Threat Intelligence

    The Risk Radius of Tokyo Olympics

    Assessing the threat of cyberattacks during Tokyo Olympics applies to any global event. Expect what is likely and plan for it.

    by Renatta Siewert

    Key Points

    • As a global, mostly online event, the Tokyo Olympics are vulnerable to a range of cyber threats from both state-sponsored and criminal actors.
    • Because of the greater reliance on technology, particularly the growth of remote working during the pandemic, these same threats apply to any global event or organization.
    • The risk radius of any global event is calculated by assessing potential expected risks and planning appropriate mitigation, laying the groundwork for future threat protection.

    Because of the pandemic, the Tokyo 2020 Olympics aren’t like any other previous Olympics – nor any other event ever held. They are a year later. There are no spectator crowds. There is a pandemic. All of which contribute to the higher risk of cyberattack.

    The Tokyo Olympics are one of the biggest remote-viewed live events, leading experts to anticipate a high level of online threats. According to the NTT Global Threat Intelligence Report (GTIR), the top three attacks likely to occur before, during, and after the games are:

    1. Nation-state attacks (based on current geopolitical tensions and past attack histories)
    2. Criminal actors
    3. Ransomware, e.g., shutting down ticketing or logistic support operations
    4. Disruptive and disinformation campaigns, e.g., Distributed Denial of Service (DDoS) attacks

    However, it’s important to note that it’s not just the Olympics that is vulnerable; it’s any global event. The bigger the event and the more people involved, particularly people involved remotely, the higher the potential risk.

    Mimecast’s Director of Threat Intelligence Dr. Francis Gaffney addressed these concerns in a recent webinar, The Risk Radius of Tokyo 2020-July 2021. He was joined by colleagues Head of Risk and Resilience Carl Wearn and Email Efficacy Product Manager Dr. Kiri Addison. Their insights into how they assess the threat level to the Olympics provide the groundwork for considering the risk radius of any global event.

    Just as the five rings of the Olympic logo represent the five continents of the competing nations, there are five key considerations when assessing the risk of cyberattack.

    1. Potential expected risks.
    2. Assess potential risks.
    3. Mitigate probable threats.
    4. Plan for the future.
    5. Protect, protect, protect.

    Potential Expected Risks

    As Gaffney points out, you weigh a number of factors against some basic assumptions to determine potential risks. For example, the military and political setting of an event can indicate the type of bad actors likely to launch a cyberattack. In past Olympics, geopolitics has led nation states to attempt certain disruptions to discredit competitors. Another example: given the importance of broadcast rights and associated revenues to the games, cyber criminals look to target network vulnerabilities, for example through supply chain attacks, possibly to extract a ransom.

    What’s unique for this Olympics is the convergence of COVID and the lack of host-nation support equivalent to that of past Olympics, because there aren’t as many spectators. “There are going to be more opportunistic attacks, which we’ve already seen,” Gaffney says. “One example is apps used to regulate movement of athletes and contractors.” Hacking into those reduces the level of trust, so athletes might ignore the apps and therefore be late for events and possibly disqualified. Worse, the apps may expose personal and sponsor identification that can be used in credential harvesting for future exploitation or ransomware.

    “Athletes are at the top of their game for their sport,” Gaffney notes, “but aren’t at the top of their game for cybersecurity.”

    Assess Potential Risks

    To assess likely threats, look at certain drivers (i.e., social, technology, economic, political, military, legal, environmental, security) and then formulate assumptions.

    Gaffney makes the analogy that an assessment isn’t just based on past knowledge. “We know from experience we can expect the sun to rise tomorrow. What a threat assessment does is to use the tools we have to tell you at what angle to the horizon the sun rises and at what time tomorrow.

    “You look at a particular hazard, its plausibility and confidence of its use, what can actually be used to attack that hazard, and then all the possible prevention tools to stop or recover from the attack (business continuity),” Gaffney says.

    The assessment is presented to a decision maker who, based on the threat assessment as well as other factors such as budget and risk appetite, determines the best strategies to counter probable attacks.

    Mitigate Probable Events

    Preparing against possible threats involves developing defense in depth, with layers of protection and counter deceptions for software, hardware, third parties and people appropriate to the region where the event takes place. Examine the potential attack areas and decide where strengths and weaknesses lie, identify gaps and develop strategies to close those gaps. Ensure these strategies are adopted within the organization as well as throughout the supply chain.

    Threat actors employ increasingly complex deception methods, which increases the likelihood of human error and makes it a key consideration, since everyone is a possible victim. “Threat actors use opportunistic phishing during global events, and we’ve seen this particularly during COVID,” Dr. Addison notes.

    Which is why email is one of the most relevant places to build defenses, with rigorous email and URL inspection using a variety of software tools and AI analysis.

    “The threat becomes more complex because the data from a single phishing attack is heavily aggregated with other data breaches,” Wearn observes. “It increases potential for credential stuffing attacks by reusing captured passwords. In the last year alone, these schemes were used to attack two loyalty card programs.”

    This underlines the need to educate users about possible phishing attacks and to teach them not to open attachments or click on fraudulent links, or even hover over them (as this provides information about location). The probability of this type of attack is growing, particularly during the pandemic when more people are working remotely. Additional distractions at home, coupled with relatively new technologies for remote working, raise the probability of attack.

    Plan for the Future

    What makes these attacks doubly malicious is not just the threat of ransom, but that hijacked data is likely sold on the dark web for other actors to employ in future attacks. A data breach at the Tokyo Olympics may not be identified because it won’t be used to launch an attack until the Winter Olympics in China later this year.

    Mimecast develops a “cone of plausibility” that demonstrates the historic evidence, the most probable points of attack and outlines a most likely course of action for the future. “We’ve seen similar types of attacks in previous Olympics, so it is reasonable to expect similar actions in Tokyo,” Wearn says.

    Underlying all this is education. “Talking about even the most improbable attacks makes people more aware,” Gaffney says, adding, “Zero trust is the best practice; always be suspicious at the moment. If it’s too good to be true, it probably isn’t.”

    Protect, Protect, Protect

    The likely risks to protect against at Tokyo are:

    • Most threats will be online due to low volumes of live spectators. Athletes are not “cyber aware” and may be victims of opportunistic attacks.
    • Russian patriots (as Russia is not able to compete) may disrupt the Games with denial of service (DoS) attacks or other similar protest campaigns.
    • Email is particularly vulnerable to attack, due to the prevalence of remote working.
    • Ransomware is the most dangerous and most likely threat. DoS has returned with a vengeance in the last year. As mobile data becomes faster and more sophisticated with 5G, able to handle more data at higher communication speeds, expect more malware and attack traffic.
    • Repeat attacks, starting smaller and building to a bigger disruptive threat, are quite likely, especially for time-critical events such as the 100 meter track final.

    The Bottom Line

    A global event presents a host of potential cyber threats, which must be assessed and mitigated. The growth of remote working, particularly during COVID, creates further vulnerabilities to consider. A layered security approach best protects people and assets to ensure operation without disruption, for the Tokyo Olympics and for your organization.

    To find out more, watch the on-demand webinar.
