Fielding Threats: Cyber, Influence, and Physical Threats to the 2022 FIFA World Cup in Qatar | Recorded Future

Recorded Future’s Insikt Group analyzes the threat landscape around the 2022 FIFA World Cup in Qatar, covering state-sponsored cyber operations, cybercrime, influence operations, and physical security threats. The assessment identifies no imminent disruptive cyber attacks but notes that espionage and influence activities are plausible, and advises attendees to take enhanced digital precautions.

Key points

  • No imminent, planned, or ongoing state-sponsored cyber operations targeting the 2022 FIFA World Cup were identified, but foreign intelligence gathering remains a likely activity in a target-rich environment.
  • Russia has the strongest motivation to disrupt the event, but is likely focused on the war in Ukraine, with possible tacit support for disruptive actions by proxy groups.
  • Iran, China, and North Korea are considered unlikely to mount disruptive attacks; their influence and espionage efforts are more probable, with Endless Mayfly cited as a past example of Iran-led influence activity.
  • Cybercriminals are expected to continue tournament-related phishing, rogue ticket and credential theft, counterfeit tickets, fake apps, and opportunistic ransomware.
  • Influence operations are likely to stress Qatar’s relations with Western countries and highlight bilateral ties with Iran and Russia, leveraging state media to shape perceptions.
  • Qatar’s security posture is strengthened by significant internal and international support, including from the US, UK, France, Italy, Türkiye, and Pakistan, with an emphasis on preparations to mitigate unmanned aerial systems (UAS).

MITRE Techniques

  • [T1566] Phishing – Tournament-related phishing attacks use various lures to collect PII or distribute malware. Quote: “cybercriminal threats include, but are not limited to: fake mobile applications around the event that can distribute malware and harvest user data; … ransomware attacks that would likely seek to opportunistically target victims based on accessibility, opportunity, and factors such as the ability to pay large ransom amounts.”
  • [T1036] Masquerading – Fraudulent mobile applications around the event that impersonate legitimate ones. Quote: “fake mobile applications around the event that can distribute malware and harvest user data.”
  • [T1078] Valid Accounts – Credential leaks and use of compromised credentials to access systems. Quote: “credential leaks for 14 unique *@qatar2022[.]qa email addresses … including 8 unique email addresses with associated passwords.”
  • [T1583] Acquire Infrastructure – Dark web markets and services used to obtain credentials and access. Quote: “Genesis Store sells packages of compromised account credentials and associated user data designed to allow threat actors to bypass anti-fraud solutions.”
  • [T1552.001] Credentials in Files – Leaked credentials across dumps enable initial access and fraud. Quote: “credential leaks … including 8 unique email addresses with associated passwords” (within dumps such as GoNitro, Cit0day, etc.).
  • [T1486] Data Encrypted for Impact – Opportunistic ransomware targeting; attackers may pick victims based on payoff potential. Quote: “ransomware attacks … based on accessibility, opportunity, and factors such as the ability to pay large ransom amounts.”

Indicators of Compromise

  • [Domain] Typosquat/impersonation domains – fifa[.]com typosquat domains; qatar2022[.]qa; qatar2022[.]pro; hayyar[.]qatar2022[.]qa
  • [Credential] Stolen credentials in data dumps – 14 unique *@qatar2022[.]qa emails; 8 with associated passwords
  • [Credential Dump] Public data dumps containing credentials – GoNitro Database Dump, Cit0day Dump, ShareThis Data Dump, Zynga Data Dump, Dropbox Credential Dump, Qatar National Bank Data Dump
  • [Dark Web] Credential/ticket marketplaces – Russian Market (credentials/logs), Genesis Store (bot with credentials, IP, browser fingerprint), 2easy Shop (stealer logs)
  • [Domain] Official ticket and Hayya-related domains – tickets[.]fifa[.]com, hayyar[.]qatar2022[.]qa
  • [Malware] Fileless/malicious app indicators – Gold Dragon (noted in past Olympic targeting)

Read more: https://www.recordedfuture.com/fielding-cyber-influence-and-physical-threats-to-2022-fifa-world-cup-in-qatar