Paris Olympics Cybersecurity at Risk via Attack Surface Gaps
Web applications and other Internet-facing assets related to the 2024 Summer Olympics in Paris appear to be better protected against cyberattacks than previous major sporting events, such as the 2022 FIFA World Cup in Qatar.
But a few gaps persist that could prove troublesome, given the enormous interest in the event among hacktivists, cybercriminals, nation-state groups, and other attackers. During the 2021 Olympics in Japan, for instance, such bad actors launched a startling 450 million attacks on online infrastructure related to the Games.
Troubling Olympics Security Gaps
Researchers at Outpost24 recently mapped the entire Internet-facing footprint associated with the 2024 Olympic Games. This included looking at all domains, subdomains, hosts, Web applications, and third-party cloud resources. Their evaluation concluded that the Olympics’ external attack surface is more secure against compromise than what they discovered when performing a similar assessment before the 2018 FIFA World Cup soccer games in Russia.
The gaps they found in the Olympics’ infrastructure included a handful of open ports, SSL misconfigurations, security header issues, domain squatting, and some privacy issues like cookie consent violations. The issues give threat actors an opportunity to break through what otherwise appears to be a relatively well-protected attack surface, says Stijn Vande Casteele, CSO of Outpost24’s external attack surface management group.
When attackers find a website that has an expired certificate or returns a 404 error indicating a broken URL, for instance, they are likely to enumerate it for other flaws.
“Not having basic IT and cyber hygiene under control draws the attention [of attackers] and could indicate potentially more severe opportunities for threat actors” to explore, Vande Casteele says. Similarly, the domain squatting issues that Outpost24 discovered could portend an uptick in Olympics-themed phishing campaigns for credential theft and other malicious reasons.
“The Olympic Games are a high-profile event and the biggest sport competition in the world,” says Vande Casteele. The event presents an enormous target for attackers. “As an organization, you want to discourage them by running a tight, super-secure digital footprint.”
Vande Casteele says the Paris 2024 Olympics organization operates more than 700 domains and 800 external Web applications residing on more than 16 different cloud providers. Systems connected to the Games currently are located across nine different countries in the EU, Asia, and North America.
“[Given] the volatility and dynamic character of an attack surface with this complexity, keeping all of this on the radar is a real challenge for the organization’s risk and security stakeholders,” he says.
Cyber a Top Concern
Cybersecurity is a top-of-mind concern among Olympics officials in France, just as it has been for organizers of other major sporting events, such as the Super Bowl.
In a recent article, Politico described France’s primary cybersecurity agency — ANSSI — as starting preparations for the event two years ago and, among other things, conducting extensive penetration tests and awareness-raising campaigns. The director of ANSSI told Politico the goal is not to block 100% of the attacks that are sure to happen when the Games begin, but to block most of them. Officials do not want a repeat of what happened at the 2018 Winter Olympics in Pyeongchang, South Korea, when suspected Russian attackers used a malware tool dubbed “Olympic Destroyer” to massively disrupt Wi-Fi and other communication services during the opening ceremony.
Also of concern is the threat of a coordinated terror and cyberattack to take out crucial security and surveillance systems around the Games. During the 2021 Olympics in Tokyo, threat actors launched a staggering 450 million attacks at various Games-related targets. In comments to The New York Times earlier this month, Franz Regul, the individual responsible for cybersecurity at the Olympics, said his team expects to face between eight and 12 times that number of attempts at this year’s Games.
As part of their preparations for the attacks, Regul’s team has conducted numerous war games in collaboration with technology partners and analysts at the International Olympic Committee. They also have put in place a bug bounty program that rewards researchers who find exploitable vulnerabilities in the technology infrastructure supporting the Games, the Times reported.
Diverse, Sophisticated, and Persistent
It’s anybody’s guess how effective these measures will be once the Games start. Steven Baer, vice president, field sales and services at NetWitness, fully expects the cybersecurity team at the Paris Olympics will have implemented a course of action and an attack kill chain to stop and contain known threats as they happen. Their threat intelligence efforts would likely be focused on new and emerging tradecraft, and incident response teams will be standing by and ready to swing into action when needed, says Baer, whose company played a role in helping secure the 2022 FIFA World Cup soccer games in Qatar.
“I would anticipate that the cybersecurity threats targeting the 2024 Olympics in Paris will be diverse, sophisticated, and persistent,” Baer adds. “I would expect to see cyberattacks aimed at stealing sensitive data, disrupting critical infrastructure, sabotaging operations, extorting money, or spreading propaganda and misinformation.
“The Games are a prime opportunity for cybercriminals, nation-state actors, hacktivists, and terrorists to exploit the vulnerabilities of a high-profile event with a global audience.”
Geopolitics is another factor, says Vande Casteele. The Israel-Palestine conflict and the war between Russia and Ukraine both will likely influence the nature of threats that state-sponsored cyber actors present to the Games. “It is worth highlighting, for instance, that Russia has been banned from this edition of the Games, which inherently poses a significant threat to the host and the Olympics’ [infrastructure],” Vande Casteele says.
Phishing campaigns targeting the general public, DDoS attacks on organizations, and espionage against high-profile individuals/institutions are other common occurrences during high-profile events like the Olympics, he says. “One thing is certain: These events enlarge the attack surface and provide the perfect timing for attacks, be they politically or financially motivated.”
Vande Casteele likens the challenges associated with securing the constantly changing digital footprint of the Olympic Games to building and keeping a gigantic house secure in a relatively short period of time.
“Every day new floors are added, windows and doors are created,” he says. “Many different people are involved, so after a while they lack the oversight, and they forget how many windows and doors there are.”