Ahead of Paris Olympics, Canadian intelligence agency warns attendees to be on guard for cyberattacks
As athletes and officials prepare for this summer's Paris Olympics, Canada's electronic intelligence agency is warning them to also get ready for likely cyberattacks.
The Communications Security Establishment (CSE) — in charge of gathering signals intelligence and protecting the federal government's cyber networks — issued a threat bulletin Friday morning aimed at tourists, government officials and athletes attending the events, as well as Canadian organizations involved in organizing, managing, sponsoring and broadcasting major sporting events.
"The high profile and costly nature of major international sporting events make them a prime target for cybercriminals looking to exploit targets of opportunity for profit. They also provide a global stage for hacktivists and state-sponsored actors to gather information and publicly embarrass a target," the report says.
Sami Khoury, head of CSE's Canadian Centre for Cyber Security, said the Olympics, this summer's Formula 1 Canadian Grand Prix in Montreal and the World Junior Championships in Ottawa this winter are all ripe for "cyber malfeasance."
The CSE bulletin said cybercriminals "will very likely target" for extortion large organizations — such as government organizations and corporations involved in sponsoring the events — and local businesses, especially those in the travel and hospitality sectors.
Attendees and spectators should also be aware they could be targeted through phishing emails and malicious websites, the agency said.
"Topical event-related lures may include promises of discounted merchandise, free event tickets or access to a livestream of the events," the report says.
State-sponsored actors after VIPs: report
CSE said state-sponsored cyber threat actors likely will try to spy on prominent and high-profile individuals, including representatives of government and anti-doping organziations.
"We know that these events, especially [the] opening ceremony, closing ceremony, tend to draw a lot of very important people to those events, heads of states, you know, senior government officials. And that's a very rich target for a nation state," said Khoury.
He said state actors will be looking to collect foreign intelligence or personal information on dignitaries and create a backdoor on their phones to obtain access to their office systems.
"If I go to Paris, a state sponsored [actor] then exploits my phone. I come back to work, I'm now connected to my IT infrastructure at work and and this is an easy way for a state sponsor to get into our IT without having to maybe exploit the it from the outside," he said.
The CSE report points to the 2016 Olympics in Rio, where Russia-backed threat actors targeted hotel chain wi-fi networks and routers used by Olympics officials for reconnaissance.
They were ultimately able to compromise the World Anti-Doping Agency (WADA) database and leaked the personal information of 127 athletes, including their test reports, therapeutic use exemptions and past infractions.
Hacktvists likely will also see this summer's Olympics as an opportunity to get their messages out through website defacements, distributed denial-of-service (DDoS) attacks and hack-and-leak operations, said CSE.
"Major international sporting events provide an opportunity for hacktivists to widely promote their messaging on domestic issues, environmental causes or international conflict situations," it said.
The threat report said the anti-government protests in France regarding changes to the minimum pension age are "likely a motivation for domestic hacktivism against the 2024 Paris Olympics."
France's support for Ukraine has also motivated pro-Russian hacktivist groups, said the report.
Khoury said events in Canada might attract different threats.
"French politics are different than Canadian politics," he said. "They're hosting an event so there might be cyber activity that is specific to to France, which might be different than maybe when we host the junior hockey in December."
The CSE report ends by encouraging all attendees, athletes, government officials and organizations associated with major international sporting events to take appropriate measures to protect their systems against cyber threats.