Tokyo 2020: The dark web is hacker gold


If the sophisticated cyberattacks on the 2018 Winter Olympics in Seoul, whose details only recently came to light, are any indication, the 2020 Summer Olympics in Tokyo will be cyber honey to legions of well-equipped, experienced, and possibly state-funded targeted-attack flies.

About the author

David Carmiel, CTO, KELA Group

Long before the age of the Internet, Chinese philosopher Sun Tzu claimed that “…what enables the wise sovereign and the good general to strike and conquer…is foreknowledge.” To gain this foreknowledge in the lead-up to Tokyo, cyber reconnaissance needs to focus on the murky, subversive underground that is the dark web. Here’s how easy it is for hackers to find, purchase, and use tools and services that can literally wreak mayhem – and what Olympic stakeholders can do about it.

What’s for Sale?

The tools and data available on the dark web threaten everyone associated with the Tokyo Olympics: international fans and the companies that serve them (such as airlines and hotels), athletes and their sports associations, the host city with its critical and sporting infrastructure, and even the International Olympic Committee (IOC) itself, with its databases of event results, personal details, and all the other resources it commands.

What treasures can hackers find on the dark web, how have these been used in the past, and what might threat actors be planning for Tokyo this summer? Here are the top four threats that KELA’s research team has been monitoring recently on the dark web:

FOR SALE: Access to botnet-infected devices and the accounts on them

Accounts harvested from botnet-infected devices give a buyer access to the device owner's personal data, data about third parties, or sensitive customer data, any of which can be a stepping stone to more sophisticated attacks that threaten the games.

By way of example, we've seen access to botnet-infected machines inside major brand-name ticket-selling platforms for sale on the dark web. A hacker gaining such access would easily be able to steal PII or payment card data from ticket holders. We've also seen botnet access to major Games sponsors, and even the IOC, for sale on the dark web.

FOR SALE: Network vulnerabilities in Olympic IT infrastructure

If exploited, vulnerabilities in specific Olympic-related IT infrastructure can form part of a destructive campaign, enabling harm against critical networks or commercial interests during the games.

In past Olympic Games, cyberattacks have largely originated with vulnerabilities like open ports, outdated security schemes or unpatched servers. The incidents in the 2018 Seoul games, for example, were related to network vulnerabilities. And in the 2016 Rio de Janeiro Summer Olympics, Anonymous posted entire databases of network vulnerabilities online, encouraging activists to attack. Today, too, we’re seeing threat actors offering detailed scans of various Olympic-related networks on the dark web, including highlights of vulnerabilities found in these networks.

FOR SALE: Leaked credentials of Olympic employees or contractors

Leaked credentials let threat actors impersonate legitimate and trusted Olympic-related entities such as employers, send phishing emails that harvest sensitive athlete or Games details, or serve as leverage for extortion.

During the Rio games, Anonymous leaked personal, financial and login details from local Brazilian sports confederations, including passwords and credentials of registered users. That same year, the FancyBear hacking group leaked World Anti-Doping Agency (WADA) documents and databases containing sensitive athlete medical information, which originated from a credential theft. More recently, during Japan's Rugby World Cup 2019, we discovered numerous leaked Rugby World Cup-related personnel credentials on the dark web, the majority of which contained either a hashed or plaintext password.
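When a credential dump like the one described above surfaces, the first defensive question is which accounts need an immediate forced reset: a plaintext or fast unsalted hash is usable almost at once, while a slow salted hash buys some time. The following triage script is an added example, not KELA's tooling or anything from the original article; the leak lines, domain and hash values are constructed placeholders, and the hash-format patterns cover only a handful of common schemes.

```python
import re
from collections import Counter

# Constructed sample of "user:secret" records as found in a leak dump.
# Domain, users and secrets are invented for this example.
SAMPLE_LEAK = """\
alice@example-rugby.test:5f4dcc3b5aa765d61d8327deb882cf99
bob@example-rugby.test:$2b$12$KIXQ3Z9u0Dj1V9YlYqX5beYk9xqGZ4fZ6hZ3Q9c0bYx8HhW2kK1zG
carol@example-rugby.test:Summer2019!
dave@example-rugby.test:$6$rounds=5000$saltsalt$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdef
erin@example-rugby.test:da39a3ee5e6b4b0d3255bfef95601890afd80709
frank@example-rugby.test:not-hashed-either
"""

# Recognisable hash formats, checked in order. A secret matching none of them is
# treated as plaintext, the worst case for the account owner. A plaintext password
# that happens to be 32 or 40 hex characters would be misclassified; rare, but possible.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt", re.compile(r"^\$6\$")),
    ("sha256crypt", re.compile(r"^\$5\$")),
    ("md5crypt", re.compile(r"^\$1\$")),
    ("sha1-hex", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha256-hex", re.compile(r"^[0-9a-f]{64}$", re.I)),
]

# Formats a buyer can turn into a working password quickly: no hash at all,
# or an unsalted fast hash that is trivially looked up or brute-forced.
URGENT_KINDS = {"plaintext", "md5-hex", "sha1-hex", "sha256-hex"}


def classify_secret(secret: str) -> str:
    """Name the hash format of one secret, or 'plaintext' if none matches."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(secret):
            return name
    return "plaintext"


def triage_leak(dump: str):
    """Parse user:secret lines; return ([(user, kind), ...], Counter of kinds)."""
    records = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blanks and malformed lines rather than guessing
        user, secret = line.split(":", 1)  # secrets may themselves contain ':'
        records.append((user.strip(), classify_secret(secret.strip())))
    return records, Counter(kind for _, kind in records)


def reset_priority(records):
    """Users whose secret is plaintext or an unsalted fast hash, in dump order."""
    return [user for user, kind in records if kind in URGENT_KINDS]


if __name__ == "__main__":
    recs, summary = triage_leak(SAMPLE_LEAK)
    print("formats seen:", dict(summary))
    print("reset first:", reset_priority(recs))
```

In practice the output feeds a forced-reset and notification workflow; every account in the dump should still be reset eventually, the priority list only orders the work.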

FOR SALE: Olympic-themed phishing sites and lookalike domains

Phishing sites or lookalike domains can be used to gather the personal or financial information of anyone who enters them, either for credential theft or to install malware on their computers.

In the Rio Olympics, hackers created a fake IOC intranet portal, so that when employees tried to log in their credentials were immediately stolen and used to access the real portal. During Japan's Rugby World Cup, we identified dozens of phishing sites and lookalike domains, and on the dark web we're seeing an increasing number of threat actors offering 2020 Olympic-related lookalike sites and phishing services.
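Spotting lookalike domains of the kind described above is largely a matter of folding the common tricks (digits for letters, "rn" for "m", Cyrillic or Greek letters that render like Latin ones) and then comparing against a short list of protected brands. The script below is an added example, not the monitoring used by the article's authors; the brand list, the allow-list of owned domains and the sample feed of registrations are all constructed placeholders under the `.example` TLD, and the confusable table covers only a few characters.

```python
import unicodedata
from difflib import SequenceMatcher

# Brand labels to protect; constructed placeholders, not a real watch-list.
PROTECTED_BRANDS = ["olympics", "tokyo2020"]
# Domains the organisation actually owns (constructed); these are never flagged.
KNOWN_GOOD = {"tokyo2020.example", "olympics.example"}

# Letters from other scripts that render like Latin ones (Cyrillic a/e/o/p/c/x,
# Greek omicron/nu). Unicode normalisation does not fold these, so map them by hand.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u03bf": "o", "\u03bd": "v",
}
# Multi-character tricks ("rn" for "m", "vv" for "w") and digit-for-letter swaps.
MULTI_SUBS = [("rn", "m"), ("vv", "w")]
DIGIT_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_label(label: str) -> str:
    """Fold a domain label to a canonical form so visually similar labels compare equal."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in folded if not unicodedata.combining(c)).lower()
    for src, dst in CONFUSABLES.items():
        folded = folded.replace(src, dst)
    for src, dst in MULTI_SUBS:
        folded = folded.replace(src, dst)
    return folded.translate(DIGIT_SUBS)


def registrable_label(domain: str) -> str:
    """Second-level label: 'a.b.example' -> 'b' (no public-suffix list, deliberately simple)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_score(domain: str, brand: str) -> float:
    """1.0 = identical after folding; 0.95 = brand embedded in a longer label;
    otherwise a difflib similarity ratio in [0, 1]."""
    label = normalize_label(registrable_label(domain))
    target = normalize_label(brand)
    if label == target:
        return 1.0
    if target in label.replace("-", ""):
        return 0.95
    return SequenceMatcher(None, label, target).ratio()


def flag_lookalikes(domains, brands=PROTECTED_BRANDS, known_good=KNOWN_GOOD, threshold=0.8):
    """Return (domain, closest brand, score) for every domain scoring at or above the threshold."""
    hits = []
    for domain in domains:
        if domain.lower() in known_good:
            continue
        brand, score = max(((b, lookalike_score(domain, b)) for b in brands),
                           key=lambda pair: pair[1])
        if score >= threshold:
            hits.append((domain, brand, round(score, 2)))
    return hits


# Constructed feed, as a newly-registered-domains log might supply it (not real registrations).
SAMPLE_DOMAINS = [
    "tokyo2020.example",           # our own domain, on the allow-list
    "t0kyo2020-tickets.example",   # digit for letter plus an added word
    "olyrnpics.example",           # "rn" standing in for "m"
    "\u03bflympics.example",       # Greek omicron in place of Latin "o"
    "olympic-shop.example",        # brand stem with an extra word
    "weather.example",             # unrelated
]

if __name__ == "__main__":
    for domain, brand, score in flag_lookalikes(SAMPLE_DOMAINS):
        print(f"{domain:32} ~ {brand:10} score={score}")
```

Hits from a script like this are a starting point for the takedown process the article recommends; a registrar abuse report still needs evidence that the site is actually phishing, so flagged domains should be checked before action is taken.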

What Can Be Done?

Organizers, suppliers, and ticketholders need to be wary of the massive threats facing events of this scale and act accordingly, and immediately. The actions that need to be taken are, for the most part, well known, yet sadly not always implemented.

For example, Olympic organizers and suppliers should ensure that all technologies used in all systems are up to date. Patch all existing vulnerabilities, an action that seems intuitive, yet we've seen lists of vulnerabilities posted on the dark web based on recent scan logs of Olympic-related sites. Close any ports that don't need to be open, switch to more secure ports, or hide sensitive ports behind a VPN or a WAF (Web Application Firewall). Monitor for and take down any malicious domains found.
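The hygiene items in the paragraph above (patch, close unneeded ports, keep admin and data services behind the VPN) can be expressed as policy and checked automatically against a service inventory, so that the same exposures the dark-web scan lists would highlight are found first by the defender. The audit below is an added example, not the authors' or any project's code; the inventory, hostnames, allowed ports, VPN-only service list and version baselines are all constructed placeholders, and the version parser is intentionally simple.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str            # protocol or service as recorded in the inventory
    product: str         # software behind it
    version: str         # version string as reported
    reachable_from: str  # "internet", "vpn" or "internal"


# Policy as data; every value here is a constructed placeholder, not a real baseline.
PUBLIC_ALLOWED_PORTS = {443}                             # only TLS web traffic faces the internet
VPN_ONLY_SERVICES = {"ssh", "rdp", "mysql", "postgres"}  # admin and data planes stay behind the VPN
MINIMUM_VERSIONS = {"openssh": (8, 2), "nginx": (1, 18, 0)}  # patched baselines (placeholders)


def parse_version(version: str) -> tuple:
    """'8.2p1' -> (8, 2, 1); tuples compare element-wise, enough for a baseline check."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(inventory):
    """Return (host, port, action, reason) tuples for every policy breach found."""
    findings = []
    for svc in inventory:
        exposed = svc.reachable_from == "internet"
        if exposed and svc.name in VPN_ONLY_SERVICES:
            findings.append((svc.host, svc.port, "move-behind-vpn",
                             f"{svc.name} is reachable from the internet"))
        elif exposed and svc.port not in PUBLIC_ALLOWED_PORTS:
            findings.append((svc.host, svc.port, "close-port",
                             f"port {svc.port} is not on the public allow-list"))
        baseline = MINIMUM_VERSIONS.get(svc.product)  # unknown products are not judged
        if baseline and parse_version(svc.version) < baseline:
            findings.append((svc.host, svc.port, "outdated",
                             f"{svc.product} {svc.version} is below baseline {baseline}"))
    return findings


# Constructed inventory, as a scan or CMDB export might describe it; hosts are placeholders.
INVENTORY = [
    Service("tickets-web.example", 443, "https", "nginx", "1.18.0", "internet"),
    Service("tickets-web.example", 8080, "http", "nginx", "1.14.0", "internet"),
    Service("results-db.example", 3306, "mysql", "mysql", "8.0.19", "internet"),
    Service("bastion.example", 22, "ssh", "openssh", "7.4p1", "vpn"),
    Service("intranet.example", 443, "https", "nginx", "1.18.0", "vpn"),
]

if __name__ == "__main__":
    for host, port, action, reason in audit(INVENTORY):
        print(f"{host}:{port}  {action:16} {reason}")
```

Run against a real inventory, the "move-behind-vpn" and "close-port" findings map directly to firewall or load-balancer changes, while "outdated" findings feed the patch queue; re-running the audit after each change confirms the exposure is gone.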

Games organizers need to take immediate, public and far-reaching measures to educate athletes, fans and other stakeholders about the safety measures that should be taken before, during, and after the games. All Games stakeholders should use two-factor authentication whenever possible on ticketing sites. Olympic employees and contractors should be briefed on proper cyber hygiene, such as not saving passwords in their browsers. And all Games-related organizations should install software capable of detecting malicious fingerprint plugins, along with strong antivirus software, to prevent malware infections.

Not all cyberattacks are preventable. Yet much of the vast amount of information easily accessible today on the dark web would not be there if the above, and other, simple precautions had been taken to deny hackers their taste of Olympic gold.

David Carmiel

David Carmiel is the Chief Technology Officer (CTO) at KELA Group.

KELA Targeted Cyber Intelligence is a global leader in the threat intelligence market, providing solutions and support in monitoring and preventing potential cyber-attacks for enterprises and government clients.

KELA provides intelligence by using an automated technology, which monitors a curated set of Darknet sources, providing fully targeted, actionable intelligence. All threats are analyzed and qualified by KELA's analysts, ensuring all intelligence is 100% actionable.