Analysis: Wimbledon 2016 saw a 302% year-to-year rise in attacks on the official website.
Cyber attacks targeting sports events, organisations and athletes is not a new phenomena. Last year alone saw Tour de France cyclist Chris Frome targeted in a data hack, FC Barcelona’s twitter account hijacked and a FBI investigation launched into the supposed hacking of a major league baseball team by a rival.
Malicious software has also been found to be effective against certain sports, especially motor sports like F1 and NASCAR – the Circle Sport-Lavine Family Racing (CSLFR) NASCAR team was hit by a crippling TeslaCrypt ransomware attack this year, while back in 2014 the Marussia Formula One team fell victim to a malware attack in Bahrain pre-season testing.
However, while this problem is not new, it is not getting better. In fact, it is getting worse, much worse. One only need look at this year’s Wimbledon as proof that hackers are increasingly viewing sports as a goldmine of opportunity.
For the month of June 2016, Wimbledon technology partner IBM saw a 302% year-to-year increase of security events and attacks on the official website for the tournament, Wimbledon.com. Even before the Championships, in the week leading up to the first day of play, there was a 275% year-to-year increase in attacks. Cyber attacks targeting Wimbledon come as no surprise to Martin Borrett, CTO IBM Security Europe, as the world-renowned tournament will always be a target for opportunistic attackers. However, when looking at previous years, the sheer enormity of the increase in attacks did come as surprise to the CTO. Speaking to CBR, Borrett said:
“In the two months leading up to the 2015 tournament, so May and June, we actually saw a 300% increase on the previous year, 2014. So last year we saw a threefold increase leading up to the tournament. During the tournament itself in 2015 there was a 500% increase in attacks, year-to-year, so I’m not surprised that we are continuing to see an increase, I’m perhaps a little surprised that it’s another three fold increase. [I’m surprised at] the magnitude of it.”
During the tournament, deep inside IBM’s security bunker at SW19, the sheer enormity and scale of what faces a sports event is given clarity with big blue’s real-time threat map. But the map also adds fuel to questions plaguing the security industry today. Borrett said:
“You get a sense of the global scale of what’s happening and if you look at that map you can see that there is no one country or area in the world which isn’t attacking Wimbledon. They really are coming from all over the world, which is fascinating.
“The challenge is that we have to protect from all that variety and it is a variety – one of the continued challenges is about the true motivations [of hackers]. What are they really after? Who are the perpetrators?”
The million dollar questions of who, what and why posed by Borrett are hard to pin down in the world of sports, if not impossible. However, the attacks facing the sports industry are the same attacks facing everyone else – it is the motivations and the leveraging of the peculiarities of the sports industry which differ.
Going for gold – motivations of the athlete hacker
Unfortunately, there is no one motivation for the sports hacker. Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS IB, told CBR:
"In cases like these, sports teams, organisations, and tournaments are threatened by the same cyber-attacks everyone else faces. It’s all about hacker motivations and those unfortunately can be just about anything. From notoriety, financial gain, competitive advantage, protest, you name it, the motivations are extremely broad.”
Just like in other industries, data is a number one target for hackers. Data is the twelfth man in modern sports – on the field, technology like wearables are used to harvest game and athlete data, analysing how fast a serve is to showing how far a rugby player has run in a game. However, if hackers were to get their hands on this data, a number of sure bets could result in a windfall for the attackers, as Stephen Gates told CBR:
“If a hacker had access to team records that showed someone was injured, or someone wouldn’t be playing etc. that inside information could be used to increase sports betting odds. Remember, betting/gambling on sporting events is a huge business.”
But that is just one use for a team’s or individual’s performance data. Some people will stop at nothing to win a game or beat their competitors, as Jason Hart, CTO of Data Protection at Gemalto, told CBR:
“For rival teams, data can show where weaknesses lie and help them to win games – which could be the difference between winning a gold medal at the Olympics and finishing last.”
It goes without saying that team or athlete data can also be used for extortion or fraud, in addition to sports betting and helping rival teams gain an edge over competitors. But it’s not just all about the sports stars and the billion dollar teams, the fans in the stadium are also a key target for hackers.
This is where a unique aspect of sports events comes into play – the draw of tournaments such as the Euros or Wimbledon equals huge attendance numbers, giving hackers a rare window to attack a huge number of people with a known common interest. Hackers have seized on the huge volume of e-commerce transactions that a sports event creates, posing as fake ticket vendors or even the event organiser in order to steal financial and personal data via phishing or malware. Ryan O’Leary, VP Threat Research Centre at WhiteHat Security, told CBR that this particular technique is already being seen in regard to this summer’s Olympic Games.
