Why the Paris Olympics Can Pose Cyber Threats for Any Business – and How You Can Prepare

Olympics organizers have been bracing for cyberattacks around the upcoming Games in Paris, as threat actors aim to capitalize on the high-profile global event. In an increasingly connected world, and with geopolitical tensions running high, cybersecurity experts are warning of an “unprecedented” level of attacks.

The French National Information Systems Security Agency, which works out of a secret location during the Games, is on high alert: “We are preparing for everything,” said agency head Vincent Strubel.

But it’s not just the organizers and sponsors who need to be prepared.

Don’t just react to vulnerabilities – take a proactive stance with solid intel backed by precise real-time data and autonomous power.

Besides the host city and all the entities associated with the Games, including corporate partners like Allianz, Deloitte, Intel, Omega, P&G, Samsung, and Visa, among others, online attacks might also affect companies not directly associated with the event, say cybersecurity experts.

In its new report on the threats facing the 2024 Olympic Games, released this month, security company Recorded Future warns that attacks could affect companies indirectly supporting the event in sectors including transportation and logistics, healthcare, hospitality, and public service. These companies face more pressures in the run-up to the games, it warns.

But threat actors can have a wide range of reasons for targeting during this time, so even companies neither directly nor indirectly associated with the Games should be on alert. Here are some of the risks.

The top Paris Olympics cyber threats? It starts with politics…

The Paris 2024 Olympic and Paralympic Games, to run July 26 through August 11, is being touted as the biggest event ever organized in France. Throughout its history, the Olympics has weathered political strife and this year, experts warn, unrest in various hotspots globally and in France could mean trouble. Hacktivist groups or nation-states with a grievance against France might seek to disrupt companies headquartered there. And around the world, geopolitical tensions are at historical highs, notes Jérôme Warot, vice president of technical account management at the cybersecurity-solutions firm Tanium, the leading provider of Converged Endpoint Management (XEM) and publisher of this magazine.

If IT service providers related to the Olympics are targeted or taken offline in some way, then it’s likely that all their other customers suffer to a certain extent as well.

“You have the Israeli-Palestinian conflict, the Russia-Ukraine conflict, and the presidential election for the U.S.,” says Warot, who is based in Paris. “And you also have right now a big political crisis in France,” after the far right trounced President Macron’s party in the EU parliamentary elections. Macron’s unexpected call for a snap election in July has heightened tensions in the host country.

A bad actor trying to make a political statement would see the Olympic Games as a prime opportunity. That also includes nation-states such as Russia. Microsoft says the country is still smarting over the International Olympic Committee’s decision following the Russian invasion of Ukraine not to let Russian athletes compete under their flag in the Games, and it has long participated in cyberattacks and disinformation campaigns around Olympic events. This spring, Russian actors carried out an online misinformation campaign aiming to provoke fear of terrorism at the Paris Games. In 2016, the World Anti-Doping Agency attributed an attack on its systems to Russia’s APT 28 hacking group, after the agency called for Russia to be barred from the Games in Brazil that year. The U.S. also blamed Russia – which was still barred from competing under its own flag – for the 2018 attack on the Pyeongchang Games.

Critical infrastructure companies should be especially wary around the time of the Olympics, warns Jonathan Ong, senior cybersecurity analyst at research company Omdia. Power and water grids, transport and communications, and finance and healthcare systems will all be at risk. “The increased dependence on these backbone systems during this period makes them a prime target,” he says.

[Read also: Feds have already warned of a hacking wave on water systems – here’s our roundup of cybersecurity services]

An attack on an organization associated with the Games, or a French organization, could have broader implications, he warns.

“If a particular supplier is targeted, then it can have an impact on all of their customers, whether they’re related or not,” he adds. “If IT service providers related to the Olympics are targeted or taken offline in some way, then it’s likely that all their other customers suffer to a certain extent as well.”

Ong warns that this effect on the supply chain might be more targeted than incidental. “The nth degree (4th, 5th…) supply chain enabling these sectors will likely be probed for vulnerabilities,” he says.

Phishing pros go for gold at the Paris Olympics

The Olympics is also an ideal opportunity for attackers to break into any company whose employees want to know about the Games, Ong points out.

We could see a rise in phishing attacks targeted at credential harvesting,… fueled by the interest in the Games and augmented by the democratization of AI tools.

“One of the ways to gain unauthorized access would be through identity-based vectors. This means we could see a rise in phishing attacks targeted at credential harvesting,” he warns. “This is further fueled by the interest in the Games and augmented by the democratization of AI tools. Phishing emails are now more sophisticated and error-free, and deepfakes have thrown traditionally safer verification methods like video and speech into doubt.”

