How France is Protecting the 2024 Olympics from Unprecedented Cyber-Attacks


As the world's eyes converge on France for the Olympic spectacle, a darker competition is unfolding in the digital realm.

Cybercriminals are poised to capitalize on this famous global event, with the Games facing an “unprecedented” level of cyber threats.

With 15,000 athletes competing in 878 Olympic and Paralympic contests across 54 sports, the Paris 2024 Games are expected to sell over 13 million tickets and attract over 15 million spectators.

Cisco, an official partner of both the Tokyo 2020 and Paris 2024 Games, said that while the event in Japan’s capital faced “450 million cyber-attacks,” the French edition should experience “eight times more.”

Infosecurity researched several threat intelligence reports and spoke with cyber threat intelligence analysts to gauge the most pressing cyber threats to the 2024 Olympics.

We also spoke with the French cybersecurity agency (ANSSI) and Franz Regul, the Paris 2024 CISO, to explore the four-year effort conducted by the International Olympic Organization (ICO) and the French authorities to ensure the event's digital security.

Finally, we investigated who organizations operating in France can turn to in order to mitigate threats associated with the Games.

Expected Threat Landscape Ahead of the Olympics

When discussing his cyber threat expectations, Regul, the CISO and managing director of cybersecurity of the Paris 2024 Organizing Committee (COJOP), erred on the side of caution about the number of potential cyber-attacks.

“At the COJOP, we tend to be cautious and avoid announcing figures, because the lines between a cyber-attack, a cyber incident and even an attempted but failed malicious campaign can be blurry. However, one thing is sure, we will be attacked,” he said.

Jack Chapman, SVP of threat intelligence at KnowBe4’s Egress, explained, “If we’re talking about malicious campaigns, these [Cisco] numbers are most likely inflated. However, if we’re talking about individual network requests to try and bypass security measures, it would match what I would expect for the scale of this event.”

The Main Cyber Threats to the Paris Olympics

In the context of heightened geopolitical tensions, the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism and information operations.

Most threat intelligence analysts Infosecurity spoke to do not seem most concerned with nation-state destructive attacks, such as the wiper malware campaigns experienced during previous Games including at the Pyeongchang 2018 Winter Olympics in South Korea and the Tokyo 2020 Summer Olympics in Japan.

“Modern Olympic Games are primarily technology events.” Franz Regul, CISO, Paris 2024

Other threats, like fraud and hacktivism, are bigger concerns. This is corroborated by threat intelligence reports by Google’s Mandiant, Sophos, Fortinet’s FortiGuard Labs, Palo Alto Networks’ Unit42, Cyble and SpecOps.

The top three most pressing cyber threats include:

  1. Hacktivism, notably through distributed denial of service (DDoS) attacks
  2. Cyber fraud, notably through phishing, social engineering techniques and fake websites leveraging brands related to France or the Olympics
  3. Possibly ransomware

Hacktivism at the Olympics

Speaking to Infosecurity, Richard Cassidy, CISO at Rubrik, said that his investigation into dark web forums indicated that political groups, not necessarily backed by a nation-state but generally aligned with one, are preparing to “make a statement” during the Games.

Cyble researchers found in an early July 2024 report that two Russian hacktivist groups, “People’s Cyber Army” and “HackNeT,” launched trial DDoS attacks on French websites before the Games.

In another report, FortiGuard Labs also found increased activity from hacktivist groups over the past few months and a staggering 80% to 90% rise in dark web activity targeting French organizations in the second quarter of 2024.

Surge in dark web activity targeting French organizations between 2H 2023 and 1H 2024. Source: FortiGuard Labs, Fortinet

Financially Motivated Threat Actors

Financially motivated actors are also gearing up for the Games, although, at the time of writing, there is little evidence on which to assess the ransomware threat in relation to the event.

Cassidy said he thinks malicious hackers will start using more sophisticated ways to conduct phishing and social engineering campaigns, including toying with generative AI to deploy deep fake schemes.

On the other hand, Egress' Chapman fears that many threat actors will target QR codes, which will be omnipresent across Paris over the summer – and even compulsory in order to park in the capital.

Mandiant and Palo Alto’s Unit42 assessed with high confidence that Russian threat groups will pose the highest risk to the Olympics, while China, Iran, and North Korea state-sponsored actors will pose a moderate to low risk.

Malicious Campaigns Started Before July

Some of these threats had already materialized before the Olympics, said Regul.

For instance, the French government warned in March 2024 that several government agencies experienced a DDoS attack “conducted using familiar technical means but of unprecedented intensity.”

In early July, threat intelligence provider QuoIntelligence detected a network of 708 fraudulent web domains used to sell fake sporting and musical events tickets, primarily to a Russian-speaking audience.

Some of these domains host convincing websites that seemingly allow users to purchase tickets for their preferred events during the upcoming Olympics and choose accommodation in Paris.

Inside the Paris 2024 Cyber Apparatus

Cyber Troop Review: A Militaro-Civilian Task Force

According to COJOP’s Regul, modern Olympic Games are “primarily technology events.”

“Yes, it’s a sporting event and contests happen in the physical world, but the whole organization relies on digital technology. This means securing our online systems is as important as the security of our physical infrastructure,” he added.

