Going for Gold: How Cybercriminals Could Target 2020’s Biggest Events

Given its significance for those across Europe, the United Kingdom’s decision to leave the European Union (EU) has provided numerous opportunities for cybercriminals to exploit.

With Brexit set to go ahead on 31 January following the Conservative party’s general election victory in December, Monrad expects these exploits to continue into the New Year:

“Although we haven’t seen it, as we move closer to the actual Brexit, there can be a variety of opportunities for different individuals, cybercriminals and others, to try and use the themes or try and take advantage of the situation.”

Cyber influence

While the investigation into apparent Russian interference in the UK’s 2016 Brexit referendum is ongoing, various studies found evidence that Russia-based groups used social media to spread pro-leave messages leading up to the vote.

The UK subsequently voted in favour of leaving the European Union, and after three years of discussion and debate, Brexit negotiations appear to have finally reached a conclusion. However, with plenty of uncertainty still present over the impact it will have, there is still an opportunity for foreign states to attempt to control the geopolitical narrative in a way that suits them best.

“On Brexit we have seen several indications that there might be an interest from foreign state sponsored campaigns to either utilise the narrative or try and drive a specific narrative around Brexit,” Monrad says.

These attempts to influence are likely to continue up until the Brexit deadline and beyond, as citizens and businesses attempt to come to terms with what the eventual outcome means for them.

Spear phishing campaigns

Social engineering techniques, where information is provided in order to manipulate individuals into divulging personal information, handing over money, or downloading a malicious file, are commonly used by cybercriminals.

In 2019, the United States Department of Homeland Security (DHS) warned of cybercrime campaigns designed to trick victims out of money in the wake of the El Paso and Dayton mass shootings. Likewise, those eager to read whistleblower Edward Snowden’s new book, Permanent Record, were targeted with a timely malware campaign soon after its release.

FireEye has seen evidence of similar spear phishing campaigns using the Brexit theme to dupe victims. One campaign specifically targeted diplomats across the continent, using Brexit as a topic of interest to encourage their victims to open and interact with malicious emails.

“These type of lures that target government specifics is something we would expect to see more,” Monrad says.

Given its global reach, the Olympics usually presents big opportunities for threat actors, whether the end goal is to monetise the increase in tourist traffic, cause disruption, or steer the geopolitical narrative.

For example, Brazil-based cybercrime groups ramped up the use of payment technologies to steal banking cards and credentials ahead of the 2016 Olympics,according to cybersecurity company Fortinet.

However, cybercriminal activity carried out during Olympic events typically differ depending on the hosting nation. Financial cybercrime wasn’t quite so prevalent during South Korea’s Winter Olympics, and that is likely to be the case again in Tokyo.

“’I’m not sure we’ll see the same frequency of cybercrime this year for the Summer Olympics. This is a bit more of a mature nation and also a bit more effective with security controls and payment systems compared to Brazil,” Monrad explains.

State-sponsored cyberattacks

In Tokyo, rather than financially-motivated cybercrime, state-sponsored attacks seem more likely.

Non-critical systems were attacked by a malware strain named ‘Olympic Destroyer’ ahead of the opening ceremony of South Korea’s 2018 Winter Olympics. This attack was initially attributed to North Korea, given part of its code matched previous malware used by the infamous Lazarus Group. However, a FireEye researcher later found similarities between the documents used to spread Olympic Destroyer and other documents used to target Ukrainian groups and organisations. The attack was eventually attributed to Russian group Sandworm, and its Russian origin was confirmed by two US officials to the Washington Post.

“Those type of elements are something we could potentially see again,” Monrad believes.

The World Anti-Doping Agency’s recent ruling against Russia could intensify that threat. Russia has been banned from all international sporting events for the next four years as punishment for widespread athlete doping and evidence tampering. Subsequently, athletes will be prohibited from competing under the Russian flag at the Tokyo Olympics.

Monrad speculates that the Olympics could be used to retaliate against this decision, providing a global stage for bad actors to cause disruption or spread their preferred narrative.

Hacktivism

Russia aside, there is also a possibility that Japan will come under attack for issues that are a little closer to home, such as whaling and nuclear energy. There is also tension in the region over Chinese nationalism, and protests and activism could find its way to Tokyo.

“Since this is in Tokyo, and throughout the years we have seen grassroots movements targeting Japan for their whaling campaigns, this could be an area where we might also see a significant digital threat based on the theme of whaling carried out by hacktivism groups or individuals supporting an anti-whaling campaign,” Monrad speculates.

“This will be relatively new compared to previous Olympics, where we didn’t really have that grassroot theme or a potential threat from that.”

Four years on from the election that kick-started debate around the use of social media to interfere in politics, US voters will vote for their next president. Likewise, various European countries, including France and the UK, will go to the polls throughout the year.

Cyber influence

The spread of misinformation in an attempt to influence voters is likely to continue, and in many cases we might not even notice that it is occuring.

“What we have learnt from the 2016 election in the US is that these sort of operators, they are able to actually target a specific audience that might be more easy to convince,” Monrad explains. “These type of citizens, based on research, might not even read mainstream media… they might not see BBC or CNN, they might get their news from other places.”

FireEye, which has watched these cyber influence campaigns evolve, has seen signs of the groups behind them deploying new techniques to hide the true origin of malicious posts. One such technique appears to involve the use of artificial intelligence (AI) and deepfake technology to generate realistic profile pictures in order to mimic the appearance of a real post.

“There was one lady with a fairly large set of earrings, and you could see that one of them was weird compared to the other one. Very blurred and distorted,” Monrad recalls. “Those type of details is something that suggests they’re trying to blend in with normal traffic by generating artificial or deepfake images.”

Cyber espionage

While infrastructure attacks, such as the targeting of digital voting machines, aren’t of much concern in Europe, these machines could present issues in the US. Ahead of the US mid-term elections in 2018, cybersecurity experts pointed to various flaws in voting machines that left them vulnerable to exploit from malicious actors. One machine, used in 23 states, still carried a vulnerability that had been unearthed a decade earlier.

Whether or not bad actors will try to exploit these vulnerabilities is another matter, but one thing Monrad is certain will occur is cyber espionage activity leading up to major votes.

“That’s not something that I would be very surprised to see in upcoming elections,” Monrad states. “I would expect any sort of mature nation to conduct some sort of intelligence operations ahead of elections to learn what sort of candidates will be brought in, what will be the changes to geopolitical and diplomatic relationships, will there be a completely different agenda from the new government?”

Hack & leak campaigns

Hack and leak campaigns are also a concern, and if the UK general election is anything to go by, this is likely to be a tactic increasingly used in 2020.

A major talking point heading into that vote centred around leaked documents that Labour leader Jeremy Corbyn said proved the National Health Service (NHS) had been discussed in trade talks with the US. The leak has since been linked to a group with ties to Russia’s intelligence service.

“That is something I’m more concerned about, because we don’t know what can control the narrative, we cannot see how it starts and how it got into the hands of the attacker,” Monrad says.

Despite calls to improve security ahead of the 2020 election to stop foreign nations from interfering, cybersecurity firms continue to highlight glaring lapses in security and failures to act. The Tokyo 2020 organisers have been more proactive, approaching firms like FireEye in an attempt to predict and protect against threats before they arise. However, with 68% of business leaders fearing cybersecurity risks are increasing, it’s difficult to see 2020 passing by without a hitch.