“More than a quarter of fake tickets sold online in 2015 were for big sporting events such as the Rugby World Cup and Premier League football matches. With that in mind, it is perhaps not surprising that there have already been multiple reports of fake ticket sites having been set up for the Olympic Games and the Euros. Some cyber criminals are even buying cheap SLL certificates, which add the “https” at the beginning of the URL to give the illusion that the website is legitimate.”
Unfortunately, this issue is only further compounded by many sports events and teams looking to increase fan experience via mobile. Users ignoring security best practices combined with fake apps infected by malware pose a significant risk to the now-mobile fan.
There is no denying that data is a key motivation for sports hackers, but for IBM’s Martin Borrett, data is not the most important thing to protect at Wimbledon.
“The thing that we are most conscious of as the technology partner for Wimbledon is protecting their brand. If you think about Wimbledon as a tournament, IBM as a company, what’s one of our most precious assets? It’s our brand, our reputation. So protecting the Wimbledon site, the infrastructure, during those couple weeks of the tournament is absolutely top of mind issue.”
Sports events, teams and individuals operate in an emotive, high-profile, well-known industry. Hackers looking to cause trouble, either for a feather in their cap or for revenge for their losing team, are becoming more and more common. It is this disruption which threatens the reputation of sports teams, individuals and athletes. Amichai Shulman, CTO and Co-Founder of Imperva, told CBR:
“First and foremost there is the emotional aspect. As emotions rise, motivation increases to deface or put out of service websites and digital services related to an event (e.g. the Official UEFA championship site), its organizers (e.g. the International Olympic Committee) or the participating teams. While defacement requires a certain level of skill, launching a DDoS attack against a site only requires an investment as low as 5 USD and no skills at all. These nuisance attacks are likely to be timed to the event dates.”
The sports industry is facing hackers who disrupt, and hackers which steal for financial gain. But for Jeff Kolodziej, Senior Manager for Customer Support, Arbor Networks, there is one more type of attacker who seizes on the global platform afforded by a sports event.
“Often attackers target high profile events to simply cause disruption, embarrass the organisers or raise the profile of their own political agenda. This has certainly been the case with hacktivist groups that use DDoS to take down websites or knock a website offline. It was reported that the 2012 London Olympics faced a total of 156 million security-related events, six of which were major cyber-attacks. Fortunately these were halted through having the right security processes and technology in place, including practising worst-case scenarios.”
So how can sports events, teams and individuals protect against those who want to steal, disrupt and protest? The key is in treating the event, team or high-profile individual as an enterprise in their own right. And as an enterprise they need to make sure the right people are educated in threats and identify mission critical data. Mark Bower, Global Director at HPE Security, told CBR:
“We have a saying in security, it’s not a matter of if a breach will happen, but when. Beyond the threat to sensitive data, companies need to be concerned with the impact a data breach can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow organisations to mitigate the risk and impact of cyber attacks and other attempts to get this sensitive information.
“Many organisations are not readily equipped with modern data-centric protection which enables them to neutralise breach risks. Any organisation dealing with medical data or other personally identifiable information (PII) must shift gears to modern data security practices while joining their peers in other industries who've already learned the importance of mitigating data threats. The value of data-centric security controls enables organisations to protect valuable data assets and enable data-rich analytic insight without risk.”
Encryption, key management and two factor authentication are just some of the measures that can mitigate the risk of attack. When developing an app, all teams and events should have TLS encryption and secure coding at the very least.
Never has it been more vital to get the basics right when it comes to cyber security in the sports industry. The cyber threat landscape is changing, evolving, and the attacks on world-renowned events like Wimbledon are only going to get more complex. Predicting the key trends that may be seen for the rest of 2016’s sporting events, Sean Davin, Head of Cyber Security at Sevin Cyber Security Ltd, told CBR:
“For this year, trends of attacks are showing a greater propensity to attack smaller companies, Internet of Things devices and to conduct Ransomware attacks as drive-by opportunistic attacks or targeted attacks.
“Critical infrastructure for major events, such as the Olympics, must continually be considered a target, especially for the electrics and water supplies. Any disruption to the Olympics power and lighting would seriously hamper the ability for the event to continue and would cause significant reputational damage to the Olympics organisers and Brazil as a whole.
“The general increase in Internet connected portable devices during the event significantly increases the possibilities of DoS attacks (distributed or otherwise) as items such as tablets and fit-watches used by athletes in the Olympics would constitute a massive increase in the number of portable devices used within the Olympics Internet infrastructure.
Sport is a billion dollar industry, a business generating big money and big data – both of which are perfect for hackers. World-renowned events taunt hackers to disrupt and deface key services, while the thousands of fans in attendance are a veritable money-pit for those looking to extort online.
The sports industry needs to up their game against this breed of attacker, who is looking to make a home-run with data, money, brand and reputation from sport’s big hitters.