The Paris Olympics’ One Sure Thing: Cyberattacks
In his office on one of the upper floors of the headquarters of the Paris Olympic organizing committee, Franz Regul has no doubt what is coming.
“We will be attacked,” said Mr. Regul, who leads the team responsible for warding off cyberthreats against this year’s Summer Games in Paris.
Companies and governments around the world now all have teams like Mr. Regul’s that operate in spartan rooms equipped with banks of computer servers and screens with indicator lights that warn of incoming hacking attacks. In the Paris operations center, there is even a red light to alert the staff to the most severe danger.
So far, Mr. Regul said, there have been no serious disruptions. But as the months until the Olympics tick down to weeks and then days and hours, he knows the number of hacking attempts and the level of risk will rise exponentially. Unlike companies and governments, though, who plan for the possibility of an attack, Mr. Regul said he knew exactly when to expect the worst.
“Not many organizations can tell you they will be attacked in July and August,” he said.
Worries over security at major events like the Olympics have usually focused on physical threats, like terrorist attacks. But as technology plays a growing role in the Games rollout, Olympic organizers increasingly view cyberattacks as a more constant danger.
The threats are manifold. Experts say hacking groups and countries like Russia, China, North Korea and Iran now have sophisticated operations capable of disabling not just computer and Wi-Fi networks but also digital ticketing systems, credential scanners and even the timing systems for events.
Fears about hacking attacks are not just hypothetical. At the 2018 Pyeongchang Winter Olympics in South Korea, a successful attack nearly derailed the Games before they could begin.
That cyberattack started on a frigid night as fans arrived for the opening ceremony. Signs that something was amiss came all at once. The Wi-Fi network, an essential tool to transmit photographs and news coverage, suddenly went down. Simultaneously, the official Olympics smartphone app — the one that held fans’ tickets and essential transport information — stopped functioning, preventing some fans from entering the stadium. Broadcast drones were grounded and internet-linked televisions meant to show images of the ceremony across venues went blank.
But the ceremony went ahead, and so did the Games. Dozens of cybersecurity officials worked through the night to repel the attack and to fix the glitches, and by the next morning there was little sign that a catastrophe had been averted when the first events got underway.
Since then, the threat to the Olympics has only grown. The cybersecurity team at the last Summer Games, in Tokyo in 2021, reported that it faced 450 million attempted “security events.” Paris expects to face eight to 12 times that number, Mr. Regul said.
Perhaps to demonstrate the scale of the threat, Paris 2024 cybersecurity officials use military terminology freely. They describe “war games” meant to test specialists and systems, and refer to feedback from “veterans of Korea” that has been integrated into their evolving defenses.
Experts say a variety of actors are behind most cyberattacks, including criminals trying to hold data in exchange for a lucrative ransom and protesters who want to highlight a specific cause. But most experts agree that only nation states have the ability to carry out the biggest attacks.
The 2018 attack in Pyeongchang was initially blamed on North Korea, South Korea’s antagonistic neighbor. But experts, including agencies in the U.S. and Britain, later concluded that the true culprit — now widely accepted to be Russia — deliberately used techniques designed to pin the blame on someone else.
This year, Russia is once again the biggest focus.
Russia’s team has been barred from the Olympics following the country’s 2022 invasion of Ukraine, although a small group of individual Russians will be permitted to compete as neutral athletes. France’s relationship with Russia has soured so much that President Emmanuel Macron recently accused Moscow of attempting to undermine the Olympics through a disinformation campaign.
The International Olympic Committee has also pointed the finger at attempts by Russian groups to damage the Games. In November, the I.O.C. issued an unusual statement saying it had been targeted by defamatory “fake news posts” after a documentary featuring an A.I.-generated voice-over purporting to be the actor Tom Cruise appeared on YouTube.
Later, a separate post on Telegram — the encrypted messaging and content platform — mimicked a fake news item broadcast by the French network Canal Plus and aired false information that the I.O.C. was planning to bar Israeli and Palestinian teams from the Paris Olympics.
Earlier this year, Russian pranksters — impersonating a senior African official — managed to get Thomas Bach, the I.O.C. president, on the phone. The call was recorded and released earlier this month. Russia seized on Mr. Bach’s remarks to accuse Olympic officials of engaging in a “conspiracy” to keep its team out of the Games.
In 2019, according to Microsoft, Russian state hackers attacked the computer networks of at least 16 national and international sports and antidoping organizations, including the World Anti-Doping Agency, which at the time was poised to announce punishments against Russia related to its state-backed doping program.
Three years earlier, Russia had targeted antidoping officials at the Rio de Janeiro Summer Olympics. According to indictments of several Russian military intelligence officers filed by the United States Department of Justice, operatives in that incident spoofed hotel Wi-Fi networks used by antidoping officials in Brazil to successfully penetrate their organization’s email networks and databases.
Ciaran Martin, who served as the first chief executive of Britain’s national cybersecurity center, said Russia’s past behavior made it “the most obvious disruptive threat” at the Paris Games. He said areas that might be targeted included event scheduling, public broadcasts and ticketing systems.
“Imagine if all athletes are there on time, but the system scanning iPhones at the gate has gone down,” said Mr. Martin, who is now a professor at the Blavatnik School of Government at the University of Oxford.
“Do you go through with a half-empty stadium, or do we delay?” he added. “Even being put in that position where you either have to delay it or have world-class athletes in the biggest event of their lives performing in front of a half-empty stadium — that’s absolutely a failure.”
Mr. Regul, the Paris cybersecurity head, declined to speculate about any specific nation that might target this summer’s Games. But he said organizers were preparing to counter methods specific to countries that represent a “strong cyberthreat.”
This year, Paris organizers have been conducting what they called “war games” in conjunction with the I.O.C. and partners like Atos, the Games’ official technology partner, to prepare for attacks. In those exercises, so-called ethical hackers are hired to attack systems in place for the Games, and “bug bounties” are offered to those who discover vulnerabilities.
Hackers have previously targeted sports organizations with malicious emails, fictional personas, stolen passwords and malware. Since last year, new hires at the Paris organizing committee have undergone training to spot phishing scams.
“Not everyone is good,” Mr. Regul said.
In at least one case, a Games staff member paid an invoice to an account after receiving an email impersonating another committee official. Cybersecurity staff members also discovered an email account that had attempted to impersonate the one assigned to the Paris 2024 chief, Tony Estanguet.
Millions more attempts are coming. Cyberattacks have typically been “weapons of mass irritation rather than weapons of mass destruction,” said Mr. Martin, the former British cybersecurity official.
“At their worst,” he said, “they’ve been weapons of mass disruption.”