By Ippolito Forni, Threat Intelligence Analyst
The 2020 Tokyo Summer Olympics is drawing ever nearer and just as organizers and athletes have been preparing for the event, so too have malicious actors. As the most popular and widely followed event in the world, it makes for a clear target for adversaries to maximize the impact of their operations by creating associated campaigns.
This is nothing new. The PyeongChang 2018 Olympic Winter Games were disrupted by cyber attacks, and so were other Olympic events since Athens 2004.
In this post, we will examine historic attacks at Olympic Games, possible adversaries including their goals and modi operandi, and what Japan is doing to prepare against cyber attacks.
ANALYSIS
Let’s start with a look at who would be interested in disrupting the Olympic Games. The following lists groups of actors in terms of severity, from highest to lowest.
- Foreign intelligence services: These are the most dangerous actors due to their level of sophistication and budget. They are motivated by ideology and political gain. Their goal will likely focus mainly on data theft, but it could also include causing embarrassment – as well as damage – to the host country.
- Cyber terrorists: While most terrorist groups are still not very advanced in terms of cyber operations, a properly coordinated attack toward ICS systems could combine physical and cyber damage.
- Cyber criminals: This is likely going to be the most active group. Their goal is financial gain. They will use the Olympic Games to lure users into clicking on malicious links, typically promising free or discounted tickets. While targets and goals are not directly linked to the Olympic Games, the exposure given by the event will allow them to maximize the victim pool.
- Hacktivists: This group is ideologically motivated and will likely execute operations to embarrass the host nation. They will likely target Japan based on different ideological positions. Their level of sophistication tends to be low, so DDoS or website defacements are the most likely outcomes.
CYBER ATTACKS AND DISRUPTION AT PYEONGCHANG 2018 OLYMPIC WINTER GAMES
The previous Olympic Games can provide an insight into the possible threats faced by organizers of the event.
South Korea hosted the XXIII Olympic Winter Games, commonly known as PyeongChang 2018 Olympic Winter Games. While the South Korean authorities were on high alert about possible cyber attacks and related disruptions, they did not manage to prevent a major cyber attack taking place during the opening ceremony, which was cause for great international embarrassment.
Shortly before the opening ceremony, the official PyeongChang 2018 website stopped working. The site was providing access information and tickets for the event. However, South Korean authorities had to shut down the site and users were unable to print their tickets. The authorities managed to bring the website back online about 12 hours later. At approximately the same time, the WiFi network at the Pyeonchang Olympic stadium also stopped working, along with televisions and internet services located at the main press center. Other minor systems were also affected.
South Korean authorities investigated the incidents and confirmed the cyber attacks. But they did not provide much information as to what TTPs were used and refused to make any claims about the malicious actor (or actors) behind the attacks. Many people in the cyber security community considered this was likely the work of Russian state-sponsored hackers, acting in retaliation for the banning of the Russian Olympic committee the previous December following state-sponsored doping at the Sochi 2014 Winter Olympics.
While these attacks did not cause any major, long-lasting disruptions, the embarrassment caused to the host nation was visible. The opening ceremony is, in fact, the most-followed event of the Olympic Games. A well-coordinated cyber attack occurring during this time window has a good chance of maximizing the impact and related embarrassment.
SITUATIONAL AWARENESS AND PREPARATIONS FOR TOKYO 2020
Japan, and Tokyo in particular, prides itself on being the most advanced urban technology metropolis in the world. This makes Tokyo a target-rich environment, particularly during an event of such importance expected to bring an estimated 15 million visitors to the country.
Japan has been developing and strengthening its cyber security strategy for a long time. A report from the Japanese National Police Agency analyzed statistics about the ongoing trends ahead of the upcoming Games. The trend showed a major improvement in the Japanese security posture.
The report shows an increase in scanning activities toward IoT systems. IoT systems have become a reason for concern. Many devices are not properly secured and can be easily found and exploited by malicious actors. In early 2019, the Japanese government executed a country-wide scan to find vulnerable IoT devices. This effort, even though executed with the best intentions, raised quite a few eyebrows due to the intrusiveness of the exercise. This is because no permission was asked from the owners of the devices.
Another finding was an increase of spear phishing attacks. Spear phishing has become one of the most popular attack vectors for malicious actors. While infrastructure can be (mostly) secured, the human element is always vulnerable to social engineering attacks. The Olympic Games will provide adversaries with countless potential lures to get people to click on malicious links and open damaging attachments. They will likely offer free or discounted tickets and Olympic merchandise. Even if the attacks are not targeted, massive malvertising campaigns are likely to affect a significant number of victims.
Japan has also experienced an increase in general cyber crime cases. This is due to the profitability and ease by which many attacks can be carried out. The banking industry, which has been suffering many years of attacks targeted toward its users, has been implementing one-time password and two-factor authentication policies resulting in a decrease in online bank thefts.
Simultaneously, the emerging cryptocurrency ecosystem is repeating the same mistakes made previously by the banking world by not forcing its users to use 2FA or one-time passwords. As a result, the sector has suffered many credential theft attacks resulting in the theft of cryptocurrencies.
