Cybersecurity at the Rio Olympics: Who’s Gonna Take Home the Goods?

“Cyber intelligence companies and western government officials warn that the two-week sporting festival, which began last Friday, could lead to some of the highest levels of cyber criminal activity in years.” — Financial Times

Background Check: Brazil’s Year-Round Risk Barometer

Even without its current status of the 2016 Olympics host, Brazil is one of the world’s weakest cyber victims (all year round), and has become a go-to target for online criminal activity (specifically online banking fraud). It’s even been described as “one of the most pervasive cybercrime environments worldwide”.

Between 2010 and 2015, Brazil saw a 400% increase in serious cyber attacks — with a “notable spike” aka 200% increase, in 2014 alone, while the country hosted the football World Cup.

In general, PwC considers Brazil to be in a “poor state of cybersecurity”, and among the worst in developed nations, implying that business dealings in this region come with a serious risk-level.

Brazil was ranked the 10th largest hub of cybercrime (in a 2015 Internet Security Threat Report), and the source of 2% of all detected global cyber threats in that year.

Which Cyber Risks Do the Olympic Games Bring to Rio?

Given Brazil’s characteristic weaknesses to digital security and their reputation for poorly protected corporate networks, the country as a whole is notably attractive to organized cyber crime and to the hacktivists involved.

How so?

Possible Attack Vectors:

Email

• Malicious email attachments with event guides and maps
• Phishing emails that aim to extract personal information such as credit card numbers or bank account details.

Business and Personal Assets

• Retailers and businesses “looking to capitalise on Rio”
• Smartphones and computers belonging to travelers
• Credit card cloning and ATM skimmers

Public/Tourist Facilities

• Public WiFi
• USB ports at charging stations and at airports, specifically.

Websites

• Websites with Olympic-related news
• Fake websites that offer free giveaways or try to sell tickets to alleged special events.

What’s Been Happening/Observed Until Now

• An 83% rise in phishing attempts via malicious domain names and URLs, and a 76% spike between April and June alone (Fortinet)
• One in four wireless internet access points that are meant to be used by tourists are highly vulnerable to cyber attacks (Kaspersky).
• Cyber experts have identified an underground market for SSL certificates associated with the Rio games, which have the potential to make fake websites look legitimate, via a “secure” connection between a server and a web browser.

International Olympic Committee: A Sought-After Target

The International Olympic Committee (IOC) keeps a very active Security Operations Center (SOC), which monitors (and responds to) security incidents, including phishing and malware campaigns. Many of these campaigns originate with malicious domains, and so far 230 of them have been added to a domain blacklist.

Employees of the IOC are a sought-out target for cyber criminals, largely because of the lucrative credentials that are connected to their online activity.

In February 2016, a malicious domain campaign, masquerading as the IOC’s Intranet portal, was identified. The hackers involved were aiming to steal credentials of IOC employees. See the fake website shown below:

Comparing Rio’s Threats to London’s in 2012

London 2012: “We Were Attacked Everyday”

We expect there to be approximately 4x the amount of attempts at cyber crime than there were at the London Olympics in 2012 (165 million) — a direct outcome of the increased levels of tech evolution and the growing number of people connected to the internet which have respectively blossomed since 2012.

For some perspective about these growth rates:

(source:internetlivestats.com)

How London Managed the Cyber Risks

How do the expected attack vectors of the Rio games compare to the vectors that were attacked in London in 2012?

According to the Independent, London 2012 was “the largest peacetime security operation in British history” — no small matter, to say the least.

That being said, the security operation did indeed amount to a price of £500m, with an initial struggle to recruit and train enough staff — resorting to draft in armed forces to support the massive police presence during the games.

The UK Home Office in no way denies the cyber incidents that made their way into the Olympic Village. On the contrary, they explicate what the proved attack vectors were, and how the cyber criminals targeted them;

How did they do it?

• They MINIMIZED the risk by using a content distribution network, there was no single point of weakness. This network also pushed out data, which made it harder to be hit by a DDoS, as ‘the front end was highly distributed’.
• Scenario-based testing of systems

British Telecom (BT) was responsible for protecting the London 2012 computer systems from hackers and fraudsters. CEO of BT Security, Mark Hughes, attributed the successes of the company’s cybersecurity efforts to “design, extensive testing, and having the right people”.

Thanks to one of the event hashtags, “#letthegamesbegin”, criminals were unintentionally alerting security forces when they were on the verge of executing an attack, when they tweeted messages like “let’s have a go at the website”. In cases like these, thwarting incidents came down to a matter of monitoring social media for dangerous conspiracy chatter.

Looking Ahead: Takeaways in Hindsight of 2012

Although the 2012 games were undoubtedly a prime target for hackers, hit by about 165 online cybersecurity incidents overall, the reach of online criminals is said to have grown considerably over the four year that have passed, with a growing emphasis on organized cyber crime.

Takeaways from 2012: Proactive Defense Capabilities

Intelligence

Use an intelligence-led, risk-based approach in order to react in real-time;

By using network analytics to derive intelligence; sharing cyber threat information between agencies and intelligence bodies enables targets and/or security forces to prepare their defenses prior to attack. In other words, by knowing what the adversary is doing, you can stop them from bypassing your defenses.

Personnel

Hire technologists who can work at marathon speeds (much like Olympic athletes).

Last but not least, CIO of the London 2012 Olympics, Gerry Pennell advised:

“Prior experience only goes so far…It is important to have fresh thinking for each Olympics, but it is also important that there be a preponderance of people from the host country in IT so that the IT plan reflect the unique aspects of the technology landscape in that country.”