As the Winter Olympics approach, reports indicate that cybercriminals will seek to take advantage of the heightened activity. Whether from nation-state operatives or petty actors, organizations may see an increase in threat activity.

Attacks could come from, but are not limited to, the following:

• Ransomware gangs, seeking financial gain
• Hacktivists, who want disruption 
• Nation-state groups, pursuing espionage

While attacks may vary, many will overlap. Common techniques security leaders should watch for include phishing, DDoS attacks, software/API vulnerabilities and previously compromised credentials. 

CISOs Discuss Winter Olympic Cyber Threats 

Randolph Barr, Chief Information Security Officer at Cequence Security:

The biggest risks to large events like the Olympics don’t come from new exploits. Instead, they originate from people misusing legitimate apps, identities and corporate processes. Phishing, impersonation, and automated misuse are becoming more prevalent techniques for attackers to gain access that seems legitimate, especially when thousands of employees, partners, and vendors are working together on systems they don’t know well and have tight deadlines. When there are large events, access levels are often elevated for a short period, apps and APIs are used to their fullest, and security teams are focused on keeping systems available than protected. This makes it tougher to spot slight abuse.

When attackers gain access, they usually don’t use malware or other dangerous behaviors to wreak damage; instead, they use trusted access. This involves taking over an account, abusing sessions and tokens, scraping automatically, perpetrating fraud, and staying in the environment for a long time. These things usually become part of everyday business and can go on for weeks or months without triggering standard security procedures that are supposed to stop intrusions, not misuse.

If businesses can observe how apps and APIs are being used in real time and know when things aren’t working as expected, they can prevent a lot of these dangers. If you have controls that can discover abnormal usage patterns, block automated abuse, and stop replaying credentials or tokens, you can stop assaults before they affect your business or lose you money. Security procedures that keep transactions and workflows safe are much more crucial when attackers are looking to compromise trust.

The 2024 example in which an employee was tricked into paying roughly $25 million through an AI-generated deepfake online conference shows how easy it can be, even in areas where there don’t seem to be any security weaknesses. People are more prone to trust attacks like this during large events like the Olympics because they are used to and expect odd, urgent demands.

Businesses that support the Olympics should keep in mind that securing infrastructure is equally as vital as protecting identities and applications when they design an event. Some of the trickiest attacks to identify are those that leverage trusted users, systems and workflows. 

Rex Booth, Chief Information Security Officer at SailPoint:

Attacks targeting these events are rarely “smash and grab” style operations; instead, they are calculated and methodical. As the report notes, attackers often compromise credentials, gain access to systems, and quietly collect data over extended periods of time, remaining undetected.

Any high-profile event, like the Winter Olympics, becomes a magnet for cybercriminals and fraudsters eager to exploit the enthusiasm of fans and the complexity of the event’s digital infrastructure. While digital ticketing has largely suppressed traditional scalping, it hasn’t eliminated the risk of scams. Fraudsters are adept at creating authentic-looking imitations to separate victims from their money. The responsibility lies with venues and event organizers to not only secure initial ticket transactions but also provide safe and authorized resale options. Without these safeguards, scammers can easily exploit desperate fans.

The worst-case scenario for victims isn’t just buying a fake ticket, it’s the compromise of their sensitive credentials or bank accounts. Sharing account information in the hope of securing an in-demand ticket can lead to devastating financial losses. Fans should remain vigilant: if anyone asks for sensitive details, it’s a scam. Walk away.

The Olympic organizers have also created a significant repository of sensitive personal information. This data is a prime target for both cybercriminals and nation-state actors, particularly those tracking diplomatic attendees. The organizers must ensure the security of this data not only during the event but for years afterward, as the risks don’t disappear when the Games end.

High-profile events like the Olympics tend to attract attackers looking to make a statement. The objective of making a big impact sometimes means using different tactics than, say, corporate espionage where you want to go unnoticed both on the way in and the way out. Organizers and defenders need to be on the lookout for threats that are oriented for maximal exposure and disruption rather than stealth and targeted objectives.

How Security Leaders Can Protect the Organization

“The same advice rings true for the Olympics as it does any other time of the year: if it sounds too good to be true, it probably is,” says Trey Ford, Chief Strategy and Trust Officer at Bugcrowd. 

In addition to safeguarding against specific techniques such as phishing or DDoS attacks, security leaders can bolster their organization’s defenses by engaging with one of their greatest assets: their people. 

Reminding employees of fundamental cyber-safe practices as well as enacting awareness training can support the organization’s security. Below, Ford provides a few reminders security leaders can impart to their organizations. 

“We all love a good deal, but take care in where you try to make purchases online. Buying from reputable sources (whether tickets, merchandise, or anything else) is the only way to avoid credit card theft and counterfeit products,” he states. “I believe that most people have learned not to enter credit cards into shady websites, and we should all think twice before giving away our email address and cell phone numbers. Never install applications after clicking an advertising link, especially when it came from trying to buy tickets or sports merchandise. Most of this fraud should clearly take place outside of the workplace. Ultimately, we should all avoid conducting personal business on our work accounts.” 

Through preparedness, awareness and resiliency, organizations can band together to make these Winter Olympics a cybersecurity success story.