Cyber’s coming home: defending the World Cup against cyberattacks


The World Cup is well under way. It's one of the biggest sporting events in the world. Bigger than the Super Bowl!  Bigger than the World Series! It has drawn more than 5 million in-person spectators to Russia and is already harvesting a worldwide TV and online audience in the billions. 

Producing and running such an event requires hundreds of companies and thousands of people. Like the Olympics, it happens in a new location every four years, which means the infrastructure must be built from scratch each time, and the complexity becomes more staggering with each fresh incarnation.

This year, the World Cup is possibly more primed than ever before for controversy. It was awarded by FIFA to the Russian Federation amidst a flurry of bad blood, exacerbated by claims during the subsequent FIFA investigation that the Russian computers involved in the bid were “destroyed.”

Since the decision to award the tournament to Russia, media activity surrounding the country could have been better. Widespread condemnation of Russian activity in the Crimea and in Ukraine, together with accusations of meddling in democratic processes across the globe, has left a less than positive outlook on the superpower. This opportunity to host the greatest show on earth is hotly anticipated as a way for Russia to remould its global brand. A chance for some positive publicity and a bit of redemption, perhaps. The flipside of such an opportunity presents a plethora of potential issues, not least in an area Russia knows all too well – cyberspace.

When you consider the scope and scale of technology infrastructure required to host and broadcast one of the largest sporting events in the world, there is plenty of opportunity for malicious cyber activity. Given the level of investment and number of physical attendees and remote viewers, the World Cup presents not only a ripe target but a grand stage for a wide range of cyberattacks. Anything is possible, ranging from ticketing scams to malware and ransomware outbreaks to distributed denial of service (DDoS) attacks. 

The good news is that constructing the digital infrastructure from scratch (to an extent) should provide the advantages of using new technology that attackers haven’t had the opportunity to research and compromise in advance. As most hacks are multi-phased, what has already begun to happen is the registration of look-alike domains. For example, while worldcup2018 is taken for almost all domain extensions (.com, .net, etc.), malicious groups are already registering domains such as russia2018 and russiaworldcup.com. These are likely intended for phishing emails to fans and even to staff, as part of a campaign that uses social engineering to deliver malware and establish backdoor access, gaining control of the digital infrastructure from the inside.

As we saw during the Champions League final, it's also possible for a targeted malware campaign to exploit known vulnerabilities in thousands of IoT devices, working to generate a botnet army at the ready, to strike with a DDoS attack. If there is good news here, it’s that there is a very slim chance that a breach would actually bring the games to a halt. 

Russia, however, will know all of this is a distinct possibility. World Cup organisers have most likely brought in skilled experts early on in the planning stages to create both physical and digital threat models to understand and pre-empt the most likely attack scenarios. It’s important to start engaging with security intelligence experts to identify cyber security threats early and start building defences such as blacklists of any potential attack vectors, as well as educating both ground staff and developers working on infrastructure about the security risks and how best to mitigate them.
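The look-alike registrations and blacklists described above lend themselves to a simple triage step. The following is an added example, not part of the original article: it flags candidate domains that embed a brand term or sit within a small edit distance of an official name. The allowlist, brand terms, function names and sample domains are assumptions made for illustration.

```python
import re

# Assumed inputs for this sketch: the allowlist and brand terms are
# illustrative, and the candidate domains passed to triage() are constructed.
OFFICIAL = {"worldcup2018.com"}
BRAND_TERMS = ("worldcup", "russia2018")
DIGIT_SWAPS = str.maketrans("01345", "oieas")  # common digit-for-letter swaps


def normalise(name):
    """Drop the TLD, undo digit-for-letter swaps, strip separators."""
    stem = name.lower().rstrip(".").rsplit(".", 1)[0]
    return re.sub(r"[^a-z0-9]", "", stem.translate(DIGIT_SWAPS))


def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return 'official', 'lookalike' or 'unrelated' for one domain."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL:
        return "official"
    squashed = normalise(domain)
    if any(normalise(term) in squashed for term in BRAND_TERMS):
        return "lookalike"  # brand term embedded in someone else's name
    if any(edit_distance(squashed, normalise(o)) <= 2 for o in OFFICIAL):
        return "lookalike"  # near-miss spelling of an official name
    return "unrelated"


def triage(domains):
    """Domains worth a human look before they show up in phishing mail."""
    return [d for d in domains if classify(d) == "lookalike"]
```

A flagged name is a candidate for review, not a verdict: legitimate fan sites will also match on a brand term, so the output feeds an analyst queue rather than a blacklist directly.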

As for attacks on the individuals involved, players’ social media accounts may be an easy target. It has happened in the past. Players are focused on the event itself, and the security of their social media is often not even on their radar during that period. Additionally, ensuring that passwords are managed properly and that best practices for securing personal information are followed is difficult at the best of times.

For fans both at the event and at home, there is a potential for disruption. Any aspect of the digital infrastructure is fair game. Self-printing ticket kiosks, connected QR code readers for eTickets, malicious mobile applications posing as official World Cup apps, and the live streaming of the event are all possible areas for threat. Cyberattacks could even impact fans viewing the games from the comfort of their homes, even from the opposite side of the world. Fans will inevitably search for streaming sources outside of the official broadcast partners, and that provides a big advantage to cyber criminals who want to spread malware or steal information.

Viewers should be wary of sites that ask you to install software to view a live stream. This is an outdated requirement for modern browsers and is likely an attempt to scrape details from your web browsing activities (including credentials for logins to social media), download malicious software, or even hijack your computing resources to mine cryptocurrencies while allowing you to watch the game illegally.

Advice to fans, organizers, and anyone else involved in putting on this gargantuan party is simple: treat your digital information and property like you would physical property. You lock your door and set the alarm before you leave the house, right? You probably don’t make it a habit to leave your wallet on display. You may even have a fire extinguisher and a smoke alarm if you’re particularly mindful. These activities are all normal to us. Applying the same level of proactive security to cyber threats is a long way from common knowledge, but protecting yourself starts with understanding the threats better and using basic things like password managers and email scanning software that alerts you to phishing emails, and with being very wary of any software you allow to run on your phone that asks for permissions you aren't familiar with. Finally, keep your devices and software up to date. Attackers prey on low-hanging fruit: known vulnerabilities in widely used software or software components. If big corporations like Equifax can fall victim to using outdated technology, so can individuals, and so can the world’s biggest sporting event.

Steve Giguere, Lead Sales Engineer at Synopsys 

Image Credit: Stux / Pixabay