The Cyber Threat Alliance (CTA) released our first threat assessment focusing on the 2020 Summer Olympics in Tokyo way back in February 2020. Around the release date, we were seeing stories of a novel coronavirus beginning to spread. Some of us were starting to get concerned about it here in the US, but it hadn’t started to change our lives yet. After all, many of us still traveled to the RSA Conference in San Francisco the week after we released the report (we should all be grateful that wasn’t a superspreader event …). We certainly didn’t think some virus in February would affect the Olympics in July.
Things were a lot different in February. We had a different view of the world. We didn’t have a collection of masks at home. We weren’t struggling to find toilet paper and cleaning supplies at the store. We hadn’t created school-from-home spaces for our kids next to our work-from-home spaces. Our favorite local breweries and restaurants hadn’t shut down and switched to takeout or delivery only. We had no idea what changes were in store for us when the World Health Organization declared COVID-19 a pandemic on March 11, 2020.
About two weeks later, the International Olympic Committee and the Government of Japan announced a delay of the 2020 Summer Olympics due to the pandemic. The Tokyo Summer Olympics are now scheduled to be held from July 23 to August 8, 2021. All these changes that our world is going through means we must consider a different cybersecurity risk landscape than the one we considered in early 2020.
CTA leveraged our Olympics Cybersecurity Working Group to review the threat assessment and update it for our new pandemic world, highlighting several new cybersecurity trends and changes in the behavior of malicious cyber actors that the Olympic Committee, the Tokyo Organizing Committee, governments, sponsors, and critical infrastructure owners should consider when preparing for the rescheduled Games.
Our full update is provided in English here and Japanese here. Highlights from our update include:
- There is no doubt that the threat and pervasiveness of ransomware actors has increased dramatically over the last year. CTA assesses that ransomware actors may see the Olympics and Olympics-related entities, such as vendors or other organizations in the supply chain, as high-value targets during the Games. These entities will have little tolerance for downtime during the Games, which will make them key targets for ransomware actors seeking a quick pay day.
- CTA continues to assess that various nation state actors will conduct offensive campaigns targeting the Olympics or Olympic-related organizations to meet their strategic ends. These offensive operations could take the form of data theft and leaks, disinformation, or disruption of systems involved in the Games.
- We have updated the Threat Assessment with information released from government agencies over the past year that attributes past incidents involving the 2018 Winter Olympics to Russian actors and updated our assessments of nation state cyber activity from Russia, China, and North Korea.
- In particular, we highlight the recent Russian supply chain campaign that installed a backdoor in the SolarWinds Orion product and provided Russian intelligence actors access to thousands of government and private organizations around the world. It is highly likely that an attack on the Olympics could take a similar path through the supply chain, considering the high number of vendors involved with supporting various aspects of the Games.
- We also highlight changes in Chinese APT behavior over the last year, including the Palmerworm/Black Tech activity, which reportedly targeted a Japanese engineering company, and the HAFNIUM activity exploiting vulnerabilities in a vast number of on-premises Microsoft Exchange Servers at organizations worldwide.
- We reviewed changes in the ways the Games will be held and how that might affect our previous assessments. With potentially fewer spectators in-person (and no international spectators), we highlight that there could be a slight increase in the demand on infrastructure to livestream coverage of events or scams targeting spectators that purchased tickets but can no longer attend.
- The use of new digital infrastructure and smartphone apps to track or report COVID testing or vaccinations could be targeted and compromised, impacting the ability of government officials to accurately assess the public health status in Tokyo and the surrounding areas, put additional stress on public health infrastructure, and impact the safety of athletes and spectators.
- CTA members also assess that threat actors may believe that Japan has a weakened cybersecurity posture due to a variety of ongoing domestic issues that could distract from security preparations, such as the state of the pandemic, anonymous media reports that Japanese government officials were considering canceling the Games, the resignation of former Prime Minister Shinzo Abe, and low Japanese support for the Olympics. Threat actors may see these issues as an opportunity to conduct operations against a distracted Olympics host.
We’ve all learned over the last year the importance of staying flexible, vigilant, and, most of all, resilient. There are still decisions that need to be made that will impact our cybersecurity threat assessment. As of the beginning of May, Japan is seeing a rise in positive COVID cases and has declared a third state of emergency due to the COVID-19 pandemic in Tokyo and surrounding areas. Olympics organizers may not decide on whether to allow Japanese spectators until a few weeks before the Games begin. Yet another significant zero-day vulnerability in a widely used networking product, this time in Pulse Secure VPN appliances has been discovered and actively exploited by an APT group that is suspected to operate on behalf of the Chinese government. Who knows what else will come in the next three months?
For our part, CTA members will continue to closely monitor threats and risks to the Games, work as responsible partners with Olympic organizers, and be prepared to respond to any and all cybersecurity incidents that may occur.