DHS Report: Criminals and Hacktivists May Use 2012 Summer Olympics as Platform for Cyberattacks

National Cybersecurity and Communications Integration Center Strategic Outlook: 2012 Summer Olympic Games

7 pages
May 17, 2012

Executive Overview

(U) Major social events such as the World Cup, Super Bowl, and Olympics have typically drawn the interest of cyber criminals and hacktivists. Open source reporting indicated that China was subjected to approximately 12 million online attacks per day during the 2008 Summer Olympics in Beijing. Two months after the closing ceremony for the 2008 Games, cyber criminals began launching campaigns using 2012 London Summer Olympic themes. Reporting last year indicates some groups are also preparing attacks linked to the 2014 Winter Games in Sochi, Russia.

(U) Scams, malware campaigns and attacks will continue to grow in scale and complexity as the 27 July opening ceremony in London draws near. Event organizers, sponsors and British authorities continue to increase their physical and cybersecurity awareness as the event approaches. Information systems supporting the Games, transport infrastructure, law enforcement communications, financial operations and similar will become prime targets for criminals. A collective of approximately eighty-seven UK banks exercised their ability to withstand cyber attacks last November. Olympic organizers anticipated cyber threats and began testing their cybersecurity posture during ‘technical rehearsals’ by running scenarios from their Technology Operations Center (TOC) situated on Canary Wharf. The TOC will be manned with over one hundred personnel continuously monitoring critical applications, such as the Commentator Information System, organizers’ intranet, and a telecom infrastructure encompassing 900 servers, 1,000 network and security devices, and 9,500 computers. In addition, British law enforcement organizations have been collaborating with the U.S. Secret Service and other industry experts to understand attack vectors, detection methods and mitigation strategies to combat the threat. However, the cyber implications are more expansive than localized attacks against systems and encompass globally distributed Olympic-themed malware, spam campaigns and scams.

(U) There are eleven global sponsors of the 2012 Olympic Games: Coca-Cola, Acer, Atos, Dow, General Electric, McDonalds, Omega, Panasonic, Proctor & Gamble, Samsung, and VISA. These sponsors include a variety of companies, some of which are Critical Infrastructure Key Resources (CIKR) or Information Sharing Analysis Center (ISAC) members. The actions or creditability of the sponsors may become targets for cyber criminals or hacktivists. The purpose of this bulletin is to provide a strategic outlook for the 2012 Summer Olympic Games and similar events to assist partners in detecting and mitigating related attacks.

…

Technical Details

(U) Disruption of Operations: Protestors could choose to disrupt the Games using cyber or physical means. Typical methods of cyber disruption include a denial of service (DOS) or distributed denial of service (DDOS) attack, which may be the result of a physical or cyber action, and causes an interruption of business operations against a network, website or other resources. With an IT staff of over five thousand (approximately half are volunteers), there is potential for insider attacks during the Olympics which could cause a DOS, this bulletin will focus on a DOS or DDOS achievable through technological means only. DDOS attacks are typically launched using a botnet and the ability to bring down a target depends on three variables:

Type of DDOS: Certain styles of DDOS attacks are more effective than others, depending on the type of DDOS attacks. DDOS attacks typically manipulate the way systems communicate.

Size of the botnet: A large botnet spanning multiple network blocks and geographic locations is more difficult to mitigate than a small, group of attackers concentrating on a single target.

Resiliency of the target infrastructure: The ability of an organization to withstand a robust DDOS attack depends on the infrastructure and technology solutions in place (routers, firewalls, ISPs, etc).

(U) Attackers motivated by ideals are considered hacktivist and a wide spectrum of events may at as a flashpoint for their attacks. Criminals or hacktivists utilizing DDOS attacks or web defacements may be motivated by ideological or financial objectives. For example, in February, a group of Iranian hackers dubbed the “Cocain (sic) Warriors” took credit for defacing the official website of the National Olympic Committee of Azerbaijan and the website of Azerbaijan Airlines. The actors left an anti-Israeli political message about Azerbaijan and Israel’s recent increased cooperation and arms deal. Israel recently announced that it was selling $1.6 billion in arms to Azerbaijan, a move that upset both Armenia and Iran. The text of the defacement was political, with likely intentions to reach as broad an audience as possible and amplify the message by targeting an Olympics-related national-level website. The following are examples of things which may incite hacktivists to launch attacks during the Olympics:

Olympic organizer issued warnings about stringent enforcement of limiting photography, digital recordings and general publishing of Olympic activities. This warning included prohibition of content being posted to social media sites. It is possible that tight enforcement of copyright infringement laws during the games may also prompt cyber reactions.

The recent controversy over stadium panels provided by Dow. Critics have tried to block the installation of the panels because of the Dow links to Union Carbide, which was accused of the 1984 gas leak in Bhopal, India. These pre-game criticisms by activists may translate to physical protests or cyber actions.

Hacktivists have consistently attacked websites and networks of countries ‘perceived’ as violating human rights, especially countries that endorse policies that limit access to digital content. As a result, countries banning or controlling Internet access to Olympic Games will also likely draw the attention of global hacktivists.