After spending four years setting up the network infrastructure for the Games in collaboration with Cisco and Atos’ Eviden, the official technology partners, Regul now leads a team of about 15 people fully dedicated to cybersecurity, out of 3000 COJOP staff members.

An additional pool of tens of thousands of volunteers supports Regul’s team.

While the COJOP’s mission is to secure the IT systems critical to the Olympics, the French government must also ensure that other organizations are secured – or are supported when facing a cyber threat.

ANSSI was assigned this mission in July 2022.

Since then, the cybersecurity agency has acted as the COJOP cyber team’s single point of contact within the French government agencies and as the coordinator of a civilian task force called the National Coordination for the Security of the Olympic Games and Other International Sporting Events (CNSJ).

ANSSI and the CNSJ collaborate with a military task force, the National Center for Strategic Command (CNCS), which includes the National Cyber Unit (UNCyber), France’s military cyber command, previously known as ComCyberGend.

ANSSI’s teams have expanded to 630 staff members who could be mobilized during the Games, while UNCyber officers have grown from 330 to 1000.

A Five-Fold Cyber Strategy

ANSSI told Infosecurity that the agency’s cyber strategy for the Olympics was built around five pillars:

  • Strengthen cyber threat intelligence in relation to threats targeting the Games
  • Secure critical IT infrastructure
  • Protect sensitive data
  • Raise awareness about cyber risks and threats
  • Prepare for incident response in case of a cyber-attack in relation to the Games

At the core of this security apparatus lies a 24/7 cybersecurity operations center (CSOC) that involves 15 permanent positions filled by rotating COJOP staff members in a confidential location and twice as many people working remotely.

COJOP, ANSSI and other French state agencies are also using a reinforced system for monitoring, alerting and handling IT security incidents, which “includes a specific posture designed to support increased operational activity,” said ANSSI’s spokesperson.

Regul also noted that there are extensive threat intelligence capabilities and information-sharing mechanisms with all partners.

Cyber Focus on 700 Organizations

Together, ANSSI, CNSJ and France’s Ministry of the Interior have identified 700 organizations that needed to be supported and divided them into three categories:

  1. Entities that are critical for organizing the Olympics (ticketing portal, logistics platforms and solutions, athlete access systems to accommodation and sporting infrastructure…)
  2. Entities that are particularly sensitive, such as infrastructure operators (transport, hospitals, administration, sporting infrastructure…)
  3. Other organizations associated with either the Games or France (sporting providers, companies operating in France…)

Approximately 80 organizations are considered critical and fall under category one. ANSSI has audited their systems and provides them with technical support. During the Games, COJOP is responsible for their cybersecurity.

Almost 100 entities are considered sensitive under category two. Their security falls under both COJOP’s and ANSSI’s responsibility.

Additionally, they have benefitted from a specific cybersecurity support program. This scheme was allocated a €10.1m budget ($11m) and was led by ANSSI. It was built around three axes:

  • Diagnostic: Identifying vulnerabilities and building securitization plans
  • Securitization with technical support
  • Detection and response: Deploying endpoint detection and response (EDR) solutions and intrusion detection systems (IDS) for IT and OT systems when missing

Finally, almost 500 organizations, including host communities, transport operators and certain media outlets, fall under category three.

“The failure [of these entities] could have an impact on France's image, without destabilizing the smooth running of the event. These entities are subject to awareness-raising actions and are encouraged to deploy ANSSI's automatic auditing tools,” explained an ANSSI spokesperson.

Raising Cyber Awareness Before, During and After the Games

Another mission for Regul’s team in the run-up to the Games was to run awareness training and campaigns.

The ANSSI spokesperson told Infosecurity that an awareness workshop hosted by the agency on July 5, 2023, kicked off a months-long broad awareness campaign for several hundreds of entities involved with the Olympics. The campaign was still running a few days before the opening ceremony.

Additionally, in August 2023, the agency published a threat intelligence report dedicated to identifying the most concerning threats to large sporting events.

This document aimed to present the main threats to information systems used during sporting events organized in France, including the Rugby World Cup 2023 and Olympic and Paralympic Games 2024, and to provide concrete examples of attacks carried out against the sector in France or abroad, ANSSI explained.

Finally, ANSSI offers free “security exercise kits” as well as security recommendations, guiding principles, and best practices for all organizations operating in France or in relation to the Games.

Conclusion

While the Olympics and Paralympics started on July 26 and end on September 8 for most people, Regul and his team's Olympic adventure is a much longer endeavor.

The COJOP CISO was present as an observer during the 2020 Summer Olympic Games in Tokyo. In return, and continuing the cybersecurity effort for all Olympic Games, the COJOP has invited representatives of the 2026 Milano Cortina Winter Olympics and the 2028 Los Angeles Summer Olympics to join his team during the summer.

“Although we are aware of how unique the COJOP’s cyber mission is in that we must secure systems for a short period of time – systems that will be dismantled once the event is over – our job is also in part similar to implementing security controls in a cyber-mature large enterprise,” he told Infosecurity.

Just like in any enterprise, the departing CISO is responsible for his successor’s onboarding. The next few weeks will tell how much incident response he can share with the next generation.

Image credit: kovop / Shutterstock.com
