Cyber teams preparing for major threats at Olympic games

July 24, 2024
Maintaining robust physical security is paramount, but a well-timed cyberattack against an unprepared populace can spell disaster.

(Editor’s note: This is the second in a two-article series about the physical and cybersecurity challenges the security industry is tackling at the Paris Olympic Games.)

More than 10,000 athletes and tens of millions of eager spectators are traveling to France for the 2024 Paris Olympic Games.

Friday’s 2024 Opening Ceremony, which will be held on the river Seine, is the first to take place outside of a stadium, and organizers intend to make the ceremony “open to as many people as possible,” not only through on-site venue enhancements but also by streaming the event live online and on television.

While an unprecedented security force protects the Games from physical threats, an equally challenging threat looms that can’t be seen: a robust effort by cyber criminals to perpetrate fraud, chaos and confusion.

As cybersecurity teams tasked with preparing for the Games can attest, bustling venues are not only a problem for physical security professionals. Ensuring that the event remains uncompromised both on-site and at home despite the size of its attack surface is a monumental undertaking.

Big Events, Bigger Attack Surface

While physical security teams may focus on on-premises threats, the nature of the event makes cybersecurity important at every stage, from ticketing to streaming to securing the physical venue itself.

“This is an international-scale event that requires international-scale security,” says Bri Frost, Director of Curriculum, Cybersecurity, and IT Ops at Pluralsight. “Everything that touches it is just so vast.”

Because the event involves visitors, partners and vendors from around the world, teams need to respect other nations’ policies and regulations on data protection and security controls. It is also important to understand the current geopolitical climate to better keep an eye on specific organizations, countries, or critical infrastructure that threat actors might target, experts say.

One major concern is securing the Games’ official livestream, which will be broadcast globally. “Cloud-based services like streaming come with risk: all cloud traffic is encrypted to keep data safe, but 93% of malware hides behind encrypted traffic,” says Chaim Mazal, Chief Security Officer at Gigamon. “Cloud encryption is a double-edged sword.”

The accessibility of the Opening Ceremony is a major draw for threat actors as well. Because the ceremony is taking place outside of a stadium, there is much more ground for physical security teams to cover. With the rise of hybrid cloud and IoT devices, any connected security technology added to a system increases its attack surface.

If any one of these devices is compromised, a threat actor may be able to move through it to gain greater access to a network and the sensitive data within. Additionally, a coordinated cyberattack could leave on-premises security teams completely blind in the event of a perimeter breach or other incident.

“There’s a massive amount of technological infrastructure that has to be secured,” Frost says.

Cyber criminals look to AI as a partner in crime

The Olympic Games are no stranger to hostile incidents, which makes the mission to secure them all the more vital.

The 2021 Summer Games in Tokyo fielded over 450 million cyberattacks, and the 2018 Olympic Destroyer hack sent IT teams scrambling to recover moments before the Opening Ceremony. The Olympic organizing committee only expects this to get worse, citing the invention of more advanced hacking tactics, rising geopolitical turmoil, and the widespread availability of artificial intelligence (AI).

AI currently has public attention in a stranglehold, and for good reason. AI technology has become so prevalent that most people have already been exposed to some manner of AI-generated art or text that is convincing enough to fool the eye on first glance. Those concerned about the danger this technology poses tend to be louder than proponents of its helpfulness.

“AI has lowered the bar of entry for cybercrime,” says Frost. “Threat actors are coming from across the board.”

This coincides with a notable increase in dark web activity targeting France in 2023 and 2024. A Fortinet study shows an 80-90% increase in stolen PII and a spike in hacktivist activity by pro-Russian groups.

French officials have also linked an uptick in typosquatting, a phishing technique that involves stealing credentials by using a fake website with a misspelled domain name, to fraudulent ticket-selling scams. AI has refined the effectiveness of these social engineering campaigns by making fraudulent websites and phishing messages more convincing as the technology evolves.

Low-level cybercriminals may also turn to AI to write tailored code they otherwise would not have been able to. Phishing kits have become more accessible than ever, with Fortinet noting that some kits customized specifically for use during the Paris Olympics are being actively sold on the dark web. While concerning, this is only a minor aspect of what makes AI such a threat.

“The first threat at the top of everyone’s mind right now is AI,” says Frost. “However, sophisticated advanced persistent threat (APT) groups or nation state actors aren’t using AI to write code.”

While the advent of public-use AI technology has lowered the barrier of entry for cybercrime, resulting in a wide range of low-level cybercriminals posing a significantly greater threat than before, the real threat that AI poses is found in its capability to spread misinformation, a capability that nation-state actors from Russia have more than taken advantage of in recent years.

