The upcoming FIFA World Cup in Qatar (which starts on 20 November) is likely to be a key focus for hostile cyber actors, including nation states.
This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 23 August 2022.
Russian state-sponsored cyber groups in particular will probably conduct reconnaissance and espionage activities against firms involved in or sponsoring such events, as they have previously done around major sporting events. And they will probably also directly threaten the event itself through disruptive cyber operations, given Russia’s exclusion from the tournament.
Neither the Qatari authorities nor foreign cybersecurity agencies have publicly warned of specific cyber threats posed by nation states around the World Cup. But the UK and its ‘Five Eyes’ partners have blamed Russian state-sponsored cyber groups for targeting international sporting events in recent years:
- The UK accused Russian intelligence of conducting cyber reconnaissance against officials and organisations linked to the Olympic and Paralympic Games in Tokyo in 2020. The UK authorities said that targets included organisers, logistics services and sponsors.
- The US in 2020 charged several Russian military intelligence officers with developing malicious email attachments and sending spear phishing emails to people working for the 2018 Winter Olympics’ ‘official timekeeping partners and their subsidiaries’. The campaign began in November 2017, a month before the IOC suspended Russia from the competition.
- A US indictment against those individuals revealed that they had also targeted the South Korean government, Olympic athletes and additional official Olympic partners for reconnaissance. They created a malicious mobile app called ‘Seoul bus tracker’, which was purportedly intended to target attendees of the event.
- They also deployed so-called ‘Olympic Destroyer’ malware that compromised an IT firm and the PyeongChang Organising Committee, stole employee credentials and obtained access to deploy and execute the malware (the indictment suggests that planning for this attack occurred the day before the IOC suspended Russia in 2017). The attack disrupted the Olympics website, display monitors and WiFi.
- Ahead of a verdict on doping allegations against Russian athletes in 2019, a Russian state hacker group reportedly stole and leaked Olympic-related material.
Russian state-sponsored groups will probably conduct cyber espionage against firms sponsoring or involved in the World Cup, and potentially disruptive operations against events during the tournament. These groups have a proven intent and capability to do so around past international sporting events. FIFA’s suspension of Russia from the World Cup due to its invasion of Ukraine is almost certainly another motivating factor.
A UK government source who works in cyber security (and has experience in cyber mitigation for international events of this kind) downplayed the intent of nation states more broadly to target the upcoming tournament. They cited the absence of recent attempts against smaller sporting occasions, such as in tennis and golf. But the World Cup is symbolic. It will be one of the first major international sporting events since Russia invaded Ukraine. For this same reason, there also appears to be little reason for Russia to try to disguise any hostile activity, particularly given its exclusion from the tournament.
We doubt other nation-state cyber groups are particularly motivated to disrupt the event, or target sponsors. Qatar has cordial relations with most countries that have offensive cyber capabilities, including China and Iran. While North Korean state-sponsored groups already frequently steal and extort money from businesses globally, mainly through ransomware, their attempts to do so do not appear to have increased around previous international sporting events. And in our assessment, hacktivists, rather than nation states, are more likely to try to disrupt logistics during the World Cup. This is due to perceived injustices, such as Russia’s exclusion from the tournament and Qatar’s human rights record.
Threats to businesses
Any hostile cyber operations targeting the organisers of the upcoming event or firms sponsoring the tournament would most likely consist of spear phishing campaigns with event-related content in the next few months. These are likely to include phishing emails related to the sale of tickets, news around the World Cup, accommodation and travel. For example, the US indictment against the Russian intelligence officers in 2020 revealed pervasive spear phishing campaigns carrying malware, which used email subject lines such as ‘Accommodation conditions in hotel’ and ‘Further cooperation proposal’.
The Qatari authorities are preparing for the cyber threat during the World Cup. They said last week that they have conducted simulation hacking tests on networks and cyber threat assessments for ‘more than 100 vital facilities’ in the country. But our source has expressed concerns about the Qatari authorities’ ability to fully secure the event. This is given the complexity of logistics, the number of stakeholders involved in the tournament, and the risk of hackers exploiting relatively unsecured entities in the digital supply chain. Indeed, the South Korea ‘Olympic Destroyer’ malware attack was initiated by hackers compromising an IT firm providing services to the Olympic authorities.
Image: flag-raising ceremony in Doha on 16 June 2022; photo by Mustafa Abumunes/AFP/Getty Images