A new strategy currently popular combines both banking online and cryptoexchange theft. This consists of transferring stolen national currency funds to the deposit accounts of cryptocurrency exchanges. Currency is then converted into cryptocurrency and its final destination hidden via cryptocurrency shuffling. This helps to anonymize the final ‘cash out’ step.
In recent years, there has been an increase in cooperation between the public and the private sectors, an effort championed by the Japanese government. This effort has led to the creation of a Cybersecurity Strategic Headquarters, whose members are the Chair of the National Public Safety Commission, representatives from the National Police Agency and cyber crime ministers from the Ministry of Internal Affairs and Communications, Ministry of Foreign Affairs, Ministry of Economy Trade and Industry and Ministry of Defense. The body coordinating these efforts is the National Center of Incident Readiness and Strategy for Cybersecurity. The Government Security Operation Coordination Team takes care of relations between governmental bodies, ministries related to critical infrastructure and private entities and individuals.
Japanese authorities have also increased the monitoring of dark web sites where malicious actors purchase and sell malware, but also discuss possible targets and operations. Cooperation with international law enforcement agencies has also become an integral part of the Japanese cyber security effort along with training of staff. This has resulted in a higher number of malicious infrastructure closures and prosecutions by the authorities.
The National Police Agency also performed a terrorist attack simulation at the Makuhari Messe convention center. The Makuhari Messe convention center was opened in 1989 to host high-technology events and will be used during the Tokyo 2020 Games. The drill was based on a hybrid cyber and physical attack.
In this simulation, terrorists had planted explosive devices at Makuhari Messe and had shut down the power supply control systems via cyber attacks. This is a scenario that has not yet been seen in the wild but it is possible that threat actors could use cyber attacks as a force multiplier for conventional terrorist attacks.
THREAT ACTORS
While there are multiple threats potentially impacting the Tokyo 2020 Olympics, it is difficult to guess the specific actors that will likely impact the Games with cyber operations.
As far as hacktivism goes, it is possible that state-run groups out of China and North Korea could take the opportunity to execute cyber operations to embarrass the host nation under the guise of hacktivism. Given the history of Japanese colonial rule of Korea in the first half of the 20th century, it is also possible hacktivist groups out of South Korea will take this opportunity to remind the audience about war crimes committed by Japanese Imperial Forces on the Korean peninsula during World War II. Political disputes related to the Senkaku Islands could play a role as well. Hacktivists from other countries could also target the Games to bring attention to dolphin and whale hunting, a practice common in the Japanese maritime but heavily criticized in many countries around the world.
Cyber criminal groups are likely going to be the group causing more damage. Malvertising campaigns are likely to feature prominently. The nature of the malware will probably consist of credential-stealing Trojans with the credentials being weaponized for financial gain. Other cyber crimes will likely involve ATM skimming fraud, point-of-sale malware, man-in-the-middle attacks on public WiFi networks and malware targeting mobile devices. Japan does not have a very mature native cyber crime community, but criminal gangs from around the world will likely view the Olympics as a rich opportunity and launch multiple campaigns. At this point it isn’t possible to determine which cyber criminal groups will be most active, but the unique opportunity of the Games, bringing such a high exposure, will be capitalized on by many international criminal groups.
Nation states are also likely to conduct cyber operations. It is to be expected that the main goal of these will be espionage rather than destruction. These groups will capitalize on lures and phishing techniques that weaponize the event by sending malicious links and attachments in emails with an Olympic Games theme. For nation-state APT groups, it is possible to list a number of actors which, given their previous records, are likely to launch attacks.
The following is a list of actor groups by countries that have shown interest in espionage campaigns against Japan.
China:
- APT10 (Menupass)
- APT12 (Calc)
- APT17 (Tailgater)
- Termite Team
- Tonto Team
- DragonOk
- Tick
- Toucan
North Korea:
- APT37
Russia:
- APT28
LURES AND INDICATORS IN THE WILD
Some indicators of malicious infrastructure created in preparation for Tokyo Olympics-related cyber attacks can already be found in the wild. A search on https://hybrid-analysis.com gives positive results for suspicious domain names and documents with Tokyo 2020 as the main theme.
Many domains with the Tokyo 2020 name in them have already been registered, as can be seen on https://urlscan.io. While many of these sites are likely legitimate, the weaponization steps will occur right before the Games. The registration of a domain is normally a first step in the preparation work related to the malicious infrastructure that will be used for malicious cyber operations.
CONCLUSION
Japan has raised its security posture in the previous years, with notable success. Cyber security is being taken very seriously by the Japanese government, which has allocated considerable time and resources for a major collaboration between the public and private sectors, training of staff and implementing new security measures ahead of the 2020 Games.
Japan intends to make these Olympic Games the most technologically advanced event the world has ever seen. This will inevitably increase the cyber attack surface. Multiple security drills have been conducted and more are scheduled for the near future. And the Rugby World Cup starting in September 2019 will be a perfect testing ground to vet Japanese security preparedness.
Meanwhile, security analysts will continue to monitor threats against Tokyo 2020.
We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.