Hacktivists may rally around an unforeseen cause, such as the emergence of a news story surrounding the Olympics or Olympics sponsors that hacktivists find offensive or that conforms to their ideological platform (e.g. allegations of corporate malfeasance, environmental damage, corruption, etc.).

(U) Information Theft: The second type of attack would have a goal of information theft. This information could be used to grant a competitive edge to a company, individual or other entity. This type of attack may be facilitated by an insider or a remote attacker exfiltrating data through a system compromise. Criminals seeking competitive advantage often use spearphishing to penetrate a network. Spearphishing is an email-based attack where tailored emails containing malicious attachments or links are sent to key personnel identified during reconnaissance operations. These emails are especially convincing because they appear to be sent from a legitimate source. The highly customized nature of spearphishing emails and employment of spoofed email addresses make it extremely difficult to mitigate at the email gateway. In addition, advanced attackers understand how to bypass email filters and antivirus software so that the payload can be delivered successfully. Adversaries may target Olympic personnel to gain access to engineering schematics, scoring technologies, competitor information, ticketing systems, or similar targets.

…

Future Outlook

(U) The 2014 Winter Olympics to be held in Sochi, Russia, have prompted (and will likely prompt more) attention to controversial issues and Russia’s role in the region. Sochi is located on the Black Sea and borders the North Caucasus region. The North Caucasus is part of the Russian Federation and is comprised of several smaller republics, many ethnic groups and a rich cultural legacy wracked by war, intermittent violence and competing claims to power. Legacies surrounding land claims and ethnic sovereignty issues in the Caucasus have been ongoing for centuries, and they continue to the current day with wars having occurred in the last few decades, particularly in the early 1990s in Chechnya and between Georgia and South Ossetia as recently as 2008. This demonstrates that political beliefs (or reactions to such speech) are often expressed via cyber means in the region.

(U) Pro-Olympic Cyber Attacks: The construction of the 2014 Olympics facilities near the UNESCO protected Caucasus Biosphere Reserve and Sochi National Park has drawn criticisms from global environmental groups, as well as local Sochi news organizations. These Sochi news portals came under attack in late 2010 because of their vocal opposition to the Olympic construction. It is unknown who perpetrated this series of attacks, but their choice of targets indicates the attacker was possibly attempting to subdue opposition.

(U) Hacktivism: Hacktivists (Anonymous Kavkaz) purporting to be part of the larger Anonymous collective vowed to attack MegaFon on May 21, 2012 as part of ‘Operation BlackHole’. MegaFon is Russia’s second largest mobile phone operator in Russia and one of the national sponsors for the 2014 Winter Olympics, to be held in Sochi, Russia. The Adiga actors expressed outrage about the location of the Olympics in Sochi, Russia, as they believe that the Olympic complex is being built upon mass graves from the Circassian genocide. The attack date is significant, as Circassians commemorate the Circassian-Russian War every year on May 21, the day that Circassia was annexed by the Russians and as a remembrance of the genocide that the Circassians believed occurred at the hands of the Russians.

(U) Anonymous Kavkaz (aka Adiga Hackers) started a Twitter feed on Feb. 25 and have only updated it twice, with just a handful of followers as of this writing. The true affiliation with the larger Anonymous group seems unlikely because:

Anonymous Kavkaz does not appear to be active in the main communications channels, where they would be most likely to make connections with more capable actors.

Anonymous Kavkaz’s Facebook presence is more geared toward ethnic, religious and political grievances in the Caucasus than with traditional Anonymous causes.

(U) The group purports to have attacked and disabled (exact means unknown) the server of the Russian Commercial Bank (a subsidiary of another Russian bank, the VTB Bank) on March 29, 2012. According to a website monitoring service, the bank’s website was having problems, but it is unclear what the issues were or if they were related to the alleged attack.

(U) Politically motivated actors from this region vary in ability, but the Russian e-crime underground offers advanced capabilities that could be sought out by North Caucasus hacktivists. Similarly, the Adiga hackers could seek more skilled Anonymous-associated actors for assistance, but thus far they have not been observed communicating in known Anonymous communications channels. This could be good indication that they are only peripheral, aspirational actors. It is possible the Adiga hackers only adopted the Anonymous moniker in an attempt to gain legitimacy and anchor their somewhat obscure cause in the framework of a larger movement to attract more followers or participants.

(U) This is the first time Russia has hosted the Olympics (the 1980 Olympic Games were held in the USSR) and officials are actively monitoring the region for any indication of unrest. Russia has recently deployed military forces to the North Caucasus as part of a broader effort to stabilize the region in the lead-up to the 2014 Olympics.

(U) Although each host country will face unique challenges, the majority of cyber threats will remain consistent as officials begin preparations for the 2016 (Rio de Janeiro, Brazil) and 2018 (Pyeongchang, South Korea) Olympic Games. DHS and partners should continue to coordinate with impacted CIKR partners while promoting awareness campaigns to minimize malware infections.