What to Expect from the Biggest Threat Actors During the Winter Olympics

The cost, scale, participation and international audience all make the Olympic Games a prime target for a myriad of nefarious actors. In fact, McAfee has already discovered a spear phishing campaign in advance of the 2018 Winter Games, which take place from Feb. 9 to Feb. 25.

Over the last decade, the number and severity of cybersecurity events pertaining to the Olympic Games has steadily increased. The timeline below shows just how synonymous hacking and the Olympics have become. Analyzing the actors that pose the greatest threat to next month’s games provides a framework to best judge the risk facing the event and understand any incidents that do occur.

Olympic Timeline


North Korea: On their best behavior

Noticeably absent from the list of contenders most likely to disrupt the upcoming games is North Korea. The recent thaw in tensions between North and South Korea was a policy decision that predated the delivery of Kim Jong Un’s 2018 New Year’s speech. This tactical shift of attempting to fracture the South Korean and U.S. alliance through improving relations on the peninsula will extend into cyberspace.

Additionally, North Korea’s agreement to send a delegation to the games makes it unlikely that they will harass computer networks; their presence alone is a propaganda and reputational win. The regime is unlikely to undermine this accomplishment unless negotiations between the North and South break off, or the U.S. government carries out an impulsive act.

Russia: But they did it too!

The 2016 Rio Summer Olympics was the first time we saw confirmed nation-state activity targeting the International Olympic Committee and the Olympics. Russian cyberactors retaliated against what they perceived as an unfair affront to their national pride by leaking the medical records of athletes, most notably Simone Biles and Venus Williams. While politics at the Olympics is nothing new, this was an unprecedented step for a nation to take. It appears that the sanctity of the games has lost its luster and that the games are sinking back into the category of "politics by other means."

Given Russia’s track record of going after the Olympics in the past, as well as their recent foray against FIFA for banning the Russian team from the World Cup, it is likely that any leaks at these Winter Olympics associated with athlete doping, treatment and health will come from Russia. The recent banning by the IOC of Russian athletes from competing in South Korea will only further inflame Moscow.

Russian athletes will be allowed to participate under the IOC’s neutral flag after they have undergone stringent drug tests. This increases Russia’s desire to undermine the credibility of other major players at the Olympics. On Jan. 10, Russians began a campaign to discredit the IOC and the World Anti-Doping Agency by releasing new leaked documents. This opening salvo is likely the start of a propaganda campaign that will last until the start of the games. The efficacy of capturing the news cycle with these leaks will determine whether the Russians undertake more drastic and invasive operations.

Non-state actors: Time to make a mark

The largest cyberthreat to the Winter Games comes from non-state actors. Hacktivists, cyberterrorists, and fame seekers all see the Olympics as a great venue for their personal cause, whether it’s personal fame, the propaganda of a political message or harm for a political purpose. This category of threat is the most concerning and the hardest to model accurately. These threats are often understood the least and the most likely to come from obscurity. And the way the attackers choose to strike is often on the periphery of how most security services think about the integrity of networks.

Since the 2012 Summer Olympics in London, the games have faced some level of DDoS by hacktivist groups. The 2018 games won't be any different. For the most part, this type of interruption will be dealt with swiftly, with no noticeable interruption to the games. More concerning, however, is the recent proliferation of advanced hacking tools geared toward destructive attacks, which we witnessed in 2017.

Carrying out a disproportionate amount of damage is now incredibly easy for low-skilled actors. The tool kits floating around the Web that haven't been well publicized or used in high-profile attacks are still incredibly dangerous and have the potential to cause a single, massively disruptive event during the games.

One possible attack blueprint involves packing a legitimate software update with malicious code that also has the capability to self-propagate a la NotPetya and combining it with a TV5Monde-type payload that focuses on destroying broadcast networks. The impact could bring down the entire broadcasts of the games, causing massive disruptions and, more importantly, costing broadcasters revenue.

Organized crime: Using the games to show me the money

A burgeoning threat to the Winter Olympics is organized crime. Match fixing, traditional point shaving and judging scandals have always been a concern in the Olympics. With the parallel increase in gambling and the use of technology in the Olympics, there is increasing economic incentive to manipulate the outcome of events. Some events are decided by hundredths of a second, making it conceivable to change the outcome of an event by simply delaying the trigger of a timing mechanism beyond the capability of the human eye to detect. This type of scenario would allow organized crime syndicates to increase their profits while reducing the number of people involved, and lowering the probability of discovery and prosecution. Thankfully, while this type of threat can’t be completely ignored, it represents a low risk to the games.

Threats abound, but what is the real risk?

South Korea is no stranger to cyberthreats. Their capability to deal with these types of intrusions far exceeds that of Brazil during the 2016 Rio games. From a vulnerability and defensive capabilities standpoint, the overall cyberinterruption to the 2018 Winter Olympics should be low compared to previous games.

However, given the onslaught of high caliber tools and exploits released over the last year, the ability of the security teams to keep up with all of the needed patches and other security controls will still be a big challenge for South Korea and will be more difficult than in past years.

From a defensive perspective, the greatest cyberrisks will come from the third-party ecosystem that must work together to successfully run the games. The sprawling networks needed to run the Olympics require giving access to subcontractors, international journalists and TV networks, international delegations and, in some cases, throngs of tourists. The network security teams will manage millions of network events a day over dispersed networks with unique protocols and traffic patterns, over systems that include: broadcast networks; industrial control systems; ticketing, merchandise and other payment-related systems; and operational networks related to the running and scoring of the games themselves.

The spear phishing campaign targeting South Korea, while novel in its technical details, is unlikely to succeed on a larger scale. However, a path of less resistance for hackers would be the press pool from countries that have less than stellar cyberdefense and detection capabilities.

Another thing helping the South Korean defenders is time. The short duration of the games means that anyone attempting to disrupt them must move with a sense of urgency. Low and slow intrusions that are hard to detect will not work given the time span of the games. This means that hackers are likely to move fast, take more operational risks and are more likely to tip off defenders to their presence.
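The two preceding points (defenders sifting millions of events a day, and time-pressed intruders who cannot afford low-and-slow tradecraft) can be made concrete with a small sliding-window burst detector. This is an added example, not code from the article or from Cybereason: it parses constructed, clearly fake authentication log lines and flags a source that packs many failures into a short window, while the same number of failures trickled in one per hour stays below the threshold. The log format, host and IP values, window size and threshold are all assumptions chosen for the demo.

```python
"""Sliding-window burst detector over constructed authentication events.

Added example (not from the original article). It shows why an intruder racing a
short event window stands out: per-source failure counts are evaluated inside a
rolling time window, so bursts trigger an alert while a slow trickle of the same
total volume does not. Every log line, address and threshold here is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption, not a real product's format):
#   2018-02-10T03:00:00Z src=10.40.7.15 user=press_ko result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["src"], m["user"], m["result"]


def find_bursts(lines, window=timedelta(minutes=5), threshold=20):
    """Flag sources whose FAIL events reach `threshold` within any `window`.

    Lines must be in chronological order. Returns {src: (time_of_alert, count)}
    recording only the first time each source crosses the threshold.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "FAIL":
            continue  # skip unparseable lines and successful logins
        ts, src, _user, _result = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (ts, len(q))
    return alerts


def make_constructed_events():
    """Build fake log lines: one noisy source and one low-and-slow source.

    Both sources produce exactly 25 failures; only the pacing differs.
    """
    base = datetime(2018, 2, 10, 3, 0, 0)
    lines = []
    for i in range(25):  # fast actor: 25 failures in two minutes
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()}Z src=10.40.7.15 user=press_ko result=FAIL")
    for i in range(25):  # slow actor: 25 failures, one per hour
        t = base + timedelta(hours=i)
        lines.append(f"{t.isoformat()}Z src=10.40.9.80 user=press_fr result=FAIL")
    # Fixed-width ISO timestamps sort lexicographically into time order.
    return sorted(lines)


if __name__ == "__main__":
    for src, (when, count) in find_bursts(make_constructed_events()).items():
        print(f"ALERT {src}: {count} failures within 5 min, first crossed at {when}")
```

The detector keys on the pacing of activity rather than its total volume, which is the property the article attributes to time-pressed attackers; tuning the window and threshold to each network's baseline (broadcast, ICS, ticketing) is what keeps it useful across the heterogeneous systems described above.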

The race is set and the South Koreans will have their hands full given the myriad of threats they face. The ever-increasing and pervasive nature of technology only stretches a thin defensive capability thinner. However, removing the North Korean threat from the board, coupled with the overall low profile that South Korea maintains on hot-button social and political issues, means that they will likely be able to handle whatever the Internet throws at them.

Ross Rustici
About the Author

Ross Rustici is Cybereason's Senior Director of Intelligence Services.