The Summer Olympics are upon us as the city of Paris, France is gearing up to host the 33rd Olympiad. For the first time since 2020, spectators have been admitted to the games with an expected influx of 15 million attendees. Yet as viewers across the globe tune in to watch their countries compete in the likes of gymnastics, swimming, and volleyball, the threat of a cyberattack remains ever-present.
Why Threat Actors Go After Sporting Events
The Olympic Games are no stranger to cyberattacks. In 2018, the Pyeongchang, South Korean Olympiad was impacted by Olympic Destroyer, “malware [used] to render infected computer systems inoperable” (MITRE). Russian threat actor, Sandworm Team, was found responsible for the attack that, “shut down Wi-Fi hotspots and telecasts and stopped spectators from attending the event” (WeLiveSecurity).
Whether motivated by financial or geopolitical interests, threat actors are reward-seeking by nature. For the average organization, risk does not always equal reward, which skews company operations toward a risk-averse approach. For cybercrime groups, however, the opposite holds true.
“Threat actors go where the targets are, capitalizing on opportunities to launch targeted or widespread, opportunistic attacks. This extends into high-profile sporting events, especially those in increasingly connected environments, introducing cyber risk for organizers, regional host facilities, and attendees” (Microsoft).
The Parisian Olympic Games are set to be the biggest sporting event of 2024, with their magnitude eclipsing the upcoming Australian Open and UEFA Euro. According to the UK’s National Cyber Security Centre (NCSC), “70% of sporting organizations are hit by at least one cyberattack annually, a testament to the vulnerability of the sports industry in the digital age” (Checkpoint). The New York Times cited an estimated 450 million attempted cybersecurity intrusions during the 2021 Summer games in Tokyo, Japan. Franz Regul, leader of this year’s Olympiad cybersecurity team, noted, “Paris expects to face eight to 12 times that number” (New York Times). Sports, it seems, are in target.
How To Protect Yourself
Traditionally, threats facing sporting events, concerts, and other large-scale venues were physical in nature. With cameras, security guards, and metal detectors stationed at stadium entry and exit ways, physical security protections have been widely implemented across the globe. And while physical security threats still loom, cyber threats are far less predictable, making it difficult for cyber experts to stay ahead of bad actor activities.
Mr. Regul equips his team with strong configuration and tooling capabilities, training against phishing attacks, and awareness of previous attack targets and methods. Even still, spectators and game sponsors alike are left to wonder: what can or should I do?
Social Engineering
Social engineering aims to trick targets into divulging personal information through methods like impersonation or pretexting. The most common form of social engineering is phishing, a technique that leverages fraudulent emails to gain confidential information. According to StationX, “an estimated 3.4 billion emails a day are sent by cyber criminals, designed to look like they come from trusted senders. This is over a trillion phishing emails per year” (StationX). While phishing is used most often, other types of social engineering attacks are now prevalent, include smishing (phishing via text) and vishing (voice phishing).
Awareness is the key defense against these attacks. Some common behaviors that can assist with identifying a social engineering attempt include, but are not limited to:
- Suspicious sender address (ex: olympian81990@yahoo.com)
- Sense of urgency (ex: your tickets to the Olympics are about to expire!)
- Request for personal information (ex: please enter your SSN)
- Poor spelling and grammar (ex: ar you redy for paris?)
- Unusual requests (ex: send me $10,000)
- Generic greetings (ex: hi, hello)
As a rule of thumb, if you’re not sure, don’t open it.
Password Security
Another cybersecurity attack type that can result in account compromise is credential stuffing, “a cyber attack in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service” (Cloudflare). The assumption that makes credential stuffing a successful technique is based on users’ tendencies to reuse passwords. In recent years, companies like CapitalOne, MOVEit, and Marriott International experienced data breaches that thieved the information of thousands of customers. So, for those whose Marriott Bonvoy membership password is the same as their banking password, credential stuffing is a real, potential threat.
To better protect yourself against malicious tactics like credential stuffing, password differentiation is key, especially when creating accounts for any Olympics-affiliated sites or applications. Password managers, such as 1Password, assist with diversification by storing passwords, easing the burden of having to remember which password fits with which account. Remember, passwords should never be shared or written down – you never know who is looking!
Patching and Device Updates
Ensuring your devices are kept up to date is another important aspect of defending yourself from cyberattacks. Whether visiting Olympic-related sites virtually or in person, updating your system could be the difference between a realized threat or not. Keeping your device’s operating system (OS) current ensures timely installation of patches, “modification[s] to a program to improve its security, performance, or other features” (HYPR). Security teams and developers alike work tirelessly to ensure their customers stay protected, a feat that begins with securing devices against potential threats.
Let’s look at Apple’s Support page, About iOS 17 Updates. iOS 17, the 17th release of Apple’s iPhone OS, was released in September of 2023. Since its release, iOS 17 has updated fifteen (15) times. Now on version iOS 17.5.1, each update has come equipped with either “security updates” or “bug fixes” meant to address known vulnerabilities. So, while updating your phone might come with new and exciting features like a mushroom or lime emoji (iOS 17.4), it will also bring you added security against malicious actors attempting to exploit said vulnerabilities.
Faster, Higher, Stronger – Together
The security tips outlined above will offer a shield against hungry threat actors seeking avenues for disruption, even beyond the Olympics. By enhancing your awareness of adversarial methods, ensuring passwords don’t go stale, and updating your devices, you equip yourself with the tools needed to help keep your information secure. For an added layer of protection, it is also recommended to keep updated with the latest cyber news and insights as new vulnerabilities, threats, and attacks are reported. Knowledge shared within the cybersecurity community allows us to stay a split second ahead, like Phelps to Čavić.
As the games aim to spread peace, hope, and friendship between peoples and nations, malicious actors lay await in the wings. With just weeks remaining until the torch is lit, cyber defenses are being fortified across the globe – and hopefully in your pockets.
Subscribe
Stay up to date with cyber security trends and more