With cybercriminals already reportedly registering domain names that look related to the Olympics, we can expect a flurry of emails pointing consumers to fraudulent online locations supposedly related to the event or distributing malicious attachments using the Olympics as a hook, just as we’ve seen in the past. Phishing attackers scooped up ticket holders’ information during the 2020 Tokyo Olympics using a fake website.

[Read also: CISO success story – how LA County trains (and retrains) workers to fight phishing]

“The authorities must be very clear in terms of pointing people toward the official websites for tickets, directions, and other information,” says Richard Absalom, principal analyst with the research team at the Information Security Forum.

Corporate activity breeds business email compromise

The natural evolution of spear-phishing scams is business email compromise (BEC). The flurry of corporate activity leading up to the Olympics is the perfect breeding ground for these attacks, in which criminals impersonate high-ranking individuals within target organizations, warns Absalom. Even companies not directly organizing the Games might be coordinating Olympic-related activities ranging from marketing initiatives to executive Olympic trips, and not all of them will communicate well internally. That opens gaps that criminals can exploit with fake invoices or even fraudulent ticket requests.

“There’ll be someone who is organizing trips, someone looking after ticketing, someone responsible for transport and policing, some making sure that the VIPs get to their seats,” he explains. “Could you impersonate them or the people that look after them?”

When disruption of service hits downstream

Attackers can launch a range of attacks on companies, gaining access to their networks via phishing attacks or via credentials gleaned from initial access brokers (criminal groups who hack targets and then sell access to the highest bidder). These technical attacks include ransomware, which can have significant effects on downstream customers.

This has created an imbalance in supply and demand.

For example, a July 2021 attack on U.S.-based network management company Kaseya took hundreds of grocery stores in Sweden offline. There’s no clearer example of how an attack on one company can damage others half a world away.

A foothold inside a victim’s network isn’t necessary to wreak havoc. A simple denial-of-service attack can be launched via a botnet (a network of malware-infected computers), or by multiple hactivist participants around the world, or using a reflection attack that triggers large amounts of internet traffic to bring down an online service. These could also disrupt services to customers overseas. Denial-of-service attacks targeted websites for organizations affiliated with the 2016 Rio de Janeiro Games for months prior to the event.

An old-school cyber threat – corporate espionage

Another related risk is espionage. Recorded Future raises the specter of a nation-state mining victims’ networks for information about sensitive or high-level officials that travel to the Games. Such attacks could target travel companies that are arranging Olympic-related trips.

How to prepare for Paris Olympics cyber threats?

How can enterprises – whether in the Games’ immediate vicinity or farther afield – prepare for these risks? It might prove difficult due to a lack of resources, warns Warot. IT and cybersecurity services companies are already overburdened serving large enterprises that are concerned about Olympic-related risks, he says.

“This has created an imbalance in supply and demand,” Warot warns. Consequently, smaller companies are finding it harder to source third-party expertise to help them harden their own security posture.

Dig down into your key critical suppliers (especially those based in France) and who else they do business with. Are they exposed in any way when it comes to the Games?

Nevertheless, there are some best practices. Companies should treat the Olympics threat as a risk management exercise, prioritizing the biggest risks and focusing what resources they have on mitigating these.

“Dig down into your key critical suppliers (especially those based in France) and who else they do business with,” Absalom says. “Are they exposed in any way when it comes to the Games?”

Risk management at a technical level also means prioritizing patches for the most vulnerable flaws on your most valuable systems, adds Ong. He also advises companies to harden their systems through measures such as multifactor authentication, access control reviews, and closing any gaps in password management.

[Read also: Learn the latest tactics, techniques, and procedures utilized by threat actors by using the MITRE ATT&CK framework]

He also advises organizations to prepare their people as much as possible. This includes raising awareness around heightened risk and common attack methods like phishing, updating their incident response playbooks, running tabletop exercises, and even conducting breach and attack simulations.

The final internal defensive layer is detection, Ong says. This includes the use of threat intelligence to identify the tools, techniques, and procedures (TTPs) used in previous sporting attacks, along with the latest industry-specific threats. Companies should work with their security tools vendors to tune their detection engines accordingly.

All experts agree that sharing information around threat intelligence and attempted attacks is a valuable practice around large events like the Olympics, and Warot already reports increased knowledge transfer – such as reports of elevated attack activity – inside the cybersecurity community in the run-up to the Games.

Global events increasingly require global (or at least collaborative) responses. And that will hold true for those closest to the charged environment in Paris this year, and those on the other side of the world.