Due to their high profile, international sporting events and organisations have become a focus for cybercriminals and state-linked threat actors. As detailed in the UK National Cyber Security Centre (NCSC) report The cyber threat to sports organisations, cybercriminals’ targeting primarily takes the form of business email compromise, cyber-enabled fraud and ransomware, while states typically target such organisations for espionage and sabotage.
Online gambling and esports have also been affected by such cyber operations. This year, the sports betting and online gaming platform BetMGM reported that threat actors had obtained customers’ personal information in a data breach. In 2020, online sports betting company BetUS was targeted by a sophisticated ransomware extortion attack. The group behind the incident, dubbed Maze Team, released some of BetUS’s sensitive corporate data on its website and attempted to extort the organisation in exchange for not publishing its data. BetUS refused to pay the $6m ransom and the group published more than 120 gigabytes of the company’s data on its dark web leak site.
Disruptive distributed denial of service (DDoS) and financially motivated campaigns are also a growing threat to the lucrative esports industry and will increasingly attract cybercriminals involved in illegal gambling. Many cybercriminal underground forums have sections dedicated to compromising esports accounts. Such attacks can lead to identity theft and financial loss, as well as reputational damage to advertisers and sponsors (see Figure 1).
The analysis below expands on the threats to events, individuals and organisations in the sports sector.
Disruptive attacks, fraud and extortion
The high-profile nature and political importance of international sporting events such as the Olympic Games or the FIFA World Cup have informed state actors’ targeting intentions. A cyber-attack against the 2018 Winter Olympics in South Korea demonstrated the disruptive potential of state-linked campaigns aimed at sabotage or espionage. Cyber units associated with state intelligence agencies have demonstrated high intent to target international and national organisations involved in organising, reporting on and monitoring the Games.
State espionage campaigns have also targeted sporting and compliance bodies associated with such events. For example, following doping allegations and the subsequent ban on Russian athletes from the 2016 Olympic Games, the Russia-linked group APT28 targeted the World Anti-Doping Agency (WADA) for intelligence collection and likely sabotage. Such threats will likely increase as Russia’s relations with sporting authorities continue to deteriorate – for example, over its anti-doping compliance or the formal ban on Russian athletes competing under their national flag as a result of the Ukraine war.
Financially motivated cybercriminals pose the highest threat to sporting organisations through business email compromise (BEC), cyber-enabled fraud and ransomware attacks. While threat actors will, in the long term, explore emerging technologies such as 5G as they become increasingly implemented in stadium environments, such attacks have not typically required sophisticated capabilities. Instead, they have typically leveraged email phishing and unsophisticated attack vectors to take advantage of weak passwords and a lack of multi-factor authentication (MFA).
Previous incidents
The most common impact of criminal attacks against the sporting sector has been BEC leading to financial fraud. This includes, for example, criminals stealing Office 365 (O365) credentials belonging to the managing director of an English Premier League football club that was involved in a player transfer. The attackers successfully socially engineered the victim into sending GBP £1 million to a fraudulent bank account, though the bank recognised the suspicious activity and refused the transaction. In a separate incident, a UK sporting body was the victim of an O365 account compromise that led to the theft of nearly 10,000 emails.
Cyber-enabled fraud (traditional fraud facilitated by technology) and ransomware also pose a significant threat to the wider sports sector:
- A UK racecourse was the victim of such fraud after a criminal advertised groundskeeping equipment amounting to GBP £15,000 on eBay. A racecourse employee contacted the seller and received a spoofed payment link to make a fraudulent bank transfer. The payment was not recovered.
- An English Football League club suffered a ransomware attack that encrypted its IT systems and made its email service unavailable. The stadium’s CCTV cameras and turnstiles were also affected, which nearly led to a fixture being cancelled.
Beyond the UK, US basketball team the Milwaukee Bucks was the victim of a BEC attack in 2017 that led to the theft of players’ names, addresses, Social Security numbers, dates of birth and salary details. In 2011, the scouting director for a Major League Baseball team gained unauthorised access to a competitor’s records. Italian football club Lazio was also the victim of a phishing attack in 2018 that tricked the club into transferring EUR 2 million to a fraudulent bank account.
According to the aforementioned NCSC report, the security of operational technology (OT) systems at sporting venues – commonly CCTV cameras, payment systems, turnstiles and industrial control systems – is less mature than in other sectors. Nearly a third of organisations surveyed do not have a patching strategy in place for such OT systems, and 56% of cameras, payment systems and turnstiles are remotely accessible by third parties; this provides threat actors with a larger attack surface to cause significant disruption.
Criminals will likely remain attracted to the large amounts of sensitive personal data held, and the significant financial transactions carried out, by sporting organisations. They will also likely increasingly carry out cyber-enabled ticket scams during major events and target high-profile individuals representing sporting organisations for blackmail or extortion. Criminals have identified the industry as holding valuable information assets that can be easily monetised, including customers’ personal and financial information. This data can be sold on the deep web and dark web to conduct fraud or identity theft, or to prepare more sophisticated phishing attacks against compromised individuals.
Other threats we have observed include:
- Identity theft and financial fraud targeting professional athletes
- Supply chain attacks against software providers exposing a sports betting company’s sensitive business data
- Competition-related threats related to the manipulation of in-game technology, shared data, proprietary databases and biometric tracking devices
- Cybercriminals monetising illegal streaming of sporting events
- Distributed denial of service (DDoS) against sports betting websites and esports events
Case study
The situation: An international sporting organisation engaged Control Risks to provide a cyber and information security threat assessment for its business travellers going to a high-threat destination in preparation for a high-profile sporting event.
Our approach: We used our threat intelligence analysis, and our expertise in investigating deep and dark web, open-source, social media and technical sources, to identify the key threat actor groups posing the most significant threats to the client. These comprised state, cybercriminal and cyber activist groups, as well as potential malicious insiders. We assessed each group’s intent and capabilities to target the client and tailored the assessment to include all groups of travellers identified by the organisation.
The outcome: After the initial travel threat assessment, the client launched a review of their travel security policies related to the event, taking into account the mitigation recommendations we provided. The client also considered undertaking a broader cyber threat assessment to understand what security controls should be implemented in relation to the sports event itself.
Sporting organisations face a wide range of cyber threats due to their high public profiles, the perception that these organisations are often very wealthy and the significance of major sporting events to many states’ international relations. As such, sporting organisations should seek to understand their cyber threat profile and identify the key cyber threat groups that may be motivated to target their organisation and people, to build a proportionate and prioritised response to their threat environment.