The FIFA World Cup is one of the most anticipated and watched sporting occasions in the world, and this year’s tournament in Qatar is no exception. Given its global reach and popularity, the World Cup is a tempting target for a variety of cyber-threat actors, from those seeking to scam money from supporters to groups intent on disrupting the occasion for political reasons, such as nation-states and hacktivists.
Sporting events are becoming more digitized, from the use of apps and websites to store tickets and sell merchandise to the growing reliance on digital technologies to run critical services used by teams and fans, and the opportunities for threat actors to strike continue to grow.
Cybersecurity has become a major component of the planning for organizers of events like the World Cup. To find out more about the threats faced, and how these can be mitigated, Infosecurity caught up with Michael Smith, field CTO at Neustar Security Services and former cybersecurity advisor for the 2014 FIFA World Cup and 2014 Winter Olympic Games.
Infosecurity Magazine: How have cybersecurity challenges grown for organizers of high-profile sporting events over the past two decades?
Michael Smith: The 2014 World Cup and 2016 Olympic Games were a good example of the threat hacktivists pose to large sporting events. There was a social cause around how the host nation was building stadiums instead of housing for homeless people. The hacktivist campaign started with attacks on local government as well as the police and state, resulting in a series of data breaches, defacements and website outages.
However, from the attackers’ perspective, the campaign was a failure because it did not give them the publicity that they wanted for their cause since the press were not interested in covering hacking attacks at the state and local level. In response, the hacktivists extended their target list to the central government and recognizable brands and companies inside Brazil.
With the Tokyo Olympics, there was an existing hacktivist attack campaign for several years that followed a similar pattern to Brazil, starting with both state and local government in 2013. In 2015, the hacktivists switched to police and central government, as well as other areas which would result in maximum disruption such as major airports, automobile manufacturers and other critical infrastructure.
The Qatar World Cup has its own challenges. It is likely that hacktivists will use their activities as a platform to convey whatever message it is that they are trying to get across – the more people they can reach the better. They will be looking to cause disruption and target a large audience by any means necessary.
IM: What were the biggest challenges and threats you experienced while acting as a cybersecurity advisor for the 2014 FIFA World Cup and 2014 Winter Olympic Games?
MS: We think of a large sporting event as a single target, but it is an ecosystem. It’s a large attack surface made up of multiple systems, computers and devices – live online video streams, a global ticket site, event sponsors’ websites, a volunteer portal to keep the event running, merchandising sites and even local government IT systems.
When I supported the World Cup and Olympic Games, most ‘incidents’ took the form of online attacks against websites: ticket scraping and inventory hoarding bots for ‘locals only’ tickets, vulnerability scanning and DDoS on event sponsors, and credential stuffing and account takeover directed at ticketing sites. There were a lot of DDoS-style attacks during the opening ceremonies as it would generate the most publicity for the attackers.
Then there are the in-person devices at the event. The London Olympics was the first event to have stadium-wide WiFi. Before the Sochi and Beijing Winter Games, there was a lot of conversation about leaving your devices at home because when users connect to the WiFi or even cellular network in those countries, they would be exposed to so many attacks.
Tokyo was the first Olympics where the organizers expected to have more devices in the stands than spectators. There are some protections built into Wi-Fi such as client separation, which keeps machines on the same access point from attacking each other. However, there is nothing to keep a criminal from setting up their own seemingly legitimate access point that does not have any protection.
IM: Which threat actors typically target major sporting events, and how do their methods/tactics differ? Do you think the types of threats will be any different for the current FIFA World Cup in Qatar?
MS: There are a wide variety of attackers, all with their respective motivations. A good example is the hacktivist threat that we discussed previously. Those attackers normally are looking for publicity for their cause or to punish the target.
Then there are the criminals such as those who attack devices at the event. They are looking to infect as many devices as they can so that when the users go home or to the office, the attackers have connections into those networks and can use that access to pivot into additional targets. That becomes a big enterprise issue as the devices come back into your corporate network. Of course, there are also the online criminals that attack websites, such as the DDoS ransom gangs or the criminals who steal data out of websites in a data breach.
The nature of large sporting events means that IT teams simply do not have a good baseline of what constitutes normal traffic for the event. It is the very definition of a flash crowd – going from zero traffic to millions of concurrent visitors, sometimes in a matter of minutes. This makes it very hard for security teams managing the network as they do not have any previous traffic to compare it to, so they must make an educated guess on what is malicious and what is not. Success here depends immensely on the amount of security operations staff or ‘blue-teamers’ you have with experience in similar situations so that they can analyse events quickly and accurately.
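The baseline problem described in the answer above (a flash crowd and a credential-stuffing run can both look like "millions of logins out of nowhere") is easier to see with per-source statistics than with raw volume. The following Python script is an added example, not part of the interview and not code from Neustar or any event organizer; its log format (`<source_ip> <username> <status>`), the IP addresses and the threshold values are constructed for illustration. It separates a legitimate surge (many sources, each logging in as one user, mostly succeeding) from credential stuffing against a ticketing login (one source cycling through many usernames with a high failure rate), which is the kind of quick, accurate triage the answer says experienced blue-teamers must do without a historical baseline.

```python
"""Added example: per-source login triage that distinguishes a flash crowd
from credential stuffing. Log format, addresses and thresholds are
constructed for this illustration (documentation IP ranges only)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    """Counters kept for each source IP seen in the login log."""
    requests: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_line(line):
    """Parse one constructed log line: '<source_ip> <username> <status>'."""
    ip, user, status = line.split()
    return ip, user, int(status)


def aggregate(lines):
    """Roll login attempts up per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ip, user, status = parse_line(line)
        s = stats[ip]
        s.requests += 1
        s.users.add(user)
        if status != 200:          # anything other than 200 is a failed login
            s.failures += 1
    return stats


def flag_credential_stuffing(stats, min_requests=20,
                             min_user_spread=0.8, min_failure_rate=0.7):
    """Flag sources that try many distinct usernames and mostly fail.

    A flash crowd is spread across many IPs that each make one or two
    attempts, so no single source reaches min_requests. A stuffing run
    concentrates many usernames and failures on few sources.
    Threshold values are assumptions for this example, not vendor defaults.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.requests < min_requests:
            continue
        user_spread = len(s.users) / s.requests
        failure_rate = s.failures / s.requests
        if user_spread >= min_user_spread and failure_rate >= min_failure_rate:
            flagged[ip] = {
                "requests": s.requests,
                "failures": s.failures,
                "distinct_users": len(s.users),
                "failure_rate": round(failure_rate, 3),
            }
    return flagged


def volume_summary(stats):
    """Totals only: this is all a volume-based alert would see."""
    return {
        "total_requests": sum(s.requests for s in stats.values()),
        "distinct_sources": len(stats),
    }


def build_sample_log():
    """Constructed sample: 200 fans logging in once each (a few typos),
    plus one source (198.51.100.7) cycling through 150 usernames."""
    lines = []
    for i in range(1, 201):                       # flash crowd, 192.0.2.0/24
        status = 401 if i % 25 == 0 else 200      # every 25th fan mistypes
        lines.append(f"192.0.2.{i} fan{i} {status}")
    for j in range(150):                          # credential stuffing
        status = 200 if j in (3, 77) else 401     # two reused passwords "hit"
        lines.append(f"198.51.100.7 victim{j} {status}")
    return lines


if __name__ == "__main__":
    stats = aggregate(build_sample_log())
    print("volume view:", volume_summary(stats))
    print("flagged sources:", flag_credential_stuffing(stats))
```

Both sets of traffic arrive in the same minute and add up to one volume spike, so the `volume_summary` view cannot tell them apart; the per-source spread of usernames and failures is what separates the stuffing source from the 200 genuine fans. On a real ticketing site the same counters would be taken from the web server or WAF access log, keyed on the source IP or session, and the thresholds tuned to the traffic actually observed during the event.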
IM: What mitigation efforts and cybersecurity best practices should organizers be putting in place for these types of events?
MS: I think of the attack surface as two different realms – the first layer being websites and other internet-accessible services. Organizations should focus on web application protection, DDoS mitigation and DNS resiliency. The end goal is to have an architecture that has the resiliency that you need and the people who have the experience to know most of the problems that you are facing and who have that speed and accuracy in analysis.
The second attack surface is the end-user computing devices – the laptops, phones and other things that we use. Starting with phishing and other threats, CISA, the US government agency, has a set of good tips that people should read up on how to protect themselves.
IM: What cybersecurity guidance should organizers be sharing with spectators and other attendees at these major events?
MS: The first thing to determine is whether you even need your device at the event and if you need network access enabled on it. If all you need is a camera, then you can use your device in airplane mode, which shuts off all the connectivity, but especially the WiFi and Bluetooth.
Fans might also want to bring a different device that they factory-reset before they go to the event and then afterwards, move their photos and videos onto an SD card and do another factory-reset of the device so that they destroy any malware that happens to be on it. They should always keep their devices patched and upgraded. This is easy to do, as almost all devices support automatic updates. If the device is supported by anti-virus, use it, and keep it updated.