
As we head into 2025, we are reviewing some of our work from 2024. One key output was our 2024 Summer Olympics Threat Assessment Joint Analytic Report (JAR), released a few weeks before the start of the games. The report looked at potential cyber threats to the Paris Olympic Games and we wanted to evaluate how our projections aligned with actual events. This after-action report examines some of the cyber events associated with the Games and compares them to the JAR.
By Vaibhav Zaveri
CTA members and partners were instrumental in the development of this After-Action Report, with specific recognition to David Tyler, from Symantec by Broadcom, for his significant contributions.
Introduction
The 2024 Olympic and Paralympic Games in Paris attracted millions of spectators, both in-person and virtually. Along with athletes and visitors, thousands of security personnel attended the Games in Paris to address and maintain safety and security. Officials had to look “Beyond the Medal,” dispatching security professionals to examine in depth the aspects that could adversely affect people, systems, and infrastructure.[1] Major events like the Olympics inspire criminals to exploit vulnerabilities, using the platform to draw attention to their causes, further their activism, or achieve financial gain, often at the expense of individuals and organizations. Malicious activity against locations such as museums was reported.[1] Building on the foundation laid by the ‘2024 Summer Olympics Threat Assessment,’ this report analyzes specific activity that occurred during the Games. That assessment identified potential threats; this report examines the specific incidents that unfolded and the strategies used to safeguard the Games.
Highlights
According to France’s Cybersecurity Agency, Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), more than 140 incidents occurred during the dates of the Olympic and Paralympic Games, from July 26 to August 11, 2024.[1] ANSSI had a large team of 630 cybersecurity experts to cover the Games and provide security to nearly 500 companies, infrastructure facilities, and other organizations that were involved in the Olympics.[2] Of the 141 cyber incidents reported by the agency, 22 resulted in successful access to information systems, while the remaining 119 had minimal or no impact; however, no further information is publicly available on the specific impact of these 22 incidents.[1]
Among the 141 incidents reported by ANSSI, several involved Denial-of-Service (DoS) attacks and malicious hacking techniques such as typo-squatting.[1] Hacktivist groups harboring anti-French sentiments due to geopolitical tensions in the Middle East and the Russia-Ukraine war specifically targeted the Olympics. Certain groups were identified as likely working at the behest of certain governments, but those governments called the actors “hacktivists” to divert blame. Those groups deployed DDoS tools against France, with the end goal of causing reputational damage. Multiple security teams contributed to securing the Games and dealing with incidents. The 24/7 Security Operations Center (SOC) teams provided round-the-clock monitoring and threat remediation. By aligning their shifts, teams proactively identified and addressed emerging threats. Leveraging advanced tools, dark web monitoring, and third-party intelligence, they generated data-driven threat intelligence reports to inform timely security measures.
Cybersecurity Events and Incidents That Occurred During the Games
Ticket Operations & Malicious Domains
As projected in the JAR, Olympics organizers battled with ticket scams. Researchers at Fortinet, a CTA founding member, found 338 fraudulent websites selling fake Olympic tickets.[3] These sites primarily targeted Russians unable to purchase legitimate tickets due to European sanctions imposed after Russia invaded Ukraine.[1] Along with tickets, threat actors were found setting up fake domain names to sell fraudulent cryptocurrency and merchandise to collect user information.[2] To attract visitors, threat actors abused search engine ads to advertise fake Olympics-related websites.[4]
Researchers at Symantec by Broadcom, a CTA Affiliate member, who specialize in Uniform Resource Locator (URL) reputation investigated domain abuse to protect customers from Olympics-themed threats. Common indicators of malicious domains include fake website content, low domain age, typo-squatting, shady Whois information, lower-trust registrars, and Autonomous System Numbers (ASNs). To combat the full spectrum of cyber threats, researchers focused beyond URL abuse to include email security and other critical areas.
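A sketch of how three of the indicators listed above (typo-squatting, low domain age, lower-trust registrar) can be combined into a triage score. It is an added example, not code from Symantec, CTA, or the report. The keyword list, the 30-day age threshold, the registrar names, and the sample records are constructed assumptions.

```python
from datetime import date

# Assumed watch-list of event terms; not taken from the report.
KEYWORDS = ("olympics", "paris2024", "tickets")
# Placeholder for an analyst-maintained list of lower-trust registrars.
LOW_TRUST_REGISTRARS = {"example-registrar-a"}
MAX_AGE_DAYS = 30  # assumed cut-off for "low domain age"

def edit_distance(a, b):
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(label):
    """Return the keyword that a token of the label imitates, or None."""
    for token in label.replace("-", " ").replace(".", " ").split():
        for kw in KEYWORDS:
            # Exact matches are not typos; one edit away is a likely squat.
            if token != kw and edit_distance(token, kw) == 1:
                return kw
    return None

def triage(record, today):
    """Count the indicators a domain record trips; returns (score, reasons)."""
    label = record["domain"].lower().rsplit(".", 1)[0]  # drop the TLD
    reasons = []
    kw = lookalike(label)
    if kw:
        reasons.append(f"typo-squat of '{kw}'")
    age = (today - record["created"]).days
    if age < MAX_AGE_DAYS:
        reasons.append(f"domain age {age}d")
    if record["registrar"] in LOW_TRUST_REGISTRARS:
        reasons.append("lower-trust registrar")
    return len(reasons), reasons

# Constructed sample records (reserved .example names, invented dates).
TODAY = date(2024, 7, 20)
SAMPLES = [
    {"domain": "olympcs-tickets.example", "created": date(2024, 7, 10),
     "registrar": "example-registrar-a"},
    {"domain": "city-museum.example", "created": date(2015, 1, 1),
     "registrar": "example-registrar-b"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["domain"], *triage(rec, TODAY))
```

A score like this only ranks domains for analyst review; the remaining indicators in the list (site content, Whois details, ASN) need data this sketch does not model.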
Misinformation and Disinformation
Mis- and disinformation[5] posed a threat to the Paris Olympics, which the 2024 JAR identified as a likely problem. Threat actors were found sharing disinformation regarding the Olympics using Artificial Intelligence (AI)-generated content. The generated fake images and news aimed to discredit the Olympic committee and instill fear in attendees.[1] For instance, threat actors created an AI-generated video portraying Paris as a crime-ridden area, mocking the Games’ security preparations.[6] The video amassed thousands of views on social media platforms such as YouTube and X and was amplified via approximately 30,000 social media bots.[6] Within the next few days, the video was available in multiple languages to increase reach and discredit the Games.[6] The misinformation and disinformation campaigns could have resulted in negative impacts such as decreasing the number of attendees, but no such incidents were recorded, so the impact of the attempt could not be quantified.
Museums
Museums in France were also targets of criminal activity. One such museum was the Grand Palais, which has hosted art by well-known artists like Picasso, Richard Serra, and the Fauves.[7] The Grand Palais, which has hosted iconic art exhibitions, concerts, and equestrian shows, also hosted two Olympic events – taekwondo and fencing.[7] This museum, along with 40 other museums, became a victim of a ransomware attack that targeted an information system centralizing financial data; the attackers threatened to release critical financial data.[8] Officials opened a criminal investigation into the incident and later discovered that Olympics-supporting systems were not affected.[8]
Train & Cable Sabotage Affecting Physical Security
Trains in France were victims of an arson attack hours before the Olympics started on July 26, 2024, disrupting travel for thousands.[9] France’s caretaker prime minister, Gabriel Attal, said that the attack hit railway lines running east, west, and north of Paris. Additionally, he said that the attack was coordinated, hinting that the threat actors had some knowledge of the network.[9] This demonstrated how attackers used old, less sophisticated methods to disrupt physical services and infrastructure. After the trains were sabotaged, long-distance Internet cables met the same fate. Internet cables were cut, disrupting Internet service across France on July 29, 2024.[10] ANSSI issued a statement saying that the attacks on the cables were not related to any cybersecurity incidents.[10] An investigation was opened by the public prosecutor’s office to look into the attack on the trains, but no arrests have been announced.[9] These incidents were primarily physical acts of vandalism that disrupted physical infrastructure, but there could be indirect cybersecurity implications, such as increased vulnerability to cyberattacks during periods of disruption or potential data breaches due to damaged infrastructure. Physical security and cybersecurity are often intertwined due to the convergence of physical and cyber systems, and the role of cybersecurity in physical security such as access control, incident response, and threat monitoring.[11] Additionally, cybersecurity techniques, such as Open Source Intelligence (OSINT), are used to gain valuable information about physical assets.[12]
Security Cooperation
To ensure smooth operations, ANSSI, government officials, police officials, threat intelligence partners, volunteers, and Olympic Board officials coordinated and shared information. The officials, experienced in combating cybersecurity threats, were familiar with the technical and human processes to coordinate and share timely security information, enabling quick responses, mitigations, and remediations. Along with government officials and law enforcement, cybersecurity companies played a crucial role in securing the Games. From safeguarding visitors to identifying emerging threats and developing countermeasures, they focused on all aspects of cybersecurity.
CTA members and partners actively collaborated with the CTA and contributed significantly to other published reports. These reports provided valuable insights and data, fostering collaboration and knowledge sharing with the international community. The extensive efforts dedicated to investigating novel threats, creating vulnerability assessments, and proactively defending were highly beneficial. At the end of the Games, Mike Mestrovich, former CIA CISO, said of their successful completion, “It just shows that, with enough coordination and with enough luck, you can actually survive through these things.”[2]
Conclusion
The After-Action Report supports the analysis presented in the CTA 2024 Summer Olympics Threat Assessment Joint Analytic Report (JAR). Several incidents anticipated in the JAR, such as Distributed Denial-of-Service (DDoS) attacks, cryptocurrency scams, and misinformation and disinformation campaigns, were indeed realized during the event. The success of the Paris Olympics in mitigating diverse security threats highlights the critical role of advanced technologies, proactive planning, and seamless collaboration among stakeholders – themes also highlighted in the JAR. Cybersecurity professionals leveraged AI to create scenarios and developed solutions to counter possible attacks. Their proactive approach to preparing for the evolving threat landscape, coupled with the strategic deployment of advanced tools and technologies, enabled them to pre-empt threats and safeguard operations. Collaboration between the Olympic Board, partnering companies, French authorities, and ANSSI was a crucial component of the security strategy, ensuring timely threat mitigation and minimizing opportunities for threat actors to exploit vulnerabilities. The collaborative efforts of many participants in successfully identifying and mitigating threats show the value of planning and cooperation.
Overall, we conclude that the JAR correctly projected the main cyber threats that occurred over the course of the Games. A few threats emerged against organizations we did not specifically call out, such as museums and the rail network, which highlights the need for broad preparedness against cyber threats. CTA’s recommended actions also proved effective in mitigating these threats when they materialized. We look forward to incorporating these learnings into future reports.
[1] https://www.securityintelligence.com/articles/paris-olympic-authorities-battled-cyberattacks-won-gold/
[2] https://www.bankinfosecurity.com/how-paris-olympics-survived-unprecedented-cyber-threats-a-26060#
[3] https://www.fortinet.com/blog/threat-research/dark-web-shows-cybercriminals-ready-for-olympics
[4] https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites
[5] https://www.cyberthreatalliance.org/resources/assets/cta-2024-summer-olympics-threat-assessment-july-2024/
[6] https://apnews.com/article/olympics-2024-russia-disinformation-khelif-paris-cdabb2945ec9a80f72cb41a48a51d277
[7] https://news.artnet.com/art-world/the-history-of-the-grand-palais-in-7-groundbreaking-exhibitions-2534464
[8] https://www.france24.com/en/live-news/20240806-olympic-venue-among-40-museums-hit-by-ransomware-attack-french-police-source
[9] https://www.washingtonpost.com/world/2024/07/26/france-rail-disruptions-scnf-olympics/
[10] https://www.wired.com/story/saboteurs-cut-internet-cables-in-latest-disruption-during-paris-olympics
[11] https://www.lenels2.com/en/news/insights/Physical_and_Cybersecurity.html
[12] https://liferaftlabs.com/blog/what-businesses-need-to-know-about-osint-for-physical-security