Next week the FIFA World Cup kicks off in Qatar amid significant off-pitch controversy. Unfortunately, Italy didn’t qualify for the tournament, so in the run up I have had more conversations about the potential cyber-threats it could unleash than I have had about any upcoming sporting prowess.
We have seen in the past that international sporting events are an attractive target for attackers looking to cause very public disruption, and this appeal to attackers only grows with every new controversy around the event.
Who Would Target the FIFA World Cup?
While I was disappointed that Italy didn’t make it into the Finals, sporting losses probably aren’t enough to motivate any serious threat. More likely, we could see activity coming from Russian attack groups motivated by FIFA’s suspension of the Russian national team following the country’s invasion of Ukraine. Kenya and Zimbabwe were also suspended this year, but they don’t have the same sort of resources available to them in the form of a highly skilled and organized attacker community. Perhaps the other disgruntled nation to watch will be Iran. The country also has highly skilled cyber operators within its population, and its participation is being questioned given its apparent non-compliance with certain standards requirements that FIFA sets out.
This year we have also seen a significant number of ‘hacktivist’ attacks motivated by a huge range of political disputes, so there is a chance that skilled individuals and organized attack groups may use any number of controversies surrounding this tournament as motivation to cause disruption.
Is This Something That Has Happened Before?
During the 2018 Winter Olympics – another event from which Russia was excluded, in that case due to the systematic use of banned substances by its team – we saw the Russian threat group Sandworm attempting attacks using its ‘Olympic Destroyer’ wiper malware.
In the early qualifier rounds of this year’s World Cup, we also saw an attack on the game between Wales and Ukraine. This attack interrupted broadcasts and was reported by Ukrainian reporters at the football fan site Tribuna.
These sorts of sabotage attacks are a definite possibility, with such a high-profile global sporting event likely to attract huge audiences and ensure publicity for a successful attack group.
What Will Attacks Look Like?
Recently, ransomware has dominated the headlines in cyber threats, but I think it is wiper malware – which aims to make computers unusable – that we might see targeting organizations during the Qatar FIFA World Cup. This is the same sort of attack that was unleashed in 2018 with Olympic Destroyer, and wiper malware has remained relatively popular since then, outside of sport too. Sandworm is considered to be responsible for at least three recent destructive attacks against Ukraine carried out via different wiper malware strains dubbed FoxBlade (also known as HermeticWiper), CaddyWiper, and Industroyer2.
What Should I Do?
Vigilance and care around digital security should be taken at all times, not just during major sporting events. Users should be continually reminded never to click a link they have been sent; instead, they should type the URL manually and follow the site’s own navigation – or use their own established bookmarks.
For enterprises, the best defense starts by reducing all the possible entry points for attackers and limiting the potential attack surface to prevent the injection of destructive malware. This means adopting a pervasive security solution that protects users anywhere, on any device, and educating users on responsible behaviors (‘think before you click’). In addition, every system (servers, endpoints and network devices) must be kept updated with the latest security patches, and all security solutions at the network and endpoint level must be updated with the latest releases, signatures and threat intelligence feeds released from security vendors.
Enforce multi-factor authentication for every internet-facing system and consider a zero trust approach to publish internal applications securely. Constantly monitor the network and application infrastructure for anomalous access, and implement an incident response plan.