Threat actors go where the targets are, capitalizing on opportunities to launch targeted or widespread, opportunistic attacks. This extends into high profile sporting events, especially those in increasingly connected environments, introducing cyber risk for organizers, regional host facilities, and attendees. The United Kingdom’s National Cyber Security Centre (NCSC) found that cyberattacks against sports organizations are increasingly common, with 70 percent of those surveyed experiencing at least one attack per year, significantly higher than the average across businesses in the United Kingdom.
The pressure to deliver a smooth, safe experience on the world stage introduces new stakes for local hosts and facilities. A single misconfigured device, exposed password, or overlooked third-party connection can lead to a data breach or successful intrusion.
Microsoft delivered cybersecurity support to critical infrastructure facilities during the State of Qatar’s hosting of the FIFA World Cup 2022™. In this edition we offer first-hand learnings about how threat actors assess and infiltrate these environments across venues, teams, and critical infrastructure around the event itself.
We are all cybersecurity defenders.
Microsoft performed over 634.6 million authentications while providing cybersecurity defenses for Qatari facilities and organizations between November 10 and December 20, 2022.
Opportunistic threat actors exploit target-rich environment
Cybersecurity threats to sporting events and venues are diverse and complex. They require constant vigilance and collaboration among stakeholders to prevent and mitigate escalation. With the global sports market valued at more than USD 600 billion, the target is rich. Sports teams, major league and global sporting associations, and entertainment venues house a trove of valuable information desirable to cybercriminals.
Information on athletic performance, competitive advantage, and personal information is a lucrative target. Unfortunately, this information can be vulnerable at scale, due to the number of connected devices and interconnected networks in these environments. Often this vulnerability spans multiple owners, including teams, corporate sponsors, municipal authorities, and third-party contractors. Coaches, athletes, and fans can also be vulnerable to data loss and extortion.
Furthermore, venues and arenas contain many known and unknown vulnerabilities that allow threats to target critical business services, such as point-of-sale devices, IT infrastructures, and visitor devices. No two high-profile sporting events have the same cyber risk profile, which varies depending on factors like location, participants, size, and composition.
To focus our efforts during Qatar’s hosting of the World Cup, we carried out proactive threat hunting to assess risk using Defender Experts for Hunting, a managed threat-hunting service that proactively searches for threats across endpoints, email systems, digital identities, and cloud apps. In this instance, the risk assessment considered threat actor motivation, profile development, and a response strategy. We also drew on global threat intelligence on geopolitically motivated threat actors and cybercriminals.
Top-of-mind concerns included the risk of cyber disruption of event services, or local facilities. Disruptions like ransomware attacks and efforts to steal data could negatively impact the event experience and routine operations.
The threat hunting team operated under a defense-in-depth philosophy to inspect and protect customer devices and networks. Another focus was monitoring the behavior of identities, logins, and file access. Coverage spanned a variety of sectors, including customers involved in transportation, telecommunications, healthcare, and other essential functions.
Overall, the total number of entities and systems monitored twenty-four-seven with human-led threat hunting and response support encompassed more than 100,000 endpoints, 144,000 identities, 14.6 million plus e-mail flows, over 634.6 million authentications, and billions of network connections.
As an example, some healthcare facilities were designated as urgent care units for the event, including hospitals delivering critical support and health services for fans and players. As healthcare facilities owning medical data, they were high-value targets. Microsoft machine- and human-powered threat-hunting activity leveraged threat intelligence to scan signals, isolate infected assets, and disrupt attacks on these networks. With a combination of Microsoft Security technology, the team detected and quarantined pre-ransomware activity targeting the healthcare network. Multiple unsuccessful sign-in attempts were logged and further activity was blocked.
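The monitoring described above (identities, logins, and the blocking of further activity after repeated failed sign-ins) can be illustrated with a small triage script. This is an added example, not Microsoft's code or the detection logic of any Microsoft product: it runs over constructed sign-in log lines (the accounts, IPs and timestamps are invented) and flags three patterns a hunter would look for, a burst of failures against one account, one source failing against many accounts (a spray), and a success that follows a burst of failures, then derives a block list of source IPs.

```python
"""Sign-in anomaly triage over constructed sign-in log lines.

Added example (not Microsoft's code or a product's detection logic). Flags:
  (a) accounts with repeated failed sign-ins inside a short window,
  (b) source IPs that fail against many distinct accounts (spray pattern),
  (c) a success that follows a burst of failures from the same source,
and derives the source IPs a responder would block.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,account,source_ip,result" (hypothetical data)
SAMPLE_LOG = """\
2022-11-20T08:00:01Z,nurse.a@hospital.example,203.0.113.7,FAIL
2022-11-20T08:00:03Z,nurse.a@hospital.example,203.0.113.7,FAIL
2022-11-20T08:00:05Z,nurse.a@hospital.example,203.0.113.7,FAIL
2022-11-20T08:00:06Z,nurse.a@hospital.example,203.0.113.7,FAIL
2022-11-20T08:00:08Z,nurse.a@hospital.example,203.0.113.7,FAIL
2022-11-20T08:00:09Z,nurse.a@hospital.example,203.0.113.7,SUCCESS
2022-11-20T08:01:00Z,dr.b@hospital.example,198.51.100.9,FAIL
2022-11-20T08:01:02Z,admin.c@hospital.example,198.51.100.9,FAIL
2022-11-20T08:01:04Z,triage.d@hospital.example,198.51.100.9,FAIL
2022-11-20T08:01:06Z,lab.e@hospital.example,198.51.100.9,FAIL
2022-11-20T08:05:00Z,dr.b@hospital.example,192.0.2.20,FAIL
2022-11-20T09:30:00Z,dr.b@hospital.example,192.0.2.20,SUCCESS
"""


def parse(log_text):
    """Parse CSV-style lines into (timestamp, account, ip, result), sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts whose failures reach `threshold` inside any sliding `window`."""
    failures = defaultdict(list)
    for ts, account, _ip, result in events:
        if result == "FAIL":
            failures[account].append(ts)
    flagged = {}
    for account, times in failures.items():  # times are already sorted
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[account] = best
    return flagged


def find_password_spray(events, min_accounts=3, window=timedelta(minutes=10)):
    """Source IPs whose failures hit at least `min_accounts` distinct accounts in a window."""
    by_ip = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    flagged = {}
    for ip, fails in by_ip.items():
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({acct for _, acct in fails[start:end + 1]})
            best = max(best, distinct)
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


def find_success_after_burst(events, min_failures=3, window=timedelta(minutes=5)):
    """(account, ip, failures) where a success follows a burst of failures from that ip."""
    recent = defaultdict(list)  # (account, ip) -> failure timestamps since last success
    hits = []
    for ts, account, ip, result in events:
        key = (account, ip)
        if result == "FAIL":
            recent[key].append(ts)
        elif result == "SUCCESS":
            fails = [t for t in recent[key] if ts - t <= window]
            if len(fails) >= min_failures:
                hits.append((account, ip, len(fails)))
            recent[key] = []
    return hits


def block_list(events):
    """Source IPs to block: spray sources plus every source behind a brute-force burst."""
    brute = find_brute_force(events)
    ips = set(find_password_spray(events))
    for _ts, account, ip, result in events:
        if account in brute and result == "FAIL":
            ips.add(ip)
    return sorted(ips)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute force:", find_brute_force(evs))
    print("spray:", find_password_spray(evs))
    print("success after burst:", find_success_after_burst(evs))
    print("block:", block_list(evs))
```

The success-after-burst check is the one worth paging on: a burst of failures that ends in a success from the same source is the moment at which "further activity" has to be blocked and the account's sessions revoked, not just the source IP.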
The urgent nature of healthcare services requires devices and systems to maintain a peak level of performance. Hospitals and healthcare facilities have a challenging task balancing service availability while maintaining a healthy cybersecurity posture. A successful attack, in the near term, could have immobilized medical facilities from both a data and an IT perspective, leaving medical providers relegated to pen and paper when updating patient data and weakening their ability to perform life-saving medical care in an emergency or mass triage situation. Long term, malicious code planted to provide visibility across a network could have been leveraged for a broader ransomware event aimed at further disruption. Such a case could have opened the door to data theft and extortion.
As large global events continue to be desirable targets for threat actors, there are a variety of motivations from nation states which seem to be willing to absorb collateral damage from attacks if it supports broader geopolitical interests. Furthermore, cybercriminal groups looking to leverage the vast financial opportunities that exist in sporting and venue-related IT environments will continue to see these as desirable targets.
Vast attack surfaces require additional planning and oversight
With events like the World Cup™, the Olympics, and sporting events in general, known cyber risks surface in unique ways, often less perceptibly than in other enterprise environments. These events can come together quickly, with new partners and vendors acquiring access to enterprise and shared networks for a specific period of time. The pop-up nature of connectivity with some events can make it hard to develop visibility and control of devices and data flows. It also fosters a false sense of security that “temporary” connections are lower risk.
Event systems can include the team or venue web and social media presence, registration or ticketing platforms, game timing and scoring systems, logistics, medical management and patient tracking, incident tracking, mass notification systems, and electronic signage.
Sports organizations, sponsors, hosts, and venues must collaborate on these systems and develop cyber smart fan experiences. Further, the huge swell of attendees and staff that bring data and information with them through their own devices increases the attack surface.
Providing security teams with information they need upfront—including critical services that must remain operable during the event—will better inform response plans. This is essential in IT and OT environments that support venue infrastructure, and to maintain the physical safety of attendees. Ideally, organizations and security teams could configure their systems before the event to complete testing, snapshot the system and devices, and make them readily available to IT teams to rapidly redeploy when needed. These efforts go a long way in deterring adversaries from taking advantage of poorly configured, ad hoc networks within the highly desirable, target-rich environments of large sporting
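The pre-event snapshot recommended above is only useful if someone checks the live systems against it during the event. The following is an added example (not Microsoft's tooling, and the directory layout, file names and contents are constructed): it hashes every file under a configuration tree into a baseline, serializes the baseline so it can be stored alongside the golden image, and later reports which files were added, removed or modified, which is the list an IT team would use to decide what to redeploy.

```python
"""Configuration baseline snapshot and drift check.

Added example, not Microsoft's tooling. Hashes every file under a config
directory into a baseline (serializable to JSON for storage with the
golden image), then compares a later state against it to report drift.
"""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def drift(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: pre-event baseline, then ad hoc changes during the event."""
    with tempfile.TemporaryDirectory() as root:
        # Pre-event state (hypothetical config files).
        _write(root, "wifi/captive-portal.conf", "ssid=Venue-Guest\nisolation=on\n")
        _write(root, "firewall.rules", "deny any any\n")
        stored = json.dumps(snapshot(root))  # what you would keep with the golden image

        # During the event: isolation switched off, a vendor file appears, rules deleted.
        _write(root, "wifi/captive-portal.conf", "ssid=Venue-Guest\nisolation=off\n")
        _write(root, "vendor-vpn.conf", "remote=vendor.example\n")
        os.remove(os.path.join(root, "firewall.rules"))

        return drift(json.loads(stored), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken from the tested, signed-off build and stored outside the device it describes; the drift report is what tells the team whether a quick redeploy of the snapshot is enough or whether the "modified" entries need investigating first.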
Additionally, somebody in the room should consider privacy risk and whether configurations add new risks or vulnerabilities for attendees’ personal information or teams’ proprietary data. This person can implement simple cyber smart practices for fans, directing them, for example, to scan only QR codes with an official logo, to be critical of SMS or text solicitation they didn’t sign up for, and to avoid using free public Wi-Fi.
These policies and others can help the public better understand the cyber risk at large events, specifically, and their exposure to data harvesting and theft. Knowing safe practices can help fans and attendees sidestep becoming victims of social engineering attacks, which cybercriminals can wage after gaining a foothold into exploited venue and event networks.
In addition to the recommendations below, the National Center for Spectator Sports Safety and Security offers these considerations for connected devices and integrated security for large venues.
Get more insights on common security challenges from Principal Group Manager Justin Turner, Microsoft Security Research.
Snapshot data represents the total number of entities and events monitored twenty-four-seven between November 10 and December 20, 2022. This includes organizations either directly involved in, or affiliated with, tournament infrastructure. Activity includes human-led proactive threat hunts to identify emerging threats and track notable campaigns.
Methodology: For snapshot data, Microsoft platforms and services, including Microsoft Extended Detections and Response, Microsoft Defender, Defender Experts for Hunting, and Azure Active Directory, provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the 65 trillion daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and our Compromise Security Recovery Practice and Detection and Response Teams. Cover art does not depict an actual soccer game, tournament, or individual sport. All sports organizations referenced are individually owned trademarks.