Microsoft Warns of Growing Cyber-Threats to Sporting Events

Sporting events and venues are increasingly vulnerable to cyber-attacks, a new study from Microsoft has found.

The Microsoft Threat Intelligence State of Play report highlighted the growing opportunities for threat actors to target high-profile sporting events, “especially those in increasingly connected environments, introducing cyber risk for organizers, regional host facilities and attendees.”

Research has shown a rise in attacks on high-profile sports events and organizations in recent years. For example, a report from the UK’s National Cyber Security Centre (NCSC) in 2020 found that 70% of sports organizations experience at least one attack per year.

A Vast Digital Playing Field

Microsoft supported the cybersecurity of critical infrastructure at the 2022 FIFA World Cup in Qatar. During this event, Microsoft observed attackers continually attempting to compromise connected systems through identity-based attacks, Justin Turner, Principal Group Manager, Microsoft Security Research, told Infosecurity.

“What we saw was consistent, with cyber-criminals being opportunistic and seeing where they can infiltrate and find gaps between a lot of connected systems, in the context of a large event. The cybercrime economy's sheer size and low barriers to entry make this kind of opportunism a significant risk to account for in planning and having layered defenses in place,” he said.

Numerous publicly reported sport-related cyber-attacks have taken place in the past five years, including:

Sporting events face unique cybersecurity challenges due to the vast digital surface that needs to be protected – with a high level of cyber-physical convergence. This means there are a range of connected devices and interconnected networks that can be exploited, alongside known and unknown vulnerabilities across different venues and arenas.

Turner told Infosecurity: “What makes the sports landscape unique is that the IT assets and operations are so different, you have a lot of mobile devices across teams and staff, and a lot of connectivity across different stadiums, training facilities, hotels and other venues. And the nature of these connections is that they stand up and down as teams compete in seasons and tournaments.”

He added that this enables threat actors to simultaneously target pop-up payment and retail systems, socially-engineer attendees, and scan for unpatched or misconfigured devices.

Security is further complicated by the numerous parties managing the various systems, such as corporate sponsors, municipal authorities and third-party contractors.

Attacker Motivations

Microsoft’s analysis noted a “diverse and complex” range of cyber-threats to sporting events and venues, carried out by both financially motivated cyber-criminals and politically inspired actors.

  • Cyber-Criminals: Modern sports teams, associations and venues house a trove of valuable information desirable to cyber-criminals. This includes data on athletic performance, competitive advantage and personal information, making tactics like data breaches and ransomware tempting approaches for cyber-criminals.
  • Politically-Motivated Threat Actors: Microsoft said there were a variety of motivations from nation-states to launch cyber-attacks targeting sporting events. They even seem to be willing to absorb collateral damage from attacks if it supports broader geopolitical interests. Nation-states and hacktivist groups are primarily motivated to disrupt the event and generate publicity for their cause, often using DDoS attacks for this purpose. 

Cybersecurity Recommendations

Microsoft set out a range of recommendations to protect sporting events going forward, such as the 2023 women’s football World Cup in Australia and New Zealand:

  • Augment the SOC team: The report emphasized the need to have “an additional set of eyes monitoring the event around the clock” due to the vast threat environment.
  • Conduct a cyber risk assessment: Organizers should identify potential threats specific to the relevant event, venue or nation in advance; in particular, assessing the various key stakeholders involved, such as third-party vendors, venue IT staff and sponsors.
  • Implement strong access management measures: Access to systems and services should only be granted to those who need it. Additionally, personnel should be trained to understand access layers.
  • Protect venue technology: Liaise with venues to ensure systems like digital signage, point of sale (POS) and infrastructure equipment are protected as much as possible. This includes patching software and developing logical network segmentations between IT and OT systems.
  • Implement a multi-layered security framework: This involves deploying firewalls, intrusion detection and prevention systems, and strong encryption protocols to fortify the network against unauthorized access and data breaches.
  • User awareness: Employees, stakeholders and attendees of the event should be educated on cybersecurity best practices, such as recognizing phishing emails, using multi-factor authentication, and updating software on devices.
  • Close collaboration: Good communication between different entities is especially important in the sporting world. As well as co-ordinating with venues and sponsors, close information sharing practices should be set up between teams in professional sports leagues to help prepare for and quickly respond to incidents.
