Organisations linked to the Paris Olympics 2024 have an increased risk of cyber attacks, including ransomware, credential leaks and phishing campaigns, a study has found.
Insikt Group, the threat research division of security firm Recorded Future, has already observed posts advertising access to Games-related organisations in France and compromised credentials using “paris2024[dot]org” domains on the Dark Web.
These findings were published in a new report highlighting high-priority threats to the Games, based on an assessment of past attacks, existing threats and geopolitical context.
Companies in industries like hospitality and transportation are more likely to pay a ransom payment during the Olympics because they will be losing more business than normal during any downtime. As a result, cyber attackers will see the Olympics as a lucrative opportunity, the report claims.
“The underlying goal of a ransomware attack is to elicit a ransom payment, and you generally do that through a sense of urgency,” Alexander Leslie, Threat Intelligence Analyst at Recorded Future, told reporters in a webinar. “That sense of urgency is going to have really heightened expectations and international attention with regards to the Olympics.”
But it is not just organisations at risk, as the authors of ‘Hurdling over Hazards: Multifaceted Threats to the Paris Olympics’ say that attendees will “almost certainly” be targeted with Olympics-related phishing schemes.
TechRepublic takes a closer look at the highest priority cyber threats to the 2024 Paris Olympics identified in the report.
Ransomware attackers target companies linked to Paris Olympics
The report authors “expect to see cybercriminals take advantage of the pressures facing a host city to extort ransomware payouts.”
Companies involved in the running of the Games — suppliers, sponsors and other “low-hanging fruit,” according to Leslie — will be under increased pressure to maintain high and continuous levels of service. They will be involved in sectors such as hospitality, transportation, logistics, healthcare and government.
These companies will also not be used to the demand that will come with new visibility and the arrival of 15 million tourists, unlike primary organisers, the International Olympic Committee and International Paralympic Committee, and providers of Olympics infrastructure.
SEE: 94% of Ransomware Victims Have Their Backups Targeted By Attackers
Furthermore, the number of companies opting to pay the ransom when struck by ransomware is currently declining, with the average payout decreasing by 32% from Q4 2023 to Q1 2024. As a result, cyber criminals are highly motivated to launch a successful attack.
These two factors compounded mean that the risk of ransomware attacks for organisations associated with the running of the Games is high, as attackers will seize the opportunity for a payday.
“Whether that be disruptive or destructive, the downtime with that ransomware attack will inherently affect the operations of the Olympics,” Leslie said during a webinar.
However, while the risk of ransomware attack is high, the level of disruption will “vary based on the critical role played by the targeted organisation,” and there is “almost no chance of a complete halt of the Paris Olympics” due to a single cyber event, according to the report authors. This is because most of the organisations and processes underpinning the Games operate separately from one another, so there won’t be a domino effect of disruption.
Ransomware forms part of double extortion
Leslie told reporters in a webinar: “Given the sense of urgency and the tight time frame to elicit a ransom payment, we’d likely see additional extortion techniques going along with a ransomware campaign.”
Threat actors will not only demand payment in return for restoring access to the company’s data, but also threaten to leak it either to the Dark Web or publicly as additional leverage as part of a double extortion attack. Leaking the information could put the business and the Games at risk of further cyber attacks, financial penalties from regulatory bodies and significant reputational damage.
Other forms of extortion the ransomware attack could be paired with include website defacement, doxxing, distributed denial of service and executive harassment. The additional impacts of these double extortion attacks put even more pressure on the companies to pay the ransom.
Initial access brokers selling remote access to companies linked to Paris Olympics
The Insikt Group analysts believe the “increased appetite” for a successful ransomware attack on organisations associated with the Paris Olympic Games will lead to more activity from initial access brokers.
IABs are specialised threat actors that sell remote access to compromised corporate networks on Dark Web forums and via private communication channels like Telegram. Ransomware operators, or other threat actors, can buy access to organisations associated with the Games from IABs to stage their attacks.
SEE: Initial access brokers: How are IABs related to the rise in ransomware attacks?
Between the start of the year and April 29, 2024, Insikt Group monitored 17 threat leads for advertisements of initial access methods for French entities and 14 for Games-related industries in France. “These include sporting organisations, athletic goods manufacturers and sporting teams within countries that are participating in the Olympics,” Leslie said in the webinar.
“This is a significant increase from not only Q4 of 2023, but the previous year.”
These listings were found on the Dark Web and in forums and included access to remote desktop protocol systems, web shells, File Transfer Protocol Secure and a customer relationship manager system with administrator privileges.
Leaking of credentials affecting Paris Olympics
Insikt says that “the volume and value of credentials affecting the Paris Olympics will likely increase in the months preceding the event, to meet threat actor demand.”
Compromised credentials, obtained either from infostealer malware or Dark Web data dumps, are one of the main ways threat actors gain access to a target organisation’s system. They can be used to stage social engineering campaigns, business email compromise, spear phishing or other attacks, which, if successful, can allow lateral movement across an organisation’s network.
Between January 1 and April 29 this year, analysts identified 624 references to compromised credentials of Paris Olympics employees on Dark Web shops and marketplaces.  “This is a marked increase from last year and a significant increase in only the last month,” Leslie said.
Domains included olympics[dot]com, paris2024[dot]org and paralympics[dot]org, and the log-in information of an email account “likely related to a current employee” of the International Olympic Committee.
But it is not just companies that could be the target of a credential leak during the Games. Leslie said during the webinar: “Compromised credentials can target employees, they can target participants, they can even target spectators; people that are trying to just buy tickets for the Olympics.”
Phishing scams directed at Paris Olympics attendees and associated companies
“Olympic-themed phishing lures and scams will almost certainly target businesses and attendees alike,” the report’s authors wrote.
Attackers will disseminate malware via email and text messages that harvest credentials or other personally identifiable information. Messages will include the “use of urgent language in emails, the impersonation of executives or vendors, and the use of malicious websites posing as vendors or ticketing systems.”
SEE: Spear Phishing vs Phishing: What Are the Main Differences?
Leslie said during the webinar: “In the last three months, we’ve identified over 1,400 references to phishing domains targeting the Olympics, both within France and around the world.”
These include typosquat registrations of Olympic Games domains, where terms have been deliberately misspelt to direct those looking for a legitimate website to a scam version in the event of a spelling mistake.
Mitigation tips for Paris Olympics cyber threats
The report’s authors have provided some mitigations that organisations relating to the Paris Olympics can take to lower their risk of cyber attack:
- Ensure comprehensive visibility of the organisation’s attack surface with a threat intelligence platform. Pay attention to alerts, automate remediations and track the threat landscape.
- Identify infostealer logs and credential leaks related to your organisation and monitor IAB advertisements to prevent account takeovers, data theft, ransomware and other attacks.
- Detect and take down domain and brand impersonations that could be used to scam customers or third parties.
- Raise awareness of phishing within the company and prioritise the patching of high-risk vulnerabilities.
- Monitor the geopolitical environment for events that could alter adversarial nations’ intent to conduct cyber intrusions against the Paris Olympics.
“Organisers and associated stakeholders must focus on an adaptive security strategy that takes into account the geopolitical threat landscape as well as the capabilities of various groups,” the authors wrote.
“Monitoring the evolution of cyber and influence threat actor TTPs and adoption of new technologies ensuring robust cyber defences among all organisations involved in the Paris Olympics from the IOC to public transportation, and fostering international cooperation in intelligence-sharing will be critical to ensuring the seamless running of the Paris Olympics.”
