Safeguarding the Paris Olympics: Unveiling the hidden cyber risks

The Olympic Games is a major sporting event that captivates billions of spectators around the globe. It’s a chance to witness world-standard athletes, discover different cultures, and celebrate everything that makes us human.

But it’s also a cybersecurity minefield, and attacks are on the rise.

The 2020 Tokyo Olympics faced 450 million attempted cyber attacks, which was 2.5 times more than the number seen at the 2012 London Olympics. We can only expect these numbers to rise in the coming years.

With France’s Paris 2024 Olympics and Paralympic Games fast approaching in Europe, it’s time to examine  potential vulnerabilities and devise strategies to ensure a secure environment for the upcoming events.

___________________________________________________________________________________

1. Why is the 2024 Summer Olympics a target?

Cyber risk refers to the chances of an industry being infiltrated by people with malevolent intentions.

The Olympics and Paralympics, with their huge digital presence, are especially attractive to cybercriminals—and sometimes countries—who want to extort, spy on, or disrupt the proceedings. And because it’s a global event, the impact can be astronomical.

Cybersecurity incidents can come in different forms, including:

• Data breaches: When personal data is stolen, using techniques such as phishing, hacking, or scams via fake websites or social media
• Ransomware attacks: When digital systems are infiltrated and encrypted until the victim pays a sum of money
• Intellectual property theft: When information systems are hacked to reveal (and steal) digital property

Cybercrimes can severely damage the reputation of major international sporting events, affecting brands, countries, organizations, providers, and end customers, amongst others.

For example, compromised cybersecurity can lead to:

• Disrupted operations and supply chains
• Blocked ticket sales
• Compromised athlete data
• Manipulated event results
• Poor diplomatic and geopolitical relations
• Lost public trust

What makes the Paris Olympics particularly vulnerable?

Many events will take place in iconic, open venues that are difficult to secure, such as the opening ceremony on the banks of the Seine. Everything will be digitized, from access badges to surveillance and broadcasting, and therefore susceptible to cybercrime.

In addition, France’s open support of Ukraine, and the fact that Russian athletes will only be allowed to compete as neutral athletes, could make it the target of cyber attacks from Russia and/or Belarus.

It was also recently targeted by a disinformation campaign by Azerbaijan, which wanted to undermine Paris’ ability to host the Games. Geopolitical relations have been tense between Paris and Baku in recent months.

___________________________________________________________________________________

2. Previous cybersecurity incidents at the Olympics

Let’s take a look at some previous cybersecurity attacks at other Olympic events around the world, along with some success stories of cyber attacks that were stopped in their tracks.

2008: Beijing Olympic Games, China

Over 5 years, a sophisticated hacking operation called “Operation Shady rat” stole government data, legal contracts, email archives and more.

It targeted over 70 private and public organizations across 14 countries—including Olympic committees in 3 countries, and the International Olympic Committee (IOC) itself.

They were specifically targeted in the run-up to the 2008 Beijing Olympics. Some sources also claimed that at one point, the English language version of the website was also hijacked by a company based in the US.

2016: Rio Olympic Games, Brazil

In 2016, a group of Russian hackers known as “Fancy Bear” illegally gained access to an International Olympic Committee (IOC) account.

Through this breach, they were able to access files from the World Anti-Doping Agency and leak the private health data of 29 athletes—including Serena Williams and Simone Biles.

Many of Russia’s athletes had been banned after a doping scandal, and it was suggested in The Washington Post that this was a retaliatory move to spread doubt about other athletes’ integrity.

2018: PyeongChang Winter Olympics, South Korea

During the opening ceremony of the 2018 Winter Olympics, the online system suffered a malware cyber attack to disrupt services including WiFi, broadcasting drones, and telecasting.

The PyeongChang website went offline, and spectators couldn’t print out their tickets to attend the opening ceremony, leading to many empty places at the event.

This “denial of service” /DDoS attack became known as the “Olympic Destroyer”, and was suggested to have been used as a political message.

