Key findings
The 2024 Summer Olympics are set to begin on July 26, 2024, in Paris, France. The Games are expected to bring in millions of visitors and billions in revenue. The infrastructure behind the games is vast, providing a large potential attack surface and a tempting target for financially motivated actors.
Geopolitical tensions, such as the Russia-Ukraine war and the Israel-Palestine conflict, provide potential motivations for threat actors to target the Games.
In the weeks leading up to the Games, Intel 471 has observed multiple hacktivist collectives targeting French entities. Thus far, we have observed them using many of the same tactics, techniques and procedures (TTPs) we have seen over the last two years.
Intel 471 has observed numerous fraudulent Olympic-themed domains, as well as actors inquiring about illegal video streaming of the Games and offering illicit Paris Olympic family visas for travel.
Overview
The 2024 Summer Olympics are set to begin on July 26, 2024 in Paris, France and conclude on August 11. Based on ticket sales, Paris is estimating that at least two to three million people will attend the Games during its thirteen-day run, generating billions of dollars in revenue. Historically, the Olympic Games have always been a target. Whether through terrorism, activism, or cyberattacks, the high-profile nature of the Games provides an event where any sort of disruption will have millions of views worldwide. The aim of this paper is to cover some examples of what has been observed at prior Games, provide context on unique aspects of this year’s Games, and provide some examples of what Intel 471 has observed thus far.
Historical cyber incidents at the Olympic Games
While threats of physical attacks on the Games have been around for decades, cyberattacks have increased in prominence since the 2000s. In 2016, before the Rio Olympics began, the official Rio Olympics website and websites of associated organizations were targeted by a prolonged distributed denial-of-service (DDoS) attack. Later, in September 2016, the Russian threat group Fancy Bear (also known as APT28, Forest Blizzard, Sofacy Group and STRONTIUM) posted athlete medical data on its website that it allegedly stole from the World Anti-Doping Agency (WADA), stating that it was part of an Anonymous hacktivist group #OpOlympics campaign.
The 2018 Olympic Games, which took place in Pyeongchang, South Korea, suffered a significant cyberattack during their opening ceremonies. The malware, later dubbed OlympicDestroyer, caused disruptions to the internet at the colosseum, to broadcast systems and to the Olympics website and ticketing systems. Subsequent analysis of the malware sample resulted in the industry-wide assessment that the attack was conducted by Russian hackers, who planted false flags in an attempt to masquerade as North Korean or Chinese threat actors.
The 2020 Tokyo Olympics, while delayed due to COVID-19, suffered no major cybersecurity disruptions. However, NTT, the telecommunications and network security provider for the Games, claimed there were 450 million attempted attacks, more than double the number seen in London in 2012. That figure should be viewed with caution, as extremely high attack figures released to the media often encompass automated activity such as scanning, failed login attempts against internet-exposed assets and minor DDoS events. NTT said the attacks ranged from the Emotet malware to email spoofing, phishing and fake websites.
Similarly, there were no major cyberattacks reported during the 2022 Beijing Olympic Games. However, there were enduring concerns for the data privacy of athletes, diplomats, politicians and other visitors who flew to China for the Games. One such point of controversy was the MY2022 (冬奥通) application, which was required to be installed by all attendees to the Games, including audience members, members of the press, and competing athletes. Analysis of the application found several vulnerabilities: encryption could be bypassed easily, providing access to users’ files. Such files could be audio files or health customs forms, which included sensitive medical personally identifiable information (PII).
France’s preparation
Logistically, the attack surface of the Games is large, with multiple venues, facilities, and digital platforms, all with potential vulnerabilities. Vincent Strubel, the head of France’s cybersecurity agency, ANSSI, said in an interview that the Olympics faced threats from adversarial countries, criminals wielding ransomware and Russian-aligned “hacktivists” who use their computer skills to further their political messages.
For the last two years, French authorities have been preparing and working with stadiums, sports federations and other stakeholders regarding the physical and cyber security of the Games. Such preparations have included cyber awareness courses, red teaming exercises and infrastructure creation. French authorities and private sector partners have set up a Technology Operations Center (TOC), a Cybersecurity Operations Center (CSOC), and the National Strategic Command Center (CNCS). They have created over 100 applications, including an Olympic Management System (OMS), which manages access to events, and the Olympic Diffusion Systems (ODS), which combats misinformation by disseminating real-time information to attendees.
France is also ramping up the physical security of the games, creating command centers, hiring security guards, and recruiting over 2,000 police officers from around the world. France is also using specialty teams, such as sniffer dogs and artificial intelligence (AI); the Games will utilize a video surveillance system that includes AI-powered cameras to flag potential security risks.
France’s current political climate
National Assembly election
From June 6 to 9, 2024, the European Union (EU) held their Parliamentary elections. France’s rightmost party, the National Rally (RN) party, took first place with about 31% of the vote. The RN is led by Marine Le Pen. Emmanuel Macron, the President of France, leads the Renaissance Party, which came in second to the RN, with about 14% of the vote. Shortly after these results came in, Macron dissolved the National Assembly and called for a snap election. The National Assembly is one of the houses of Parliament in France. The National Assembly is elected directly by the people, and has 577 seats, with 289 needed for a majority. Two rounds of voting were held on June 30 and July 7. After the second round of voting, the leftist coalition New Popular Front gained the most seats in parliament, but far short of a majority. Macron’s centrist Ensemble alliance came in second with the far-right National Rally coming in third. As no group gained a majority of seats, the parties and coalitions will undertake what are expected to be difficult negotiations to form a government. Because Macron was unable to win enough seats for a majority, he must appoint a new Prime Minister. It is possible that the presidency and the National Assembly could represent opposing political parties. Macron’s term ends in 2027, and he has indicated he will not resign.
Comment: The French elections have already been on the receiving end of Russian- and Iranian-affiliated disinformation campaigns, as have the Olympics. It’s possible that the election-focused groups will pivot towards spreading disinformation about the Olympics once the elections have concluded. It is also possible, though unlikely, that the outcome of the election results in physical protests at the Games, due to the event’s high visibility.
Russia-Ukraine conflict
From February 2022 to December 2023, France provided €2.615 billion in military equipment to Ukraine, and has continued its support in 2024. In addition to supplies, France has provided military training to Ukrainian troops in Poland and in France. Meanwhile, Russia has been banned from the Games, and Russian athletes are not allowed to compete under their country’s flag. This has made France a repeated target of pro-Russian hacktivist groups since 2022. In February 2023, the pro-Russian hacktivist group NoName057(16) ran a campaign of DDoS attacks against entities in countries threatening to boycott the 2024 Olympics if athletes from Russia and Belarus were allowed to compete. Countries targeted included Austria, Latvia and Estonia.
On June 23, 2024, the pro-Russian hacktivist group Народная CyberАрмия (Eng. People’s CyberArmy) posted a claim that Russian hackers would take part in a “new” Olympic sport: DDoS attacks. They posted an image alongside the claim, which showed the Eiffel Tower on fire with the Olympic rings, and claimed to be partnering with NoName057(16). In a message accompanying the image, they stated they were in “the final stage of training before participating in the 2024 Olympic Games.” The exact same message was posted in the RCAT чат 🇷🇺🇷🇺🇷🇺 and 🇷🇺Народная CyberАрмия🇷🇺 Telegram channels as well. On the same day, the pro-Russian hacktivist group HackNeT claimed to join People's CyberArmy and NoName057(16) in attacking France, and allegedly DDoSed the website for France’s Grand Palais, a museum and historical site. The next day, People's CyberArmy launched an attack on the French Film Festival.
France has been the alleged target of other hacktivist collectives as well. On July 31, 2023, the pro-Sudanese hacktivist group Anonymous Sudan threatened to carry out a distributed denial-of-service (DDoS) attack campaign against France-based entities following a warning by the French president's office to retaliate if its citizens are attacked in Niger during the ongoing anti-French protests.
Comment: Pro-Russian hacktivist collectives will almost certainly continue to attack French entities ahead of and during the Games, due to the groups’ dissatisfaction with both France’s support to Ukraine and Russia’s inability to compete in the Games under their own country’s flag. Hacktivists will likely target the event with similar tactics we’ve been observing, such as website defacements and DDoS attacks. These types of incidents can lead to temporary service interruptions, which could affect event attendees, officials and participants.
Israel-Palestine war
In October 2023, after Hamas attacked Israel, President Macron made a public statement supporting Israel, but as the war has continued on, Macron’s position shifted, now showing support to Gaza as well. Macron called for a ceasefire, sent humanitarian aid and is a supporter of a two-state solution. Israel is participating in the Olympic games under their own country's flag, which has caused some protests outside of the International Olympic Committee (IOC) headquarters.
Comment: Pro-Palestinian hacktivists likely will seek to attack French entities ahead of and during the Games, due to Israel being allowed to compete. Hacktivists will likely target the event with similar tactics we’ve been observing, such as website defacements and DDoS attacks. These types of incidents can lead to temporary service interruptions, which could affect event attendees, officials and participants. It is also possible that there will be physical pro-Palestinian gatherings in the areas near the Games, due to the event’s high visibility.
Azerbaijan
On November 13, 2023 French authorities made a statement regarding an alleged July disinformation campaign emanating from Azerbaijan that depicted fights between French police and protesters. These images were accompanied with the hashtag #boycottparis2024. In May 2024, France again made similar accusations against Azerbaijan, this time in regards to misleading photos of French police on the French-ruled island New Caledonia.
Comment: It is likely that Azerbaijan-affiliated disinformation campaigns will continue ahead of the Olympics, with similar goals to the Russia-affiliated disinformation campaigns, due to Azerbaijan’s disapproval of France’s support to Armenia.
Nation-state activity
The Games bring together many high-profile individuals from across the world: athletes, celebrities, dignitaries and politicians, which provides a unique opportunity for nation state groups to conduct espionage and intelligence gathering missions. The Games are also a prime target for disinformation and influence campaigns; Microsoft published a comprehensive report covering multiple instances of Russia’s disinformation campaigns surrounding the 2024 Olympic Games since the summer of 2023, many of which are trying to accomplish one of two goals: to criticize the IOC or to spread falsehoods regarding a threat of violent attacks at the Games. The report attributes this activity to two groups, Storm-1679 and Storm-1099 aka Doppelganger. The campaigns have mainly been observed in English, French and German and researchers identified multiple instances in which the threat actors used generative AI.
Comment: State-sponsored cyber threat actors will likely attempt to gather intelligence on high-profile individuals attending the Games, with the longer term goal of maintaining access to the target after they return home. State-affiliated actors will almost certainly continue their disinformation campaigns ahead of and during the event; while these campaigns may continue after the event, it is likely these campaigns will instead shift to a different narrative.
Financially motivated attacks
Financially, the Olympics are a multi-billion-dollar event, with many avenues threat actors can exploit, such as phishing, ticket scams, travel fraud, or theft of sensitive data from athletes and other attendees. Ticketing scams are a popular choice among cybercriminals. Upwards of 10 million tickets are expected to be sold. Reports of fraudulent ticket websites emerged mere days after tickets to the Games initially went on sale, with hundreds of fraudulent domains reported as of this report. Often, these domains appear in sponsored results on search engines like Google and have domain names mentioning the Games. Some examples of domains Intel 471 has observed include 2024olympics[.]shop, olympics2024[.]cc, paris-olympics2024[.]com, paris-summer-olympics-packages[.]today, paris-olympics-hotel-deals[.]today and plan-a-trip-to-paris-olympics[.]today.
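A defender can triage newly observed domains for this naming pattern. The sketch below is an added example, not Intel 471 tooling: it refangs indicators, skips an allowlist of official domains and flags names that mention the Games. The allowlist entries, the keyword stems and the `.example` domains are assumptions or constructed samples.

```python
# Assumption: registrable domains the defender treats as official; verify before use.
OFFICIAL = {"olympics.com", "paris2024.org"}
# Assumption: stems taken from the domain names quoted in the report.
GAMES_STEMS = ("olympic",)
LURE_STEMS = ("ticket", "hotel", "deal", "package", "trip")

def refang(indicator):
    """Turn a defanged indicator such as 'a[.]b' into a normalised hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")

def is_official(domain):
    """Label-aware suffix match: 'x.olympics.com' passes, 'olympics.com.x.example' does not."""
    return any(domain == o or domain.endswith("." + o) for o in OFFICIAL)

def triage(indicator):
    """Return a finding for a Games-themed, non-official domain, else None."""
    domain = refang(indicator)
    if is_official(domain):
        return None
    name = ".".join(domain.split(".")[:-1])  # ignore the TLD when matching stems
    if not any(stem in name for stem in GAMES_STEMS):
        return None
    lures = sorted(stem for stem in LURE_STEMS if stem in name)
    return {"domain": domain, "lure_terms": lures}

def flagged(indicators):
    """Run triage over a feed and keep only the findings."""
    return [hit for hit in map(triage, indicators) if hit]

# Domains quoted in the report, still defanged.
REPORT_DOMAINS = [
    "2024olympics[.]shop", "olympics2024[.]cc", "paris-olympics2024[.]com",
    "paris-summer-olympics-packages[.]today", "paris-olympics-hotel-deals[.]today",
    "plan-a-trip-to-paris-olympics[.]today",
]
# Constructed samples: two official names, one allowlist-evasion case, one unrelated name.
CONSTRUCTED = [
    "tickets.paris2024.org", "olympics.com",
    "olympics.com.ticket-resale.example", "parisbakery.example",
]

if __name__ == "__main__":
    for hit in flagged(REPORT_DOMAINS + CONSTRUCTED):
        print(hit["domain"], hit["lure_terms"])
```

Substring matching on plain ASCII stems does not catch internationalised (punycode) lookalikes, so those need a separate check.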
Paris has implemented some sales practices in hopes of remediating the number of fraudulent tickets sold. Namely, attendees are selected in a raffle-like system, and have a limited window of time in which they can purchase tickets after being selected. In addition to the limited window, they have a limited number of tickets they can buy, to prevent reseller issues. Tickets are also entirely digital, will only be provided shortly before the event, and can only be resold on the official ticketing website.
Threat actors are also looking to capitalize on the Games in other ways, such as monetizing advertisements on illegal live streams of the events. On June 1, 2024, the actor instreamads offered up to USD $500 for a method that would bypass YouTube’s or Facebook’s copyright detection in order to stream the Games with advertisements. On June 26, 2024, the actor hence posted on the crdclub forum offering to issue twelve Paris Olympics family visas at a rate of €1000 each. On July 6, 2024, the actor dank31337 posted on the XSS underground forum that they were willing to purchase anything related to the Games for USD 5000, and specifically mentioned phishing pages and initial access.
Comment: The Games’ popularity and lucrative nature mean that financially-motivated actors will almost certainly continue with many of the same schemes that have already been observed: phishing, malicious domains mimicking ticketing websites, business email compromises (BEC), malvertising, and more.
Assessment
The Olympics are one of the most iconic events in the sporting calendar and considered a great privilege for any country to host. Naturally, with that privilege comes a responsibility to ensure the Games are run without issue, a fact certainly known by competing nations. As such, soft power capabilities will almost certainly continue to be plied against France and its partners in an attempt to impair positive perceptions. The use of disinformation has been well documented and likely will continue to be the tool of choice. Additionally, hacktivists will rely on their tried and tested forms of disruption in DDoS and defacement, which are likely to ramp up in the coming weeks. Furthermore, threat actors will almost certainly not just target the Games themselves but other essential infrastructure, such as transportation networks, supply chains or local businesses around the event, especially within the travel and hospitality sectors. The scale of the Olympics, which is the world’s largest ticketed sporting event, offers many opportunities for financially-motivated threat actors to conduct payment card, travel and ticket-related scams. However, French officials have been diligently preparing for this event, so it is entirely feasible that a large number of these attempted attacks will be unsuccessful. In the unlikely event an attack slips the net, the diligence France has demonstrated in preparing for the event will be put to the test.