Phishing for Gold: Threats to the 2018 Winter Games
February 6, 2018
Digital Shadows has been monitoring major sporting events since 2014, beginning with the Winter Olympics in Sochi, Russia, and then the 2014 World Cup in Brazil. The 2016 Olympics, held in Rio de Janeiro, were a hotbed of cyber activity, dominated by the OpOlympicHacking campaign, physical protests, and high levels of cybercrime against attendees. Rio showed that cyber actors look to profit from the millions of visitors, the global media audience and the increased number of financial transactions that accompany major sporting events.
Although hacktivist and physical protest activity often accompany events with international media coverage, we believe cybercrime and fraud will be the most imminent and prevalent threats to the 2018 Olympic event and its attendees. Rio was also significant as it highlighted how actors working with the approval or on behalf of nation-states can use the cover of global sporting events for their own goals. In 2018, regional tensions between North and South Korea may well contribute to nation-state cyber operations, although it’s unclear how the recent public overtures between the two states and the decision to invite North Korean athletes to the event will affect this.
As millions of fans descend on South Korea, particularly business and political VIPs, we believe the event will likely be targeted by a variety of cyber actors. This includes financially motivated cyber-criminals and more capable nation-state actors – possibly as a dry run for campaigns during the larger 2018 World Cup to be hosted later this year in Russia.
The Games Have Already Begun
We have already reported on data leaks and phishing attempts targeting organizers and affiliates of the Winter Olympics. As well as this, our SearchLight platform found several potentially malicious domains, social media accounts and infrastructural issues that could be used in future attacks.
Both in the lead up and during the event, we expect to see:
- Phishing. As well as targeting volunteers, attackers will use interest in the event as a lure when sending malicious phishing emails. We discovered several typo-squat domains that use the 2018 Winter Olympics and World Anti-Doping Agency (WADA) brand names. These domains were not registered to official entities, and over half were registered in Russia and Ukraine or behind proxy services. Although not currently used in active campaigns, these domains could be used in phishing attacks to distribute malware or harvest credentials.
Selection of typo-squat domains discovered by Digital Shadows
- Exposed credentials. We searched for examples of exposed credentials belonging to Olympic and WADA accounts in our repository of third party breaches. Here we found at least 300 examples of Olympic or WADA credential pairs in multiple breached datasets that became public in the last 12 months. These credentials could be used for further cyber-attacks against Olympic organizations, including spear-phishing and account takeover.
Selection of exposed credentials for Olympic and WADA domains in breaches found by Digital Shadows
- Data Leaks. In January, the Fancy Bears group – a self-proclaimed hacktivist group believed to be affiliated with the Russian state – published emails from the International Olympic Committee and International Luge Federation, likely in retaliation for the banning of Russian athletes over alleged doping. On January 31, they published further information implicating Canadian athletes. “Fancy Bears” is a play on the widely used name “Fancy Bear” (APT-28), which refers to an espionage group that the US intelligence community has linked to the Russian intelligence services. It is still unclear whether the two groups are one and the same; nevertheless, data leaks against WADA and the International Olympic Committee have been conducted under the Fancy Bear name since Rio in 2016.
Fancy Bears announce leak of documents belonging to Canadian athletes via Twitter
- Malware attacks. 2018 Olympic volunteers were targeted by macro-malware through email attachments imitating genuine documentation from the official 2018 Winter Olympics website. The original document contained logistics details for the volunteers, suggesting the malware was aimed at either the volunteers themselves or the volunteer portal. More recently, a data-gathering malware known as GoldDragon was identified targeting organizations associated with the 2018 Winter Olympics. In this case, the payloads were designed to establish persistence on targeted machines and enable further data exfiltration, as well as provide an ability to download additional malware.
- Attacks on Wi-Fi network users. Attackers have previously compromised public Wi-Fi networks when going after high-value targets. The campaign known as DarkHotel, for example, used spoofed software updates on infected Wi-Fi networks targeting hotels in Asia, while APT-28 used credentials likely stolen from Wi-Fi networks in hotels to deploy remote access malware that could steal information and allow for lateral movement across networks.
- Financial cybercrime. Criminals will often try to exploit the large number of visitors and the increase in financial transactions, particularly in areas of high tourist density such as city centers, hotels, restaurants and shopping areas. For example, between March and July 2017, over 41 Hyatt Hotel locations in 11 countries were compromised, resulting in the compromise of customer payment card details. 18 of the affected hotels were in China, but branches in South Korea, Japan, North and South America were also impacted. As well as an increase in payment card theft through point-of-sale malware infections at hospitality, leisure and retail locations, expect a rise in ATM skimming, banking fraud and scam emails.
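The phishing and exposed-credentials items above describe two monitoring checks: spotting typo-squat registrations of a brand's domains, and filtering breach dumps down to credential pairs belonging to monitored domains. The script below is an added example written for this post; it is not Digital Shadows' SearchLight code. The brand domains (`pyeongchang2018.example`, `wada.example`), the domain feed and the breach lines are all constructed placeholders, not real registrations or real credentials. It generalizes slightly beyond the post by covering several squat techniques (omission, repetition, transposition, homoglyphs, hyphenation, TLD swaps, brand embedding) and a one-edit fallback.

```python
import re

# Constructed placeholder brand domains to protect (assumption, not the real Olympic/WADA domains).
MONITORED = ["pyeongchang2018.example", "wada.example"]

# Visually similar substitutions commonly seen in squat domains.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "a": "4", "e": "3", "s": "5"}


def split_domain(domain):
    """Return (registrable label, tld) for a simple label.tld domain."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label, tld


def typo_variants(label):
    """Generate common typo-squat labels derived from a brand label."""
    v = set()
    for i in range(len(label)):
        v.add(label[:i] + label[i + 1:])                              # character omission
        v.add(label[:i] + label[i] + label[i:])                       # character repetition
        if i < len(label) - 1:
            v.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # adjacent transposition
        if label[i] in HOMOGLYPHS:
            v.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])   # homoglyph substitution
        if i > 0:
            v.add(label[:i] + "-" + label[i:])                        # hyphen insertion
    v.discard(label)
    return v


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance between two labels."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(candidate, monitored=MONITORED):
    """Return (brand, reason) if candidate looks like a squat of a monitored domain, else None."""
    c_label, c_tld = split_domain(candidate)
    for brand in monitored:
        b_label, b_tld = split_domain(brand)
        if candidate.lower() == brand.lower():
            return None                                   # the genuine domain itself
        if c_label == b_label and c_tld != b_tld:
            return (brand, "tld-swap")
        if c_label in typo_variants(b_label):
            return (brand, "typo")
        if edit_distance(c_label, b_label) <= 1:
            return (brand, "edit-distance")
        if b_label in c_label:
            return (brand, "brand-embedded")              # e.g. brand-tickets.example
    return None


def scan_feed(feed, monitored=MONITORED):
    """Map each flagged domain in a newly-observed-domains feed to (brand, reason)."""
    hits = {}
    for domain in feed:
        result = classify(domain, monitored)
        if result:
            hits[domain] = result
    return hits


# Breach dumps are commonly distributed as one "email:password" pair per line.
CRED_RE = re.compile(r"^([^:@\s]+)@([^:\s]+):(.*)$")


def exposed_credentials(lines, monitored=MONITORED):
    """Count unique credential pairs per monitored domain (subdomains included) in dump lines."""
    found = {}
    for line in lines:
        m = CRED_RE.match(line.strip())
        if not m:
            continue                                      # not a credential line
        user, domain, password = m.groups()
        domain = domain.lower()
        for brand in monitored:
            if domain == brand or domain.endswith("." + brand):
                found.setdefault(brand, set()).add((user.lower() + "@" + domain, password))
    return {brand: len(pairs) for brand, pairs in found.items()}


# Constructed sample feed of newly observed domains (not real registrations).
FEED = [
    "pyeongchang2018.example",   # genuine brand domain, must not be flagged
    "pyeongchang2018.ru",        # TLD swap
    "pyeongchang-2018.example",  # hyphen insertion
    "pyeongchnag2018.example",   # transposition
    "wada.example",              # genuine brand domain
    "wad4.example",              # homoglyph
    "wadq.example",              # one-character substitution
    "wada-tickets.example",      # brand embedded in a longer label
    "weather.example",           # unrelated
]

# Constructed breach-dump lines with fake accounts (not real credentials).
BREACH_LINES = [
    "alice@wada.example:Winter2018!",
    "bob@mail.pyeongchang2018.example:hunter2",
    "ALICE@wada.example:Winter2018!",                   # same pair, different case
    "carol@pyeongchang2018.example.attacker.test:pw",  # brand as prefix, not a subdomain
    "dave@unrelated.example:pass",
    "not a credential line",
]

if __name__ == "__main__":
    for domain, (brand, reason) in scan_feed(FEED).items():
        print(f"{domain:28} -> squat of {brand} ({reason})")
    print(exposed_credentials(BREACH_LINES))
```

Two caveats for real use: the one-edit fallback produces false positives for short brand labels (a four-letter label like `wada` is one edit from many ordinary words), so those hits need manual review; and the credential filter matches on the account's email domain only, so it finds staff accounts reused on third-party sites, which is exactly the exposure the post describes.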
Visualizing the Threat
Below is a visualized form of the expected threat landscape of the upcoming event. It breaks down potential targets for the Winter Olympics and presents some of the most likely risks for each.
The 2018 Winter Olympics is expected to be a focal point of criminal and politically-charged cyber activity, as seen in previous similar events. The following mitigation techniques can help limit the impact of the malicious activity that will likely occur:
- Update and patch. First and foremost, organizations should make sure their firmware and operating systems are updated with the latest patches, especially Microsoft applications.
- Be wary of scams and phishing emails. Do not click on any links in emails marketing or referencing the event. The IOC will not be launching an email marketing campaign with “FREE TICKETS!!1!” and any claimed scandals pertaining to athletes can be found on trusted news media sites, not in any “YOU WON’T BELIEVE HOW THIS ATHELETE WON 20 GOLD MEDALS, CLICK HERE TO FIND OUT” emails.
- When downloading applications, make sure you only initiate these from legitimate sites such as the Apple and Google stores. Also ensure you review the security and access permissions granted to these programs. In November 2017 it was discovered that Android malware previously used by the Lazarus Group – an actor affiliated with the North Korean state – had been used to target the general public in South Korea.
- Be vigilant when using ATMs in-country. Look out for evidence of machine tampering: some skimming devices can be spotted by a quick wiggle of the card reader or through visible marks on the PIN code area. To help lessen the impact of point-of-sale malware and ATM skimming, alternative forms of payment like chip and PIN, pre-paid and pre-capped cards should be considered.
- Avoid untrusted networks. Corporate users should use Virtual Private Network (VPN) tunnelling when connecting to company networks and corporate accounts, especially on public Wi-Fi. Multi-factor authentication can also help combat successful account compromises.
- Protect VIPs. High-value employees traveling to the event should consider having their technology and devices placed in isolated corporate networks preceding and during the event. Following the event, a quarantine period could also be established to ensure nothing malicious has been brought back into the corporate network.