By Caitlin Huey, Senior Threat Intelligence Analyst
High-profile events like the 2018 Winter Olympics in Pyeongchang, South Korea, earlier this year are a hot-spot for potential cybersecurity threats. Cyber criminals often use these large gatherings of people and technology as a means to steal personally identifiable information (PII) or harvest users’ credentials for financial gain, deface or disrupt a local government or event sponsors’ web presence, threaten physical harm, and more.
In recent times, geopolitical factors have started to play a bigger role as well, which can increase tensions between some of the countries participating in this event.
In only a couple of days the FIFA World Cup will kick off in Russia, and many observers expect to see cyber-attacks targeting this event. So far, hacktivism around #2018FIFAWorldCup is significantly lower and less threatening this year than it was for the 2014 World Cup in Brazil. However, in April 2018, ISIS-affiliated members and supporters issued physical threats against Russia and the West.
A Look Back at Recent Years
Attempts to disrupt large world events like the World Cup have been made in the past in an effort to make a political or ideological statement about the organizations or countries involved. The analyst community observed a diverse set of threats in the run-up to past events, from the 2014 World Cup in Brazil to the 2016 Summer Olympics in Rio de Janeiro, also in Brazil.
Some of these threats included:
- Mobile malware and WiFi hotspots
At the start of the 2014 FIFA World Cup in Brazil, hackers attacked dozens of websites to protest the corruption around having the event held in Brazil. Online and offline protests took place to object to the money that was being diverted to the tournament. Hacktivists defaced and conducted denial of service (DoS) attacks against websites of the Military Police of Sao Paulo, Brazil’s Department of Justice, Hyundai, and the Emirates Group, among others. Targets of these web defacement or DoS attacks tended to be government departments or large organizations sponsoring the event.
At the summer Rio Olympics in 2016, Brazil and the Olympic Games attracted the attention of terrorists and hacktivists. The campaign, #OpOlympicHacking, targeted government organizations as a form of protest against Brazil hosting the event.
In the year leading up to the 2018 World Cup, researchers at Group-IB identified a number of domains matching a combination of keywords such as “FIFA”, “Russia” and “WorldCup2018”, with at least 1,500 domains designed to specifically target the 2018 FIFA World Cup in Russia. Researchers at Group-IB also identified domains blatantly using the event name, host cities, and other details around the event. Details like these have historically been successful lures for large events because of the media and global coverage an event like this attracts.
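The keyword-driven domain hunting described above can be reproduced defensively against a feed of newly seen domains. The following is an added example written for this post, not Group-IB's or EclecticIQ's tooling; the host-city keywords and the sample domain feed are assumptions constructed for the illustration, and fifa-ews.com is allowlisted because the post identifies it as a legitimate FIFA domain.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event keywords: fifa, russia and worldcup come from the Group-IB search
# described in the post; moscow and sochi are assumed host-city lures.
EVENT_KEYWORDS = {"fifa", "russia", "worldcup", "moscow", "sochi"}

# Known-legitimate registrable domains that must never be flagged.
ALLOWLIST = {"fifa.com", "fifa-ews.com"}

# Words that commonly signal a credential-theft or ticket-scam lure.
LURE_WORDS = re.compile(r"login|account|ticket|verify")


@dataclass
class Hit:
    domain: str
    matched: Tuple[str, ...]
    score: int


def registrable_part(domain: str) -> str:
    """Keep only 'name.tld' (naive: assumes a single-label TLD)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def keyword_hits(domain: str) -> Tuple[str, ...]:
    """Event keywords found in the registrable label, ignoring separators
    so that 'world-cup-2018' is treated like 'worldcup2018'."""
    name = registrable_part(domain).split(".")[0]
    squashed = re.sub(r"[^a-z0-9]", "", name)
    return tuple(sorted(k for k in EVENT_KEYWORDS if k in squashed))


def score_domain(domain: str) -> Optional[Hit]:
    """One point per matched event keyword, plus one if a lure word appears
    anywhere in the domain. Returns None for allowlisted or unrelated domains."""
    if registrable_part(domain) in ALLOWLIST:
        return None
    matched = keyword_hits(domain)
    if not matched:
        return None
    score = len(matched) + (1 if LURE_WORDS.search(domain.lower()) else 0)
    return Hit(domain, matched, score)


def triage(domains: List[str]) -> List[Hit]:
    """Flagged domains, highest score first (ties broken alphabetically)."""
    hits = [h for h in (score_domain(d) for d in domains) if h is not None]
    return sorted(hits, key=lambda h: (-h.score, h.domain))


# Constructed sample feed for the example; none of these are real registrations.
SAMPLE_DOMAINS = [
    "fifa-ews.com", "fifa-worldcup2018-tickets.example", "russia-world-cup-login.example",
    "moscow-hotels.example", "news.example", "secure.fifa.com", "login.fifa-tickets.example",
]
```

Running `triage(SAMPLE_DOMAINS)` ranks the two domains that combine an event keyword with a ticket or login lure at the top, while the legitimate FIFA domains are skipped entirely.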
In terms of online fraud, Group-IB researchers also identified approximately 200 active groups on Russia’s popular social media site, VK.com, which abuse the 2018 FIFA World Cup brand or attempt to sell counterfeit World Cup merchandise.
As mentioned above in the section on historical threats, analysts found that threats posed by hacktivism this year do not appear to have gained much traction on social media. Key Twitter hashtags from the World Cup 2014 hacktivism campaigns, like #OpHackingCup and #OpWorldCup, have not garnered the followers or the negative chatter that they did back in 2014. Analysts suspect that the decrease in chatter around this year’s event corroborates the belief that hacktivism campaigns around world events like this are motivated by three main factors:
- the country hosting the event
- geopolitical affairs surrounding the host country
- how successful prior campaigns were in dispersing messages and materializing online/offline support
Brazil at the time of the 2014 World Cup and 2016 Summer Olympics was vastly different from Russia today. Another potential reason for the decrease in hacktivism-related campaigns this year is the increased effort by Russia to monitor communications within Russia, especially those taking place on Telegram and other social media sites.
EclecticIQ Additional Analysis
Our analysts identified potentially malicious activity based on keyword searches for FIFA and other World Cup organizations. From those keyword searches, analysts observed a low-to-medium presence of potential phishing and credential-theft malware using file names with FIFA-specific lures.
Analysts identified the domain http://fifa-ews.com/. The domain, fifa-ews[.]com, is a legitimate domain set up in 2005 as an Early Warning System (EWS) founded by FIFA. Searching VirusTotal for fifa-ews[.]com, analysts noticed that until May 8, 2018, VirusTotal had not scanned any files that communicated with that domain since June 2017. Analysts suspect two possibilities: that this is a rejuvenated sample and may indicate a new campaign; or that it has impacted victim organizations or researchers who have uploaded the malware for identification.
On May 8, however, a malware sample did communicate with the fifa-ews[.]com domain: 1c211064b40aa51849e78008547526286d99357b805a841e3e5027aa7d6aee02.
This file hash has several AV detections identifying it as Cutwail. Cutwail is a spam botnet that has been around for at least 10 years. Cutwail samples using file names with FIFA phishing lures are an interesting, low-level TTP for adversaries to conduct credential theft. This also corroborates the Group-IB findings above, which reported an increase in FIFA-related lures attempting to steal user credentials.
As stated above, the 2014 FIFA World Cup is an example of a hacktivist threat against the Olympic Games that successfully materialized. The 2016 Rio Olympics is another example of adversaries attempting to develop malware and tools to disrupt an event based on ideological or political beliefs. This year’s games will likely see some low-level activity similar to what was seen in 2014 and 2016. What this year’s games bring is a blend of rather tenuous geopolitical tensions.
You can read the full analysis, with an elaborate look at the geopolitical tension along with STIX entities for free at https://www.eclecticiq.com/resources/eclecticiq-analysis-fifa-world-cup-2018-threat-landscape?type=intel-report
We hope you enjoyed this post. Follow our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.