The Paris Olympic Games kick off on July 24th, and it’s not only the athletes who’ve been preparing: Head of IT Security for Paris 2024, Franz Ragule has said he expects at least ten times the number of attacks launched against the Tokyo Games in 2024 – and that was an estimated 450 million.
Based on what we’ve learned from attacks on previous high-profile events, as well as comments from French authorities, Securin experts Kiran Chinnagangannagari and Aviral Verma gave their insights into some of the threats and approaches to expect…
What Types of Attack are Expected?
Phishing: Attackers will seek to compromise everything from government agencies to event sponsors, official websites, ticketing and infrastructure that supports the event. Phishing attacks exploit a combination of human error and software vulnerabilities to gain a toehold into wider systems, from where further attacks and malware can be launched. On the one hand, we’ll likely see scammers trying to commit credit card fraud or steal data, on the other, we can anticipate state actors seeking to access systems to disrupt. Phishing also plays a key role in ransomware attacks.
Ransomware: ANSSI Director Vincent Strubel believes that ransomware attacks will be more intense around the Games, as cybercriminal groups believe organizations will be more likely to pay up to get things back on track as soon as possible. We’re almost certain to see attacks targeting ticketing systems, networks for venues and results systems. And don’t forget critical infrastructure like transport systems – at crucial times like these, threat actors would see an opportunity to cause maximum disruption and damage. Water, gas, electricity, mass transit, medical and emergency ecosystems are connected and are all potential targets.
DDoS: France has already weathered multiple DDoS attacks on French government websites in recent months, it seems likely that we’ll see more of the same during the Games.
Third Party Leverage: A massive event like the Olympics involves orchestrating and co-ordinating disparate systems – contractors, sponsors, sponsor sites connected to the broader network etc – that’s one big supply chain risk to manage – and cyber attackers (be they nation states, hacktivists or cybercriminal gangs) will be probing and testing and trying to exploit and weakness in that. The same holds for IoT devices and systems – e.g. surveillance devices like cameras, sensors, fire alarms – these should not be ignored as they can be an attack vector into sensitive networks and command and controls. They can also be used in DDoS attacks.
Misinformation and Social Chaos: Attacks on information systems and use of deep fakes are important things for public safety leaders to pay attention to at large events. For example, the French Sports Minister’s Twitter/X account was hacked last week and used to send phishing messages. It’s unclear whether this was a random/lucky attack or something more serious, but it serves to underline the dangers.
French President Emmanuell Macron has said he has “no doubt” that Russia will target the Paris Olympics, with ANSSI Director Vincent Strubel pointing to the threat of state-orchestrated sabotage – and a potential flood of smaller scale attacks to distract from a larger one on critical infrastructure. In the past, we’ve seen DDoS attacks used in this way – attempting to distract and divert resources to create space to launch more serious attacks. All of the attacks mentioned above will be 100 fold because of AI and the increased attack surface from all of these devices and services coming online for a large event.
Is this Type of Training France Experts are Doing on the Right Track? Should They Focus on Something Else?
If they’re preparing for 10 times the number of attacks as Tokyo, you can be sure they’re looking at absolutely every scenario. The head of IT security for the Games, Franz Regul has made it clear that they’re focusing on sabotage operations – and that significant resources, training and scenario planning/simulations have gone into that – including keeping the location of their SecOps center secret. . There are reports of extensive training and simulation exercises to deal with ransomware and DDoS, with the country drawing on the services of ethical hackers, pentesters and auditors to seek out and expose any gaps. They’re also using AI to run simulations and triage. All of this constitutes good strategy – the fact that this is being augmented with extensive training and distribution of clear written guidance for all participants and organizers adds the extra layer of dealing with human weakness.
Hosting the Rugby World Cup last year – and experiencing and mitigating attacks during that time – will have given them valuable insights and experiences, as well as the opportunity to test out any strategies developed with an eye on Paris.
How can International Agencies Support France in this Aspect?
There’s already co-operation with the USA – French officials have visited Washington to consult on security. From a broader industry and defender perspective, we can all contribute through continuous asset discovery and exposure of all assets connected to the internet. Avoid the low-hanging fruit that makes life easy for attackers: known vulnerabilities, default configurations, missing authentications, default passwords. And have rapid response teams on standby to recover and restore if and when an attack happens.