Travellers to World Cup present golden goal for cyber threat actors

High-profile individuals face threat of foul play

February’s Winter Olympics in South Korea saw the most recent example of apparent state-sponsored targeting of a major event, when a wiper malware dubbed Olympics Destroyer disrupted internet and TV broadcasts from the event’s opening ceremony. False flags embedded in the attack suggest its perpetrators sought to cause geopolitical fallout by implicating other states as responsible.

The Winter Olympics was also targeted in another attack involving four pieces of malware. This campaign was attributed to the North Korean-linked DarkHotel threat actor, and in December targeted at least 333 organisations associated with the Games. DarkHotel in 2015 also compromised hotels’ Wi-Fi networks, in a bid to place backdoors into the systems of government employees and senior executives at commercially strategic businesses, allowing the group to exfiltrate data from such targets.

APT28, a group with perceived links to Russia, has also used this technique, compromising European and Middle Eastern hotels’ Wi-Fi networks to laterally move across networks and target guests’ computers with information-stealing malware. There are limited reports of hotels being specifically targeted during such sporting events, but Russian Federal Security Service (FSB) experts are reportedly checking hotels’ IT networks, amid concerns that they may be the target of cyber attacks during the event.

Home advantage for Russian cybercriminals

We have also noted an increase in cybercriminal activity leading up to international sporting events, including phishing pages imitating ticket sale websites and phishing emails containing malicious attachments related to such events. Other campaigns have compromised event hosts’ websites, then used those sites to deliver malware to visitors. We expect such campaigns to be prominent before and during the World Cup.

In particular, Russian cybercriminals have shown high social engineering capabilities in committing financial fraud, such as using typosquatting to imitate official partners’ websites. Such crimes can be conducted by a range of actors from various countries, and we assess that both local and international cybercriminals will continue to use traditional vectors such as phishing and drive-by downloads to launch financially motivated attacks in the lead-up to and throughout the event.

Tackling the threat

Travellers to the World Cup in Russia are therefore potentially exposed to a broad threat landscape. State-sponsored actors will likely focus on espionage and information theft, particularly if the target is associated with a government or business of strategic interest. The cybercriminal threat is indiscriminate and is likely to affect anyone travelling to the event, regardless of such affiliation.

Financial loss is the primary risk here, though sensitive data such as usernames, passwords, transaction information and intellectual property are often also sought and sold on online marketplaces and will likely also be targeted.