The non-sporting challenge of the Paris Olympic and Paralympic Games:
The cybersecurity race
Introduction
France is preparing to host the world in a few months for one of the most globally watched sporting events. Organized across more than 35 venues in over 20 cities in mainland France and its overseas territories, the Paris 2024 Olympic Games will highlight France’s historical and cultural heritage, especially Paris. The opening ceremony, set on the Seine, promises to be unprecedented and will mark the beginning of the Games.
This popular sporting event will feature 45 Olympic sports. However, somewhere between boxing, the marathon, and chess, the training for a 464th discipline has been underway for several years. It won’t be televised, but it slips into the competition at every edition: the IT protection of the entire organization.
Context of cyberattacks at the Olympic Games
Before delving into the ecosystem of Paris 2024 and its risks, it’s important to look back at the cyber threats faced by recent editions of the Games to better understand those of 2024.
Timeline
- Beijing 2008 – existing threats
- Vancouver 2010 – existing threats
- London 2012 – significant threats
- Sochi 2014 – significant threats
- Rio 2016 – significant threats
- PyeongChang 2018 – crisis situation
- Tokyo 2020 – significant threats
- Beijing 2022 – existing threats
The history of cyber threats and incidents at various Olympic Games editions really began to manifest in 2012 in London. Authorities had been warned of a potential attack on the power supply just before the opening ceremony. Although subsequent investigations concluded that the threat was unfounded, immediate measures were taken to manually verify the backup system and strengthen security.
Four years later, during the Rio Games, distributed denial-of-service (DDoS, T1498) attacks targeted the organization several months before the opening ceremony, then intensified. During the Paralympics, the World Anti-Doping Agency was the victim of a data breach concerning the medical authorizations of Olympic athletes. The attack, attributed to the Russian intelligence group “Fancy Bear”, involved the phishing (T1566) of administrative and management system credentials before and during the Games.
However, the 2018 Winter Games in PyeongChang marked a turning point in the preparation for and fight against cyber threats. Just hours before the opening ceremony, the OlympicDestroyer malware attack nearly compromised the event. Immediate consequences included black screens in the stadium, malfunctioning security gates, media losing internet access to cover events, and the official Olympic app becoming inoperative. It was the worst scenario ever observed during an opening ceremony and was described by Franz Regul, Chief Information Security Officer (CISO) for the Paris 2024 organizing committee, as the “black scenario to avoid and for which the IOC has given the means to prevent.”
In 2021 in Tokyo, the situation was not as critical as in PyeongChang, likely due to a less tense political climate and a respite linked to the Covid-19 crisis. Japan, isolated by the lockdown, couldn’t host international spectators, leaving its sports venues empty and making attacks less visible and thus less impactful. Nevertheless, this edition was still targeted by multiple cyber attacks, including phishing, DDoS, ransomware (T1486), and data breaches involving the official ticketing system and volunteer access portal. A wiper disguised as a PDF document (T1036) was also discovered. It targeted infected systems to delete .txt, .log, and .csv files, as well as files created by the Japanese word processing software Ichitaro, suggesting a particularly targeted attack.
Driven by the global audience of sporting events that offer numerous opportunities, attackers do not limit themselves to the Olympics. Sporting events that attract the attention of millions, if not billions, of viewers are prime targets. The 2022 World Cup, for example, was subject to numerous impersonation attempts through fake streaming sites and fake ticketing. In 2014, the World Cup in Brazil also faced numerous cyber attacks. At the time, General José Carlos dos Santos, head of the Brazilian army’s cyber command, noted that “it would be unwise for a country to say it is 100% ready to face a threat.” Today, France and the 2024 Olympic and Paralympic Games Organizing Committee (COJOP) aim to surpass this caution by meticulously preparing to approach cybersecurity excellence worthy of a gold medal.
Zero defects are achievable: The Tour de France, the third most-watched sporting event in the world, manages to secure its infrastructure year after year. This event, broadcast daily during the 23 days of the race, represents a golden opportunity for attackers to reach new victims through scams or disrupt the broadcast to send a message. The Tour successfully defends its title each edition, despite the unique challenges it faces given the organization, logistics, and scale of the event.
For Paris 2024, the opening ceremony is a major priority. The cybersecurity risks are well known and tend to repeat at each edition. Among the various attack techniques, wipers stand out as the current trend, having been used during the invasion of Ukraine by Russia, as well as during the PyeongChang 2018 and Tokyo 2020 Games.
Thanks to past incidents, cyber risks and threats are now better anticipated and managed.
Prevention and defense measures
The Complexity of the Ecosystem
Organizing an edition of the Olympic Games presents unique challenges, and it is important to understand the full complexity of the task.
Paris 2024 as an organization has existed for less than five years and has evolved rapidly, whether in infrastructure development, process improvement, or staff strengthening. Experience is crucial in cybersecurity, and rapid evolution can lead to a lack of perspective on understanding and managing its information system.
The organization of the Paris Olympic Games encompasses not just 12,000 workstations but also thousands of network devices distributed across a hundred sites throughout France. One can consider that the information system of the Paris 2024 Olympic Games is somewhere between that of a company and an industrial system. It also includes all the equipment related to competitions and existing or new sports venues. Integrating them into the ecosystem while ensuring their security is crucial, particularly the means of broadcasting events, the 7,000 Wi-Fi access points for accredited journalists, all the stadium screens, timing systems, and access and surveillance systems.
Beyond the infrastructure of the organizing committee, its partners, and subcontractors, the responsibility for the security of the Games also lies with the whole of France. The multitude of companies involved in preparing the Games, to whom Paris 2024 delegates certain operations, present potential security vulnerabilities. If a cyber attack were to compromise the services of the SNCF or the RATP, the image of the Games would be tarnished even though the committee has no direct link with public transport operators. These operators and also those of vital importance (OIV) must be protected, both for the previously mentioned reason and for their own security to ensure the availability of the country’s resources. Previous editions show that actors targeting France will also target the Games and vice versa. Franz Regul advises everyone: “if you have important cybersecurity projects for 2024, it’s better to do them in Q1 or Q2 than to wait until autumn or winter.”
The saying is not just a play on words; cybersecurity is a team sport and involves mobilizing an ecosystem of partners.
Preparation
Among Paris 2024’s technical partners, such as Atos, Intel, and Orange, Cisco stands out as the official partner for network equipment security, drawing on its experience from the last three Summer Games editions and the National Football League (NFL).
Cisco’s approach to risk management focuses on several aspects:
- Awareness: Informing and educating employees, partners, and supply chain actors about security expectations, their roles, and obligations.
- Defense: Developing a defense architecture to protect digital assets, including cloud infrastructures, hybrid clouds, and globally distributed employees forming the Paris 2024 information system.
- Responsiveness: Being ready to react quickly in case of an incident, understanding exposure, attackers’ actions, and the risks involved.
- Collaboration: Cultivating a network of trusted partners to seek help if needed and work together to strengthen security.
Aware of the image issues and risks to the national ecosystem, the ANSSI (National Cybersecurity Agency of France) plays a strategic role. As the national authority on cybersecurity, it mobilizes its expertise to evaluate and classify organizations based on the impact their failures could have on the smooth running of the Games and the event’s image. According to the established categories, ANSSI offers audit actions and technical support, called “exercise kits.”
The agency also offers exercises for any organization wishing to prepare for the Games, regardless of its maturity level. To strengthen security, SNCF Connect publicly opened a Bug Bounty program on the YesWeHack platform in early April.
One must understand ANSSI’s dual challenge: beyond the success of these Olympics, the entire country and its OIVs could be targeted by attacks, whether direct or indirect, deliberate or accidental.
Response
Zero risk does not exist. “2024 will not be ‘Business as usual,’” said Franz Regul at a conference organized by Cisco. He added that the enthusiasm generated by sports is “the kind of emotions we hope to bring to fans worldwide.” Whether a semantic error or genuine hope, doubt seems to hang over the cybersecurity ecosystem’s tightness around the Games. In fact, the doubt is well-founded. During the same conference, Cisco’s CISO, Anthony Grieco, stated: “There is no cyberproofing, this is all about cyber resilience.” This means perfect protection does not exist, and Paris 2024 understands this well.
The organization will set up a Cyber Security Operation Center (CSOC, not to be confused with the Games’ Sport Operational Center) with the objective of preventing risks, detecting them, and responding as quickly as possible, anticipating the shortest and most effective decision-making circuits. If the front lines are compromised, the goal is to minimize and mitigate the impacts as quickly and effectively as possible. In its effort to create a coherent and strengthened cyber ecosystem, the COJOP has partnered with a qualified entity to equip its CSOC with Threat Intelligence.
The primary objective of Threat Intelligence is to gather information and insights on past attacks (or attempts). By sharing this knowledge (i.e., intelligence), a past attack should not reoccur with the same tools and infrastructures. This includes identifying malicious actors, their motivations, methods, tools, and the vulnerabilities they exploit. Specifically for Paris 2024, this translates into two different methodologies. First, evaluating and detecting specific indicators of compromise such as IP addresses or malicious domains to block communications as quickly as possible, and second, monitoring and identifying potential threats through the surveillance of communication channels used by malicious actors, like forums on the Dark Web. This Games CSOC will act as a control tower to ensure an enhanced view of threats, and the availability and continuity of service.
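The first methodology, sketched as an added example (this is not code from Paris 2024, its CSOC or its partners): a shared indicator feed is normalized and matched against egress logs. The feed entries, log format and host names are constructed for illustration and use only documentation address ranges and reserved domain names.

```python
import ipaddress

# Constructed threat-intelligence feed (documentation ranges, reserved TLDs).
FEED = [
    "203.0.113.0/24",                    # network indicator
    "198.51.100.7",                      # single-host indicator
    "tickets-paris[.]example",           # defanged domain, as shared in reports
    "hxxp://cdn.fake-stream.test/live",  # defanged URL: only the host is kept
]

# Constructed egress log, one event per line: "<timestamp> <source> <destination>"
LOG = """\
2024-07-26T18:01:02Z ws-0412 198.51.100.7
2024-07-26T18:01:05Z ws-0077 192.0.2.55
2024-07-26T18:02:11Z ws-0412 login.tickets-paris.example.
2024-07-26T18:02:40Z kiosk-03 nottickets-paris.example
2024-07-26T18:03:09Z ws-1290 CDN.Fake-Stream.TEST
2024-07-26T18:03:30Z ws-1290 203.0.113.200
"""

def refang(indicator):
    """Undo common defanging and reduce a URL to its host name."""
    s = indicator.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" in s:
        s = s.split("://", 1)[1].split("/", 1)[0]
    return s.lower().rstrip(".")

def load_feed(entries):
    """Split the feed into IP networks and a set of domain names."""
    networks, domains = [], set()
    for entry in entries:
        value = refang(entry)
        try:
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            domains.add(value)  # not an address or CIDR: treat as a domain
    return networks, domains

def match(dst, networks, domains):
    """Return the indicator that dst falls under, or None."""
    dst = dst.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        labels = dst.split(".")
        # Compare on label boundaries so that subdomains of an indicator
        # match but look-alike names sharing only a suffix do not.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                return candidate
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None

def scan(log_text, feed):
    """Return (timestamp, source, destination, indicator) for each hit."""
    networks, domains = load_feed(feed)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, src, dst = parts
        indicator = match(dst, networks, domains)
        if indicator:
            hits.append((ts, src, dst, indicator))
    return hits
```

Calling `scan(LOG, FEED)` flags four of the six sample events: the two IP matches, the subdomain of the listed domain, and the mixed-case host. `nottickets-paris.example` is not flagged because matching respects label boundaries.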
Counterintuitively, time becomes an ally in this context, almost like a sparring partner to use sports vocabulary. Normally, companies facing the threat of cyberattacks cannot predict when they will occur. Attackers take the necessary time to plan their intrusions and ensure they strike at the opportune moment. For the Olympic Games, the dynamic is different: time becomes an ally for the organization.
Not only can the Games anticipate the timing of attacks, but attackers are also constrained by time: before the event, it’s too early, and after, it’s too late.
The risks of cyberattacks for Paris 2024
We have seen from past editions that cyber events are varied and can come from different sources. While there were nearly 450 million attacks targeting the Tokyo Games in 2021, it is anticipated that there will be eight to ten times more for Paris. The concept of “attacks” should be taken with a grain of salt, as it includes not only state actors or ransomware operators behind significant attacks but also “cyber events” in a broader sense, encompassing phishing attempts and reconnaissance scans on servers.
Attacker Profiles
Several attacker profiles could jeopardize the smooth running of the Paris 2024 Olympic Games. This represents a consensus of all the profiles existing in the cyber ecosystem, a kind of Cyber Olympics, that could find interest during this exceptional period. These profiles correspond to those observed during previous editions of the event, each associated with distinct motivations, specific attack methods, and defined consequences.
- The Opportunistic Attacker
This category of attackers is particular as it can encompass varied profiles. It includes small groups or even individuals with limited skills. This could be someone in their garage doing reconnaissance on infrastructures or a spectator in the stands trying to attack a Wi-Fi access point meant for the media during an event. Their motivations are diverse, from the challenge of attacking a large organization to making a profit through phishing campaigns. Overall, although they are not ignored by Franz Regul and his teams, their impact is low.
- The Malicious Insider
Often overlooked, the malicious insider operating within the company can easily serve as an entry point. Approached by threat actors seeking data at a lower cost, this profile aims to exfiltrate sensitive data (TA0010) such as confidential documents or to communicate or sell access to COJOP’s information systems. This is known as an Initial Access Broker, a role discussed in the Threat Actors section of our second semi-annual report of 2023. Sometimes motivated by revenge against the employer—though unlikely in an Olympic organization—the primary motivation is financial. By the end of 2023, there were nearly 2000 employees, and this number will double during the fortnight, not counting the 45,000 volunteers, partners, and suppliers, making the workforce a threat that multiplies attack vectors. Franz Regul says, “Statistically, there are dishonest people.”
- The Hacktivist
Hacktivists are motivated by promoting their cause and sending a message, often to raise awareness or protest against perceived injustices, censorship, or government policies. Highly publicized sporting events are a boon for this profile. Outside the cyber realm, activists have already blocked stages of the Tour de France or attached themselves to the net during a Roland Garros match. In cyberspace, it’s not enough to divert cameras for a few minutes; entire programs or websites are interrupted or hijacked to display a message.
- Organized Cyber Crime
Organized crime in cyberspace represents a real and growing threat, with groups operating globally. These attackers use the most advanced techniques and tools to compromise their targets, and some groups are as developed as businesses in terms of organization and resources. Their primary objective is financial gain.
- State Actor
As discussed earlier with Russia’s retaliation during the PyeongChang Games, state actors can respond to geopolitical events but are also known for conducting industrial espionage and data theft. State actors can infiltrate a network and remain hidden for an indefinite period, listening for sensitive information or waiting for a specific opportunity. They possess the most powerful strike force, akin to organized groups.
Injury Risks
Three major categories of risks are identified:
- Sabotage of Operations
- Damage to Image and Revenue
- Physical Danger to People
The organization and smooth running of events and ceremonies are not only synonymous with the Games’ success but also the culmination of efforts by thousands of people working on this project for years. As the backbone of the Games, these operations will quickly become a sensitive point for attackers to press, for both ideological and financial reasons.
Firstly, ideologically, attackers have several tools to disrupt the Games’ organization: DDoS attacks mentioned earlier in previous editions, and the well-known “wipers” used by Russia during the invasion of Ukraine. Wipers function similarly to ransomware but with a notable difference: instead of encrypting data, this type of malware destroys it (T1561). The aim is clear: to cause maximum damage to the organization. Speaking of ransomware, while primarily used for financial reasons, it also undermines the Games’ proper functioning. Operators use ransomware to encrypt data, demanding a ransom for the decryption key. This method is particularly effective during the Games: before the opening ceremony or an athletics final, if COJOP cannot contain the infection, pressured by time, it would be more likely to pay the ransom to restore order. Just like that.
Gradually, completely disrupting an information system is not the only way to cause damage. The environment is comprehensive enough to imagine actions across different sectors: disrupting the broadcast of events on stadium screens and television, affecting the timing system’s operation (even minor alterations!), or blocking access gates to sports facilities—sky’s the limit.
While ransomware harms image and revenue, it is not the only discipline mastered by attackers. Phishing has been the most used technique for years, and 2024 will be no exception. In March, 9,000 gendarmes received an email offering tickets to the 2024 Games. Of those 9,000, 500 clicked. Although clicking the email link does not necessarily involve providing personal information, just a handful of victims can make the campaign profitable for attackers and encourage them to continue. Imagine this on a scale of billions of potential victims. In terms of image damage, all successful attacks contribute to this result: those mentioned earlier, along with other more visible attacks. Naturally, defacement (T1491) comes to mind, an action well-known to hacktivists who alter the main page of a website.
The context explained earlier is not unrelated to people’s reputations. Beyond the sporting event, other organizations in France could be targeted. More concerning is the possibility of multiple coordinated attacks targeting various infrastructures nationwide, raising a crucial question: to what extent can the competent authorities absorb such a load? Would Paris 2024 and France have sufficient resources to contain these threats?
Physical danger to individuals completes this risk podium. The history of terrorist attacks on national territory has left deep scars. More recently, this year, during the Champions League quarterfinals, ISIS issued death threats through a disturbing photo montage showing an armed fighter in front of several stadiums of the competition. This threat led Gérald Darmanin, the Interior Minister, to order a significant increase in security forces around the Parc des Princes in Paris. For the Games, security around and within the stadiums and event venues is paramount given the number of spectators expected. Regarding cyber risks, it is imperative to maintain the integrity of all security equipment, such as secure doors, surveillance systems, and intrusion detection devices. Unlike blocking access gates, a failure in these systems could allow free access to everyone… and anyone.
Some risks are already evident: several computer thefts have been reported targeting various profiles related to the Games, including a general secretary of a hospital in Bobigny and an engineer from the Paris City Hall. These thefts are not trivial: the stolen devices likely contain confidential documents related to the Games’ organization and security.
The Geopolitical Olympics of 2024
The Olympic Games are a magnificent showcase for all the participants, including the host country, the host city, official and commercial partners, and beyond: other nations might view them with envy or even resentment. The various international conflicts raging across the globe in recent years have pushed different nations to take sides.
The war at Europe’s doorstep, particularly, has seen the West align its political interests with Ukraine at the expense of a Russia willing to do anything to achieve victory. It is already known that Russian and Belarusian athletes will not be able to compete under their flags in Paris this summer and will have to compete under a neutral banner. Their numbers have also been reduced; there were 335 Russians at the Tokyo Games in 2021, and “there may be no more than 40,” according to IOC Vice President John Coates. Worse still, on March 19, the International Olympic Committee ruled that these athletes would not be invited to march during the opening ceremony.
On the other side of the Mediterranean Sea, the situation in the Middle East is no better. While Israel and Hamas clash in the desolate lands of Gaza, Iran mobilizes different resources. The country, itself torn by an unprecedented wave of social protests, sees different profiles of actors taking positions for two closely related causes. The first, supported by the authoritarian regime, directly attacks Israeli and, more broadly, Western IT infrastructures in response to the lack of support for the Palestinian people. The second, fueled by the repression suffered by the population and the violation of women’s rights, mobilizes to strike the government in place.
The stances taken as the event approaches are becoming increasingly complex. Regardless of the evolution of conflicts involving France and more broadly the international geopolitical situation, some parties will be dissatisfied. Unfortunately, these dissatisfied groups include some of the world’s best hackers who will not hesitate to use the Games’ prominence as a vector for their agendas.