Forecasting OpOlympicHacking

15 August 2016

We recently published a report on the eight cybersecurity considerations around Rio 2016. But what have we observed so far, and what do we expect to see in the short and medium terms?

Over the past three weeks, we have detected an increase in hacktivist activity conducted as part of this operation. This activity has included multiple denial of service claims against Brazilian government and sporting entities, as well as data leaks from Brazilian sporting confederations, Brazil-based businesses and the International Court for Arbitration for Sport.

OpOlympicHacking Timeline  

We’ve also observed the introduction of new threat actors previously unassociated with the campaign. When first announced in February 2016, OpOlympicHacking was connected to the Brazilian branch of the Anonymous collective (Anonymous Brasil) and the affiliated ASOR Hack Team. Since 22 July, however, threat actors such as Ghost Squad Hackers, Anonymous Poland, and Anonymous France have either actively participated in, or pledged their allegiance to, the operation. This is highly likely a result of the worldwide media attention surrounding the games, which threat actors will likely see as an opportunity to advertise their capability and increase their reputation.

So what does this mean going forward? We have generated four scenarios in order to forecast the threat OpOlympicHacking will pose in three weeks’ time, using two key factors: levels of participation and levels of organization.

OpOlympicHacking Scenarios 1

OpOlympicHacking Scenarios 2

Short term

More participation and less organization (1) 

It is likely that new threat actors will continue to join and support the operation, at least until the event’s close on 21 August. This would likely result in an increase in claimed attacks, particularly around the time of the closing ceremony, albeit with a lack of coordination. The main channels for OpOlympicHacking are Facebook event pages, text-sharing websites such as Pastebin, and IRC channels. Not all threat actors participating in this operation are present on, or aware of, these channels, and sharing targets in real time across various time zones appears to be difficult. As a result, attacks would likely have a low impact. Once the event finishes on 21 August, we expect a significant drop in activity, as the ensuing decline in media coverage will likely decrease the incentive for threat actors to participate in the campaign. Diminishing levels of exposure and international coverage will likely lead threat actors not directly based in Brazil to pursue alternative causes and operations.

Medium term

Less participation and more organization (3)

The end of Rio 2016 and the decrease in media coverage will most likely result in less participation and less organization among threat actors. There is a possibility, however, that a scenario involving less participation and more organization would emerge. Here, support from threat actors not based directly in Brazil would most likely fade, but groups such as Anonymous Brasil might consolidate coordination of the operation and continue targeting Brazilian entities in the context of the economic, social and political tensions that are likely to continue in Brazil for the foreseeable future.

While we cannot predict what will happen in the short and medium term, by using a scenario-based approach and stress testing our analysis, we can better acknowledge our assumptions and identify key indicators. Both of these allow us to make more informed assessments of how a threat may be developing.