Securing Gold: Assessing Cyber Threats on Paris 2024

Sekoia.io reviews cyber operations against past Olympic Games and assesses likely threats to Paris 2024, highlighting state-sponsored sabotage, espionage, hacktivism, and opportunistic cybercrime. Key technical concerns include destructive wiper malware (e.g., Olympic Destroyer) that deletes backups and logs, lateral movement via PsExec and WMI, and ongoing risk from groups such as Sandworm and APT28. #OlympicDestroyer #Sandworm

Keypoints

  • Olympic events have been targeted since Beijing 2008 for espionage, sabotage and financial fraud, with Olympic Destroyer (PyeongChang 2018) as a high-profile destructive example.
  • Destructive wiper malware is increasingly used (deleting backups/logs), often by state-nexus intrusion sets like Sandworm and APT28.
  • Attack techniques observed include lateral movement using PsExec and WMI, worm-like automatic propagation, data exfiltration, and DDoS against websites and APIs.
  • Opportunistic cybercrime (phishing, typosquatting, fake ticketing/reseller sites, malicious apps) remains the most frequent threat vector against spectators and partners.
  • Ransomware/extortion threats (simple and double extortion, RansomDDoS) are rising, aided by RaaS ecosystems and data-leak sites.
  • Influence operations and coordinated hacktivism (DDoS/defacement/leaks) are used to amplify disruption and obscure attribution through false flags.

MITRE Techniques

  • [T1485] Data Destruction – Wiper malware used to erase critical data and backups: ‘deleting backup files, event logs, and attempting to lateralise across networks’
  • [T1021] Remote Services – Lateral movement leveraging remote management tools: ‘attempting to lateralise across networks using specific tools like PsExec & WMI’
  • [T1105] Ingress Tool Transfer – Worm-like automatic replication and propagation of destructive payloads: ‘destructive malware presented worm-specific automatic replication capabilities’
  • [T1566] Phishing – Mass and targeted phishing campaigns exploiting Olympics themes (ticketing, betting, travel): ‘phishing campaigns luring people over a chance to win free airline tickets’
  • [T1583.001] Acquire Infrastructure: Domain Registration – Typosquatted and lookalike domains used for fraud and credential theft: ‘domain addresses mimicking Paris 2024 themed legitimate ones’
  • [T1499] Endpoint Denial of Service – DDoS attacks against websites, APIs and apps to disrupt services and reputation: ‘DDoS attacks impacted websites of the Sochi airport, the sponsors … they were unavailable for several hours’
  • [T1041] Exfiltration Over C2 Channel – Theft of sensitive datasets from organisations (e.g., WADA athlete medical/test data): ‘Confidential medical data and test results of 41 athletes were exfiltrated from WADA’
  • [T1204] User Execution – Trojanized mobile/desktop apps used to deliver info-stealers and other payloads: ‘Trojanized apps mimicking legitimate ones … deliver malicious payloads’

Indicators of Compromise

  • [Malware families] Mentioned destructive and infostealer families – Olympic Destroyer, Lumma, BadRabbit, NotPetya, Prestige, BiBi, CaddyWiper, ZeroWipe (and other wipers)
  • [Threat actors / intrusion sets] State and nation-nexus groups referenced – Sandworm, APT28, Lazarus, Mustang Panda, Ember Bear, NoName057 (and other state-linked actors)
  • [Ransomware groups / data-leak platforms] Extortion operators cited – LockBit, Play ransomware, Mallox (and other ransomware/data-leak actors)
  • [Applications / mobile apps] Vulnerable or trojanized apps – My2022 (Chinese event app), fake/trojanized streaming or ticketing apps distributing Lumma infostealer
  • [Botnets / tools] DDoS and proxy infrastructure examples – RSOCKS, Cyclops Blink (botnet malware), DDoSia toolkit (and botnet-enabled proxy services)

State-nexus and criminal operators favor a combination of destructive and covert techniques. Destructive procedures center on wiper families that remove backups, logs and critical files, often delivered with worm-like propagation to multiply impact rapidly; investigative reporting described malware that had “worm-specific automatic replication capabilities” and purpose-built routines to delete backups and event logs. Lateral movement during these incidents commonly relied on native Windows remote administration tooling (PsExec and WMI) to reach other hosts and execute payloads, while exfiltration phases targeted sensitive databases (for example, WADA’s athlete test results) before or alongside sabotage. Detection and containment therefore require monitoring for unusual use of PsExec/WMI, rapid file-deletion patterns, unexpected high-volume lateral transfers, and anomalous outbound C2/exfiltration traffic.
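The detection requirements in that paragraph turned into working heuristics, as an added example that is not code from Sekoia or the original post: it labels process-creation events for PsExec and WMI-launched execution and for backup/log destruction commands, then correlates per host to flag remote execution that co-occurs with destruction and bursts of deletion. The event layout, host names and command lines are assumed, simplified stand-ins for Sysmon or EDR telemetry.

```python
from collections import defaultdict

# Command-line fragments that destroy backups or clear event logs (wiper behaviour).
DESTRUCTIVE = ("vssadmin delete shadows", "wbadmin delete catalog", "wevtutil cl ")
# Lateral-movement tooling named in the report: PsExec's service binary and the WMI provider host.
PSEXEC_IMAGES = {"psexec.exe", "psexesvc.exe"}
WMI_PARENT = "wmiprvse.exe"

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(parent, image, cmdline):
    """Labels for one process-creation event."""
    labels = set()
    if basename(image) in PSEXEC_IMAGES or basename(parent) in PSEXEC_IMAGES:
        labels.add("psexec")
    if basename(parent) == WMI_PARENT:
        labels.add("wmi")
    if any(p in cmdline.lower() for p in DESTRUCTIVE):
        labels.add("destruction")
    return labels

def detect(events, window=60, burst=3):
    """events: (host, seconds, parent, image, cmdline). Alert when remote execution and destructive
    commands co-occur on a host, or when `burst` destructive commands fall within `window` seconds."""
    labels_by_host, times_by_host = defaultdict(set), defaultdict(list)
    for host, t, parent, image, cmdline in events:
        labels = classify(parent, image, cmdline)
        labels_by_host[host] |= labels
        if "destruction" in labels:
            times_by_host[host].append(t)
    alerts = set()
    for host, labels in labels_by_host.items():
        if labels & {"psexec", "wmi"} and "destruction" in labels:
            alerts.add((host, "remote_exec_then_destruction"))
        t = sorted(times_by_host[host])
        if any(t[i + burst - 1] - t[i] <= window for i in range(len(t) - burst + 1)):
            alerts.add((host, "rapid_destructive_burst"))
    return sorted(alerts)

# Constructed sample telemetry (not real incident data): on WS01 the PsExec service spawns a shell
# that wipes shadow copies, the backup catalog and the System log within 15 seconds;
# WS02 only shows a WMI-launched, non-destructive command and must not alert.
SAMPLE_EVENTS = [
    ("WS01", 0, r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("WS01", 5, r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("WS01", 9, r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c wbadmin delete catalog -quiet"),
    ("WS01", 14, r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl System"),
    ("WS02", 0, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts for WS01 and none for WS02; in production the labels would be fed by real process-creation events and the thresholds tuned to the environment's backup schedule.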

Opportunistic monetization and access-gain techniques remain prevalent: mass phishing (campaigns themed around tickets, betting, and travel), typosquatted domains, and trojanized mobile/desktop apps delivering info-stealers like Lumma are primary infection vectors for credential and payment theft. Ransomware actors combine encryption with data theft (double extortion) and sometimes DDoS extortion (RansomDDoS) against service-facing endpoints such as ticketing APIs and transport apps; infrastructure acquisition via domain registration and botnet-enabled proxies amplifies these campaigns. Technical defenses should therefore include domain monitoring, app-store and binary vetting, anti-phishing controls, EDR capable of detecting credential theft and lateral movement, network segmentation to limit PsExec/WMI misuse, and immutable backups isolated from the primary network.
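An added example (not Sekoia's code) of the domain monitoring the paragraph recommends against typosquatted and lookalike registrations: it folds common homoglyph substitutions, measures edit distance to protected brand labels, and flags domains that embed the brand or sit on an unexpected TLD. The protected labels, allowlist and sample domains are constructed for illustration, not indicators from the report.

```python
import unicodedata

# Brand labels to protect (assumed examples, not an official list).
PROTECTED = ("paris2024", "olympics")
# Character swaps common in lookalike domains, folded on both sides before comparing.
HOMOGLYPHS = str.maketrans("0135@", "olesa")

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(label):
    """Drop non-ASCII lookalike letters (e.g. Cyrillic 'а') and undo digit-for-letter swaps."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return label.lower().translate(HOMOGLYPHS)

def sld(domain):
    """Second-level label: 'www.paris2024-tickets.com' -> 'paris2024-tickets'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def assess(domain, allowlist=("paris2024.org", "olympics.com"), max_distance=2):
    """None for allowlisted or unrelated domains, else (rule, matched_brand)."""
    if any(domain.lower() == a or domain.lower().endswith("." + a) for a in allowlist):
        return None
    folded = normalise(sld(domain)).replace("-", "")
    for brand in PROTECTED:
        b = normalise(brand)
        if b in folded and folded != b:
            return ("brand_embedded", brand)
        d = levenshtein(folded, b)
        if 0 < d <= max_distance:
            return ("lookalike_edit_distance_%d" % d, brand)
        if folded == b:
            return ("brand_on_unexpected_tld", brand)
    return None

def scan(domains, **kw):
    return {d: v for d in domains if (v := assess(d, **kw)) is not None}

# Constructed candidates, as a newly-registered-domain feed might deliver them (not real IoCs).
SAMPLE_DOMAINS = ["paris2024.org", "www.paris2024.org", "parls2024.org", "paris2024-tickets.com",
                  "paris2024.com", "p\u0430ris2024.org", "cycling-news.example"]
```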

Past incidents also illustrate operational deception and hybrid tactics—false-flag artifacts, public leak staging, and coordinated hacktivist DDoS/defacement used to distract incident responders—so telemetry correlation across endpoint, network and threat-intel sources is critical to distinguish noise from targeted sabotage. Prioritizing detection of data-destruction behaviors (mass deletion, backup tampering), rapid containment of remote-service abuse, and hardened recovery procedures will reduce the impact of both state-driven wipers and opportunistic ransomware/extortion operations during large events.

Read more: https://blog.sekoia.io/securing-gold-assessing-cyber-threats-on-paris-2024/