Mandiant assesses with high confidence that Russia poses the most significant threat to the Paris Olympics, spanning cyber espionage, disruptive and destructive operations, and information operations. Organizations should update their threat profiles, conduct security awareness training, and account for travel-related cyber risks; the security community is nonetheless better prepared than it was for previous Games. #APT44 #Doppelganger
Key points
- Russia is identified as the highest-risk state actor for the Paris 2024 Olympics, with other states like China, Iran, and North Korea posing moderate to low risk.
- Threats could impact event organizers, sponsors, ticketing, Paris infrastructure, and travelers attending or traveling to the Games.
- Threat categories include cyber espionage, disruptive/destructive operations (defacement, DDoS, wiper malware, OT targeting), information operations, and financially motivated activity.
- Historical activity highlights include APT44’s Android campaign before the 2018 Winter Games in PyeongChang and the broader Doppelganger information operations campaign.
- Information operations and hacktivism, including pro-Russian narratives, are a notable concern; specific campaigns and groups are highlighted (e.g., Anonymous Sudan, NoName057(16), Ghostwriter).
- Financially motivated threats—ransomware, extortion, ticket scams, and lure material—are anticipated to intensify around Olympic-related activity.
- Mitigation emphasizes updating threat profiles, threat hunting, security awareness, travel risk planning, and communications mitigation strategies.
MITRE Techniques
- [T1566] Phishing – Credential phishing used to harvest credentials and enable campaigns. Quote: “The activity included credential phishing, and distribution of Windows, MacOS, and Android malware.”
- [T1195] Supply Chain Compromise – Trojanized Android apps published to the Play Store to deliver a mobile implant. Quote: “In the Android campaign, APT44 obtained legitimate copies of Android applications popular in South Korea, modified them to add a custom mobile implant, and then published the trojanized apps to the Play Store.”
- [T1119] Automated Collection – CHEMISTGAMES implant described as designed for gathering data at scale. Quote: “The implant, CHEMISTGAMES, was a modular framework designed for gathering data at scale.”
- [T1499] Network Denial of Service – Disruptive campaigns include DDoS attacks. Quote: “website defacements, distributed denial of service (DDoS) attacks, …”
- [T1485] Data Destruction – Deployment of wiper malware as part of destructive campaigns. Quote: “the deployment of wiper malware, and operational technology (OT) targeting.”
Indicators of Compromise
- [Domain] Doppelganger inauthentic domains and social media accounts – Domains and accounts promoted across platforms to circulate pro-Russian narratives; no specific domain names or account handles are listed in this summary.
- [Malware] CHEMISTGAMES – Modular Android implant, embedded in trojanized apps and designed to gather data at scale.
- [Application] Trojanized Android apps from Google Play – Example apps modified for implants; examples include a bus timetable app and an app for checking apartment rental prices.
- [Threat Actor] APT44 – Android campaign and CHEMISTGAMES infrastructure described as linked to APT44.
- [Threat Actor] UNC4057 (COLDRIVER) – Described as a risk cluster associated with Russian information operations.
Read more: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics/