The World Cup is providing cybersecurity threat actors with a unique opportunity to breach systems and cause disruptions on a global stage.
Goooooooooooooooooal! The World Cup is kicking off (no pun intended) and with it comes a wave of excitement around the globe. This year boasts the largest World Cup ever, played across three countries. Eleven US cities, three Mexican cities, and two Canadian cities will serve as hosts to 48 teams from around the world. While the tournament is battled out on the pitch, hosting cities and local businesses will be facing a different struggle in the cyber realm. Major sports events like the World Cup or the Olympics create both a massive attack surface and a massive target for malicious actors. Organizations like FIFA have the finances and resources to defend themselves well against cyber attackers, but municipal governments and regional businesses don’t have the same capacity — and attackers know it.
To make matters worse, the World Cup is arriving at a time when the cyber threat environment is already particularly precarious, with cybercriminals, nation-states, and hacktivists all using AI to develop, design, and orchestrate cyber operations. These same groups will be looking to take advantage of the World Cup in their own ways to achieve their goals. One point applies across every threat these organizations face: phishing will be the common factor. Cyber threat actors of every kind will almost certainly use World Cup-related lures to get victims to interact with their initial attack vector, whether that is email, vishing, or another social engineering effort. But let's take a deeper look at what host cities and local businesses will be facing and what they can do to protect themselves.
Host cities and their associated services, including transportation and critical infrastructure, face the most severe threat environment, with criminals, countries, and hacktivists all likely to target them. Iran and its associated threat actors, including patriotic hacktivists, have a history of defacing municipal websites (i.e., posting politically charged or malicious messages on the webpage), and the combination of the World Cup's high profile and the ongoing war only makes host cities' websites more appealing targets. Disruption of critical infrastructure, in particular transportation, is also a concern: cybercriminals are likely to time ransomware attacks to the tournament, betting that a host city under heightened scrutiny will feel more pressure to pay quickly to resolve the issue. Finally, cities may face hack-and-leak attacks, in which threat actors (particularly nation-states or hacktivists) gain access to restricted systems, exfiltrate private and/or sensitive data, and release it publicly in an attempt to embarrass and/or punish the host nation.
Local businesses are most likely to be targeted by cybercriminals, who will use World Cup-themed phishing lures to deliver infostealers, ransomware, or other malware during a period when these organizations are seeking to maximize their engagement with a highly lucrative event. Nation-states will present less of a direct threat to these businesses, though they can't be discounted: smaller organizations are often viewed as access points back into larger targets, in particular critical infrastructure.
So how can municipalities and businesses protect themselves against these threats? First and foremost, education is key. Making employees aware of the increased risk, and making sure they appreciate it, is an excellent first step, including warning them to be extra cautious about phishing attempts (especially those using World Cup-themed lures). Keeping systems patched to the latest versions is important as well, as threat actors will be seeking to take advantage of unpatched vulnerabilities as an entry point. Finally, organizations should ensure their credential policies enforce complex, unique passwords for each account and multifactor authentication whenever possible, preferably a phishing-resistant form such as FIDO2 security keys or passkeys, since the same lures that harvest passwords can harvest one-time codes. When it comes to cybersecurity, the basics are still the best protection, even in (and ESPECIALLY in) a heightened threat environment.
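To make the phishing point concrete, here is an added example of the kind of mail-triage logic a small security team could run over inbound messages during the tournament. It is not code from the original post or from LastPass; the sample messages are constructed, fifa.com is used as an illustrative brand domain, and hostcity.example stands in for a real host-city domain. It flags World Cup-themed subjects, urgency language, and sender or link domains that imitate a trusted brand (brand label embedded in an unrelated host, or a host within a couple of edits of the real domain), while letting mail from the genuine domain and its subdomains through.

```python
import re
from urllib.parse import urlparse

# Illustrative trusted domains that lures will imitate. hostcity.example is a
# placeholder (assumption); replace with your own city/vendor domains.
BRAND_DOMAINS = ["fifa.com", "hostcity.example"]

KEYWORD_RE = re.compile(r"\b(world cup|fifa|tickets?|match|stadium|fan id)\b")
URGENCY_RE = re.compile(r"\b(urgent|expires?|last chance|act now|immediately)\b")


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, brand):
    """True if host imitates brand but is not brand itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    if host == brand or host.endswith("." + brand):
        return False  # the real domain, or a subdomain of it
    label = brand.split(".")[0]
    # Brand label embedded in an unrelated host, e.g. fifa-2026-tickets.com or
    # login.hostcity.example.secure-portal.net
    if re.search(r"(^|[.-])" + re.escape(label) + r"([.-]|$)", host):
        return True
    # Typosquat within two edits of the real domain, e.g. f1fa.com or fifa.co
    return levenshtein(host, brand) <= 2


def verdict(score):
    if score >= 5:
        return "quarantine"
    if score >= 3:
        return "flag"
    return "allow"


def score_email(msg):
    """Return a score, the reasons behind it, and a verdict for one message."""
    score, reasons = 0, []
    subject = msg["subject"].lower()
    if KEYWORD_RE.search(subject):
        score += 2
        reasons.append("world-cup-themed subject")
    if URGENCY_RE.search(subject):
        score += 1
        reasons.append("urgency language")
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    for brand in BRAND_DOMAINS:
        if is_lookalike(sender_domain, brand):
            score += 3
            reasons.append(f"sender domain {sender_domain} imitates {brand}")
            break
    for url in msg.get("urls", []):
        host = urlparse(url).hostname or ""
        for brand in BRAND_DOMAINS:
            if is_lookalike(host, brand):
                score += 3
                reasons.append(f"link host {host} imitates {brand}")
                break
    return {"score": score, "reasons": reasons, "verdict": verdict(score)}


def triage(messages):
    return {m["id"]: score_email(m) for m in messages}


# Constructed sample messages (not real mail): two lures, two legitimate notices.
SAMPLE_EMAILS = [
    {"id": "msg-1", "from": "tickets@fifa-2026-tickets.com",
     "subject": "Your World Cup match tickets expire today",
     "urls": ["https://fifa-2026-tickets.com/claim"]},
    {"id": "msg-2", "from": "noreply@fifa.com",
     "subject": "FIFA World Cup schedule update",
     "urls": ["https://www.fifa.com/schedule"]},
    {"id": "msg-3", "from": "hr@hostcity.example",
     "subject": "Parking changes during match days", "urls": []},
    {"id": "msg-4", "from": "alerts@hostcity-example.com",
     "subject": "Urgent: staff Fan ID verification required",
     "urls": ["http://login.hostcity.example.secure-portal.net/"]},
]

if __name__ == "__main__":
    for msg_id, result in triage(SAMPLE_EMAILS).items():
        print(msg_id, result["verdict"], result["score"], "; ".join(result["reasons"]))
```

Themed keywords alone never raise a message above "allow"; a genuine schedule update from fifa.com and a parking notice from the real city domain both pass, while the two lures are quarantined because their sender and link hosts imitate a trusted domain. In production the brand list would include vendors and partner agencies, and the verdict would feed a mail gateway rule rather than a print statement.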
About the Author
Mike Kosak is a former US Department of Defense (DoD) counterterrorism intelligence officer with more than 20 years of experience as a threat intelligence analyst. While with the DoD, he served in several senior intelligence officer roles, including leading the Pentagon office responsible for providing intelligence updates to the chairman of the Joint Chiefs of Staff, and was deployed to Iraq three times in support of Operation Iraqi Freedom. He also served as the acting senior command representative to the Joint Special Operations Command for the Defense Intelligence Agency.
During his deployments, he led intelligence teams in support of both conventional and special forces. Following his government service, Kosak held private sector cyber intelligence positions at Bank of America, where he led the Strategic Cyber Intelligence and Threat Evaluation teams, and TIAA, where he led the Cyber Threat Intelligence team. He currently serves as the director of threat intelligence at LastPass.