Olympic-Sized Outcomes: Cybersecurity in Sports

As the Tokyo Olympics gets underway, there's no shortage of cybersecurity worries for the International Olympic Committee, the Tokyo Games, or their many associated contractors.

In the lead-up to the summer games, Japan’s chief government spokesman, Katsunobu Kato, underscored the importance of every decision the committees make, stating that an ill-intentioned attack "could undermine the foundation of democracy.”

History proves Kato has good reason for concern—and so do spectators, competitors, and competing nation states.

Looking back: Sports are risky business

We don't have to look far into the past to see the evidence of risk: In 2020, US intelligence agencies and the UK National Cyber Security Centre (NCSC) ran a joint operation that uncovered a planned Russian military intelligence cyberattack on the Tokyo Olympics.

And in 2018,a cyberattack reared its head right as the Pyeongchang Olympics began, sending security teams scrambling to the technology operations building. Luckily, the symptoms were caught and the sickness eradicated—likely owing to the many years of planning that had gone into developing the necessary security and recovery measures. Still, the attack highlighted the fact that major sporting events can represent major opportunities to attackers.

The often political agendas of threat actors make the Olympics a particularly enticing target. International interest and the necessary involvement of operational technology (OT) mean the effects of a successful attack could be physically felt and experienced—and of course, highly publicized.

These types of traits make sporting organizations and events ever more popular attack targets. In a report released in 2020, the NCSC revealed that of the 57 sporting organizations it surveyed, 70 percent had experienced at least one attack per year, while the average across all British businesses was only 32 percent.

In November of that same year, Manchester United was one such organization; it saw hundreds of thousands of pounds disappear due to the effects of a ransomware attack (including lost income).

Shots on goal

So why, aside from OT and international interest and publication, are sporting organizations such popular targets?

First, they feature a lot of moving parts and players as part of the supply chain, including you, a potential remote viewer of the Olympics livestream. And, as the involvement of digital technology in sports grows, so too do the possible attack vectors, from connected camera drones to email. (See: Lazio FC's two million euro loss.)

Most sports organizations have their own marketing materials and communications platforms that can be exploited, including websites, online banking accounts, and cloud servers. From a classic SQL injection to a destructive DDoS attack, the possibilities for threat actors only seem to be growing.

It's obvious that cyberattacks can significantly impact the success of any business, and sporting organizations and events are no different—except that they're more exposed to the public, and highly politicized due to the value they can produce. But cyberattacks on the sports industry aren't just bad for business. They're a threat to fans worldwide.

Major penalties

Many fans dream of turning from spectator to player—but not when it comes to becoming an attack victim. And yet, attacks targeting the sports industry can rely exclusively on spectator participation.

As an example, consider the 2007 hack on the Miami Dolphins' website, in which Chinese hackers exploited a Microsoft flaw to serve up malicious JavaScript to website visitors. While password-stealing malware is bad enough for consumers, it's worth noting that sports fans often check on their favorite teams, including game schedules, highlights, and news, on corporate computers and laptops. If the attack initiated through that compromised code had been successful, company passwords would be compromised, opening the door to further breaches, including account compromise.

Sports fans are especially vulnerable to attacks when emotions and stakes are high, such as during or leading up to playoffs or championship games. This is a prime opportunity for hackers to launch simple but effective phishing attacks, with the ultimate goal of stealing either money or passwords. Data leaks make the hackers's job even easier, as personal information swiped from social media accounts include everything from a user's favorite team to the sport organizations the user follows.

It's not just spectatorship-as-a-vector that makes sport-related cyberattacks a threat to fans. It's also spectatorship in physical spaces.

As the Center for Long-Term Cybersecurity at UC Berkeley reported in "The Cybersecurity of Olympic Sports: New Opportunities, New Risks", historically, fears about attacks during sporting events were "cabined to digital systems (like the electrical grid) and basic computing equipment (like websites and phones)." But that was pre-IoT. Now, the physical, digital, and operational components of an event are inextricably linked. Today, an attack is much more capable of disrupting the fan experience.

Whether a stuck turnstile at the Man United game, a full shutdown of a stadium, or a significant data breach on a sports organizations, the physical effects of a cyberattack can be felt in a very real, personal, and significant way.

Game on

The 2020 Olympics had an extra year to prepare for cybersecurity attacks, but so did attackers. While we keep our eye on the security events of the summer, sporting organizations should keep their eyes on the ball: the potential for security events that exists all around them.

To learn more about how to protect against cyberattacks within your own business or your clients' business, contact Vade today.