The Olympic world stage is not only a proving ground for athletes, but for sophisticated malware, hacks and cyberattacks ready to become household names.
While sport isn’t closely tied to cybersecurity in the popular imagination, international sporting events are highly attractive targets for cybercriminals chasing profit and malicious state actors looking to make a point, according to Doug DePeppe, co-founder and board president of the nonprofit Cyber Resilience Institute, headquartered in Colorado Springs.
It means major sporting events like the Olympic Games now give a first glimpse of newly engineered malware and the most finely tuned attacks, serving as an early warning to governments, businesses and communities before the tactics spread to other cyber corners of the world.
Sports-ISAO, a program office of CRI, spent the PyeongChang Olympic Winter Games collecting and analyzing information on those cyber threats for the Joint Operations Center at the U.S. Embassy in Seoul, in an operational public-private partnership.
Sports-ISAO, which provided cyber threat intelligence for the 2016 Olympics in Rio and the 2017 IAAF World Championships, worked on the Winter Games as a process improvement exercise, supporting U.S. government security operations.
New wave of attacks
By the time the Games ended on Sunday, Sports-ISAO had provided information and analysis on a barrage of aggressive attacks — and identified valuable information as a result.
DePeppe anticipates “a new wave of commercial attacks” spinning off from the Winter Olympics.
“Some of these tactics will now be made available; others will copycat and use them and that’s of concern because of the way they are able to evade detection,” he said. “So as we see these trends roll out for a while until defenses [emerge], it’s always cat and mouse. Now we’ll be playing the catch-up game again.”
While financial gain and attention-seeking are drivers in cyberattacks on major sporting events, the most high-profile attacks during the Winter Olympics appear to have been motivated by geopolitical factors.
“There’s a lot of money that flows; there are also organizations that want to make a splash — typically that’s social movements, hacktivists, even terrorists. They’re interested in getting notoriety from a major attack incident,” DePeppe said. “But … the one that gets the most publicity is the geopolitical piece … state actors that hide behind ostensibly a hacking organization, but they’re going about the attacks in ways that support the state interests.”
Some nation states don’t want the host nation or the International Olympic Committee to look good, he said.
“Certain nation states like Russia, like North Korea, have an ulterior motive. Russia of course is banned because of the doping controversy and it has refused to acknowledge that and has been playing its whataboutism card — so they have a motive. The North Koreans don’t ever want South Korea to have any kind of primacy or success on the international stage that would make them look better than North Korea.”
Hackers bring their A game
Another defining feature of cyberattacks on major sports events: hackers know the stakes are high, the defenses are high, and that they need to bring their A game.
“As a result of that, the attacks have to be — and are — very well planned,” DePeppe said. “The offshoot of that, however — especially in the state-supported hacking environment — is that something that begins as a state-actor effort, after the Games transforms into a new breed of malware emerging for black market, for cybercrime use.”
In addition to conducting commercial cyber threat intelligence collection and analysis, Sports-ISAO provided reports on geopolitical implications as well as malware research and analysis, and shared that information with other stakeholders and participants in the Winter Games, DePeppe said.
The most notable attacks included GoldDragon, the pre-Olympics spearphishing campaign that took place in December and January, and the Olympic Destroyer malware attack that disrupted the internet, broadcast systems and the Olympics website during the opening ceremonies. Both attacks used stegomalware, malware that hides its malicious code inside an image file so the payload travels as what looks like an ordinary picture.
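One cheap triage check a defender can run over image attachments, added here as an example that is not from the article or Sports-ISAO: a well-formed PNG ends at its IEND chunk and a JPEG at its EOI marker, so bytes past that point are a common hiding spot and worth flagging for deeper analysis (this heuristic will not catch pixel-level steganography). The sample images and the trailing string are constructed inline.

```python
"""Trailing-payload check for PNG and JPEG files (added example, not the page's code)."""
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8"


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # length + type header, payload, CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the last EOI (FF D9) marker, or None if absent.

    The last marker is used because an EXIF thumbnail can carry its own EOI;
    the trade-off is that trailing data containing FF D9 itself is not seen.
    """
    if not data.startswith(JPEG_SIG):
        return None
    eoi = data.rfind(b"\xff\xd9")
    return eoi + 2 if eoi >= 2 else None


def trailing_bytes(data: bytes) -> Optional[int]:
    """Bytes after the image's logical end; None if the format is not recognised."""
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    return None if end is None else len(data) - end


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build a PNG chunk with a dummy CRC (CRCs are not validated by this check)."""
    return len(payload).to_bytes(4, "big") + ctype + payload + b"\0\0\0\0"


# Constructed samples: a minimal PNG skeleton, and the same file with data appended.
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", b"\0" * 13) + _chunk(b"IEND", b"")
APPENDED = b"constructed trailing data"
SUSPECT_PNG = CLEAN_PNG + APPENDED
```

A non-zero result is a lead, not a verdict: some legitimate tools leave harmless metadata after the end marker, so flagged files should go to a sandbox or analyst rather than straight to a block list.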
“Our method involved monitoring social media, monitoring bots and fusing it with other threat indicators and data — and monitoring the geopolitical piece, we were able to detect a change in tactics where the trend of Fancy Bear [a cyber espionage group believed to be linked to Russian military intelligence] attacks coupled with social media and bot activity did not happen after the opening ceremonies,” DePeppe said.
Sports-ISAO alerted stakeholders that this decoupling was atypical.
“The Fancy Bear methodology has been, to date, embarrassment. Hacking, then using social media and publicity to embarrass their targets — to embarrass [the World Anti-Doping Agency], embarrass [the U.S. Anti-Doping Agency], embarrass the U.S. Olympic Committee — all as part of their overall strategy to undermine the West, to undermine America.
“So they’d been hacking and they used the hacked emails to cause embarrassment … they promoted it through bots and trolls and tried to get the message out about ‘Americans are hypocrites; they’re using therapeutic use exemptions too,’ et cetera.”
Suddenly, around the time of the opening ceremony, that social media activity completely fell off.
“We were alerting our stakeholders that possibly a change of tactics was occurring that seemed to imply plausible deniability.”
On Feb. 24, before the closing ceremony, The Washington Post reported that U.S. intelligence had confirmed Russian military spies hacked hundreds of computers used by authorities at the Olympics, while trying to make it appear that the attack was conducted by North Korea — a “false flag” operation.
“So I think our characterization of it was accurate,” DePeppe noted.
DePeppe said Sports-ISAO is “having talks with the government now about improving [information sharing] and extending it so that this kind of an ISAO capability is embedded in all future international sporting activities or major events like this.”
Intelligence work successful
Sports-ISAO’s threat intelligence work for the Winter Olympics was very successful, DePeppe said, “because I think we demonstrated the solution to a gap.
“The attacks are getting more sophisticated and there are greater advantages to the adversary — so you have to deploy information sharing and better situational awareness capabilities. It needs to be an information sharing community with everyone involved,” he said. “The Information Sharing and Analysis Organization approach to cybersecurity has to be adopted more universally.”
And more resources are needed: “If the adversaries are using [international sport] as a proving ground,” he said, “then we ought to use it as an early-warning vehicle.”
DePeppe said there’s still a lack of understanding of how ISAOs work, and “a reluctance to share proprietary or embarrassing information.” But attack data can be shared anonymously, he said, contributing valuable information with no connection to the organization that provided it.
Bonnie Moss, executive director of SMB iSAO [Small and Mid-Sized Business Information Sharing and Analysis Organization], agreed that information sharing is essential to successful cybersecurity.
“No one is immune to cybersecurity risk,” she said. “But we’ve found that communities who share cyber information have the best defenses against threats, hacks and attacks. So not only does information sharing reduce security breaches and the exposure of sensitive data, but it makes for stronger business and economy and a stronger nation as a whole. This is the biggest benefit to joining an ISAO — it provides a safe port for communities to share.”