Geopolitical Challenges

Russians targeted the 2024 Olympics with a fake AI-generated Tom Cruise documentary appearing on the messaging platform Telegram criticizing the International Olympic Committee. Other misinformation efforts have targeted France, Emmanuel Macron, and the Paris Games.

Russia’s contentious position in the upcoming Games will likely stoke tensions further, with Russian athletes able to participate but unable to represent their country following the invasion of Ukraine.

“The national security concern over Russia is very valid,” says Jessica Hetrick, Vice President of Federal Services at Optiv + ClearShark and former FBI cyber threat analyst. “The exploitation of a company to collect and weaponize personal information is a very real risk, and AI has brought a whole new dimension to disinformation campaigns.”

The two often work in tandem, with stolen personal information serving to make AI disinformation campaigns more convincing. An AI-generated phishing email may be unconvincing on its own but can have devastating security results when sent from official accounts seized using stolen credentials.

Additionally, Hetrick says cybercriminals are leveraging AI to run disinformation campaigns using fake news, doctored images or videos, and even originally generated content. They then spread this misinformation across social media to sow discord and mistrust.

According to Hetrick, networks of Russian-affiliated threat actors pursue disinformation campaigns to discredit the Games’ reputation and spread fear of imminent violence with the intended result of decreasing attendance and driving away interest. This is likely in retaliation for the International Olympic Committee’s ruling on Russian participation and explains why they are a primary target of attack.

IOC Spokesperson Mark Adams said in a recent press conference that there have been no direct conversations with Russian officials about the deepfakes, but the IOC has confidence in the cybersecurity plans they were briefed on several days ago.

“It’s one of those things we must live with in the world, and I wouldn’t want to speculate further on what we’re going to face and what will happen,” Adams said during the press conference. “It’s part of the divisive world we live in.”

Prevention the Best Route

In light of this harrowing number of threats, cybersecurity teams protecting the Paris Olympics will have to go above and beyond to ensure a safe experience for athletes, organizers, at-home viewers, and attendees.

“All of your defenses and controls have to be driven by intelligence,” says Frost. “You need to ingest all of the intel you have on the threat actors you’ve identified: what their techniques are, what they target, what signs they look for, how they gain initial access, and the steps they take even after the fact.”

“The only way to truly state that your organization is risk-free before, during, and in the aftermath of the Games is to have 100% visibility into all data in motion,” Mazal adds. “Organizations need to spot suspicious traffic and respond quickly to avoid remediation costs, reputational damage, and loss of trust.”

He also urges teams to adopt a more tenacious mindset: once a threat actor has gotten into a system, it isn’t game over. A cybercriminal who has breached the perimeter can still be stopped before they are able to successfully exfiltrate data or compromise systems.

Hetrick emphasizes collaboration with other intelligence campaigns to paint a clearer picture. “Various threat intelligence campaigns can go on to feed different engines with new threat intelligence, indicators of compromise, and information that helps the bigger engine of detection become more effective. That collaboration is crucial, healthy, and very necessary.”

Frost also advocates for an offensive approach to security, or “preventative intelligence.” She attributes the success of the Tokyo Olympics to the team of 200 ethical hackers hired to simulate cyberattacks for security personnel. “At the Tokyo Olympics, analysts knew what to do and what to look for to identify threat actors and their techniques,” says Frost.

The Human Element

Perhaps the most important aspect of preventative intelligence, however, is ensuring that both employees and attendees are informed of the potential risks.

“Every publicized breach has occurred behind multibillion-dollar firewalls,” says Mazal. “Employees are only human and cyberattacks are inevitable.”

Monitoring employee traffic for suspicious or unsecured websites, raising awareness about social engineering techniques and malware, and informing users about the safe use of connected devices build a strong foundation for a robust human firewall and will be valuable in guarding the Games.

Frost advises Olympic-affiliated security organizations to help educate attendees about customer-facing phishing techniques using fraudulent domains or infected links. Ticketing and other online service companies can provide security FAQs on their websites to ensure that customers can accurately verify official email addresses and messages.

Hetrick urges a different, but no less important, method of education: teaching people to “think before they click.”

“Disinformation campaigns are going to get more and more comprehensive and creative, and they’re going to get harder to differentiate,” she says. “It’s going to be more important for people to question the source of their information, evaluate it, and think critically. Does it provoke an emotional response? Is it something bold and controversial? Is this ordinary, exaggerated, distorted, or abnormal? Does it contain links that seem odd?”

In spite of the challenges facing the Paris Games, security professionals remain optimistic about their ability to combat them. A healthy dose of due diligence, education, and respect for the abilities of threat actors will go a long way.

“I’m looking forward to this being a successful year,” Frost says. “A big part of a security team’s responsibility is not just to have security measures in place, but to ensure cyber resilience as well.”

About the Author

Samantha Schober | Associate Editor

Samantha Schober is associate editor of SecurityInfoWatch.com.