Bonus: Foiled cybersecurity attacks at the Olympics

The good news is that not all of these global events fell victim to cyber attacks. On many occasions, the organizers were able to stay one step ahead:

• 2012 London Games: Blueprints and attack tools for the stadium were found on a hacker’s computer before they intended to cut the power
• 2016 Rio Olympics: Yes—they were the victim of some cyber attacks (as seen above), but they did manage to deflect “sustained, sophisticated DDoS attacks reaching up to 540Gbps”
• 2020 Tokyo Olympics: Organizers successfully blocked 450 million attempted cyber attacks, including phishing and fake websites

So what separates these success stories from the rest of the pack? They took cyber threats seriously, and they put systems in place to tackle them.

___________________________________________________________________________________

3. Safeguarding the Paris 2024 Olympics: FAQs

It will be the biggest event ever organized in French history, with billions of viewers across the world, 10.5k athletes, 20k journalists, and 31.5k volunteers—making it the ultimate target for cybercriminals.

Cyber threats won’t go away anytime soon, but with the right measures in place, the event can run smoothly without any disruption or compromise.

1. What is the government doing to help?

ANSSI (France’s national cybersecurity agency) has dedicated a third of its staff to ensure the Paris Olympics occur without incident.

It will prioritize the following areas:

1. Know the threats: Before we can tackle them, it’s crucial to recognize and highlight the main cyber threats that the Games face.
2. Secure IT systems: All information systems and security operations centres (SOCs) should be secured and encrypted against hackers.
3. Protect data: Personal data and sensitive information must be safeguarded with extensive security measures.
4. Raise awareness: Ensure that all partners, employees and stakeholders are educated and trained regarding cyber threats.
5. Be ready to intervene: At the end of 2023, ANSSI has overseen several crisis drills so that the organizers are fully prepared.

Five years ago, ANSSI also signed a cooperation agreement with Japan’s cybersecurity agency, NISC, to share strategies for hosting global cultural and sporting events.

Currently, it believes there are 3 main threats affecting the Paris 2024 Olympics:

• Cyber attack on the proceedings: Anything that affects event results
• Cyber attack on the symbolism: Anything that could harm France’s image
• Cyber attack via organized crime: Anything that involves ransomware attacks, for example

2. What information is available about cybersecurity for the Olympics?

Cybersecurity for the Paris Olympics is a collaborative process between governments, organizers, and partners.

The whole supply chain is in the loop. All vendors, participants, volunteers, and employees will be briefed and trained on cyber threats to watch out for—and they should all meet the required security standards.

On the official website of the games there is a helpful cybersecurity guide with common FAQs on scams, phishing, and more.

3. What about physical security measures?

Hackers won’t hesitate to take advantage of sloppy physical security measures. Physical security should complement your cybersecurity efforts. Make sure there’s restricted access to vital infrastructure, such as data centers and IT spaces, to avoid unauthorized entry.

Paris has already put measures in place, with residents near Olympic venues needing a QR code to pass police barriers, and registering visitors who might watch the events from their homes.

At the opening ceremony, there will likely be closed metro stations and “red” zones to section off parts of the city that are close to the Seine.

4. Should we think about backup solutions, too?

Implement regular backup and recovery procedures for critical data and systems. This ensures that in the event of a cyber incident, data can be restored quickly and efficiently.

Then, even if the worst-case scenario happens, you’ll have things up and running again in no time.

___________________________________________________________________________________

Looking forward

Anything that undermines the integrity and fairness of the Olympic Games must be taken seriously.

The responsibility falls upon CISOs to secure the Olympics against the formidable threat of cyber risk. The stakes are high. But ANSSI is taking the lead in ensuring that every base is covered.

We can all be assured that fortifying our digital defenses and neutralizing threats will help to safeguard the integrity, security, and success of the Games.

___________________________________________________________________________________

That’s it for this blog. Interested in reading more? Check out our CISO, Todd Carroll’s analysis, on the LockBit Ransomware gang takedown here.