotaged. Display systems might be taken over to broadcast propaganda images. Public Wi-Fi networks might be hacked to steal data or introduce malware. Spoofing or DoS attacks might be conducted against equipment for measuring athletic performance or systems to aid in refereeing. The list goes on. In addition, terrorist attacks might take place outside stadiums. Terrorists might induce panic in a stadium by issuing a bomb alert or general evacuation message, then carry out a suicide bombing or other bombing as fans exit the stadium. Alternatively, they might hack video surveillance systems or metal/explosive detectors to help armed individuals get inside a stadium.
Hospitality facilities also represent choice targets as they are increasingly digital and their cybersecurity is often lacking. For example, a dozen guests of the lakeside Alpine Hotel in Austria were locked inside their rooms by a ransomware program in late 2016. Cyberattacks to sabotage drinking water quality, electricity generation or distribution, air conditioning systems, medical facilities, or other facilities may also be pictured. A cyberattack may affect any piece of digital equipment, even the most seemingly harmless device — even if it is not connected to the Internet. Moreover, sometimes the most critical targets are not the ones that spring to mind immediately, especially as the technical means required are not extremely complex given how unprotected some systems are.
Another category of attack targets the athletes themselves. This category includes launching smear campaigns (by posting compromising photos and/or videos of them, the contents of their inboxes, etc.), stealing information on their game strategy, tampering with their performance or medical data to create illusions of doping cases, taking over scoreboards, etc.
Furthermore, since major sporting competitions generate considerable revenue, they provide cybercriminals and hacktivists alike with prime targets: sponsors, derivative products, broadcasting rights, players’ salaries, stadium tickets, legions of fans eager to spend, etc. Yet again, a multitude of attack scenarios may be envisioned. Television networks might be attacked to prevent broadcasting. Tickets might be purchased through botnets, then resold on the black market. DoS attacks might disrupt ticket purchases on official competition websites or operations on betting websites. Payment terminals and ATMs near stadiums might be tampered with. These are but a few examples.
Finally, attacks may also target the IT systems of the host State, whose government is responsible for visitor arrival and entry, event security and legality, communication and transportation, information access, and more. Attacks might, for example, take the form of visa scams, system disruptions due to DDoS attacks or defacement of government websites. They might even consist of stealing confidential data or the contents of officials’ inboxes and disclosing them or using them for intelligence purposes.
It is essential to properly prepare for risks before competitions take place. The specifications of the equipment used must incorporate cybersecurity by design, and vulnerability testing must be performed before any equipment is put into use. In advance of the event, it is a good idea to establish a cyber threat intelligence unit capable of identifying all external vulnerabilities in real time, as well as one or more security operations centres to coordinate all digital security efforts. During the competition, a large enough team of “digital firefighters” (a CERT or a CSIRT) must be available to all organisations involved. In the event of a blocking attack, a business continuity and recovery plan will aid in dealing with the crisis. As these processes involve a great many players, a centre dedicated to sharing security information like the Information Sharing and Analysis Organizations (ISAOs) in the United States can monitor, analyse and respond to cyber risks specifically linked to sporting events. In general, States and sporting organisations must improve their cooperative efforts in this regard within organisations such as the IOC, FIFA, Rugby Football League, UEFA, American Leagues, and CAN. Indeed, in view of the financial and human challenges at hand, the various organisations involved must better cooperate and join forces so that major sporting events may continue to enjoy as much success and popularity as they do today.
Download the complete article here: https://ceis.eu/fr/note-strategique-securite-des-grands-evenements-sportifs-janvier-2018/