Sporting events and venues are increasingly vulnerable to cyber-attacks, a new study from Microsoft has found.
The Microsoft Threat Intelligence State of Play report highlighted the growing opportunities for threat actors to target high-profile sporting events, “especially those in increasingly connected environments, introducing cyber risk for organizers, regional host facilities and attendees.”
Research has demonstrated rising attacks on high profile sports events and organizations in recent years. For example, a report from the UK’s National Cyber Security Centre (NCSC) in 2020 found that 70% of sports organizations experience at least one attack per year.
A Vast Digital Playing Field
Microsoft supported the cybersecurity of critical infrastructure at the 2022 FIFA World Cup in Qatar. During this event Microsoft observed attackers continually attempted to compromise connected systems through identity-based attacks, Justin Turner, Principal Group Manager, Microsoft Security Research, told Infosecurity.
“What we saw was consistent, with cyber-criminals being opportunistic and seeing where they can infiltrate and find gaps between a lot of connected systems, in the context of a large event. The cybercrime economy's sheer size and low barriers to entry make this kind of opportunism a significant risk to account for in planning and having layered defenses in place,” he said.
Numerous publicly reported sport-related cyber-attacks have taken place in the past five years, including:
- January 2018: Russian threat actors carried out a range of attacks designed to disrupt and discredit the Winter Olympics in Pyeongchang, South Korea
- November 2020: English Premier League football giants Manchester United experienced a “sophisticated” cyber-attack, suspected to be ransomware.
- April 2021: US National Basket Association (NBA) side Houston Rockets were targeted by ransomware attackers, who claimed to have stolen 500 gigabytes of Rockets’ data, including contracts, non-disclosure agreements, and financial data. Internal cyber-defenses were effective in limiting the spread of ransomware on the club’s systems.
- February 2022: US National Football League (NFL) club the San Francisco 49ers confirmed it was hit by a ransomware attack one day before the Sunday Super Bowl.
- March 2022: Personal data belonging to American Major League Baseball Players and their family members were reportedly stolen during a cyber-attack on a third-party vendor.
Sporting events face unique cybersecurity challenges due to the vast digital surface that needs to be protected – with a high level of cyber-physical convergence. This means there are a range of connected devices and interconnected networks that can be exploited, alongside known and unknown vulnerabilities across different venues and arenas.
Turner told Infosecurity: “What makes the sports landscape unique is that the IT assets and operations are so different, you have a lot of mobile devices across teams and staff, and a lot of connectivity across different stadiums, training facilities, hotels and other venues. And the nature of these connections is that they stand up and down as teams complete in seasons and tournaments.”
He added that this enables threat actors to simultaneously target pop-up payment and retail systems, socially-engineer attendees, and scan for unpatched or misconfigured devices.
Security is further complicated by the numerous parties managing the various systems, such as corporate sponsors, municipal authorities and third-party contractors.
Attacker Motivations
Microsoft’s analysis noted a “diverse and complex” range of cyber-threats to sporting events and venues, carried out by both financially motivated cyber-criminals and politically inspired actors.
- Cyber-Criminals: Modern sports teams, associations and venues house a trove of valuable information desirable to cyber-criminals. This includes data on athletic performance, competitive advantage and personal information, making tactics like data breaches and ransomware tempting approaches for cyber-criminals.
- Politically-Motivated Threat Actors: Microsoft said there were a variety of motivations from nation-states to launch cyber-attacks targeting sporting events. They even seem to be willing to absorb collateral damage from attacks if it supports broader geopolitical interests. Nation-states and hacktivist groups are primarily motivated to disrupt the event and generate publicity for their cause, often using DDoS attacks for this purpose.
Cybersecurity Recommendations
Microsoft set out a range of recommendations to protect sporting events going forward, such as the 2023 women’s football World Cup in Australia and New Zealand:
- Augment the SOC team: The report emphasized the need to have “an additional set of eyes monitoring the event around the clock” due to vast threat environment.
- Conduct a cyber risk assessment: Organizers should identify potential threats specific to the relevant event, venue or nation in advance; in particular, assessing the various key stakeholders involved, such as third-party vendors, venue IT staff and sponsors.
- Implement strong access management measures: Access to systems and services should only be granted to those who need it. Additionally, personnel should be trained to understand access layers.
- Protect venue technology: Liaise with venues to ensure systems like digital signage, point of sale (POS) and infrastructure equipment are protected as much as possible. This includes patching software and developing logical network segmentations between IT and OT systems.
- Implement a multi-layered security framework: This involves deploying firewalls, intrusion detection and prevention systems, and strong encryption protocols to fortify the network against unauthorized access and data breaches.
- User awareness: Employees, stakeholders and attendees of the event should be educated on cybersecurity best practices, such as recognizing phishing emails, using multi-factor authentication, and updating software on devices.
- Close collaboration: Good communication between different entities is especially important in the sporting world. As well as co-ordinating with venues and sponsors, close information sharing practices should be set up between teams in professional sports leagues to help prepare for and quickly respond to incidents.