On the 2nd of December 2010, FIFA president Sepp Blatter announced that the FIFA World Cup 2022 would be held in Qatar. Accordingly, the small Gulf Cooperation Council (GCC) member state would have around twelve years to build the stadiums, find a solution for the hot weather, reinforce its airport infrastructure, and expand the fleet of its flagship airline. But in a world of cyber warfare and an ever-evolving threat landscape, what has Qatar done to defend its cyberspace, and will that prove to be enough?
Cyber Attacks in Previous Sporting Events
When we look back at sporting events from the past, it becomes apparent that major events and cyber attacks tend to go hand in hand.
During the Rio 2016 Summer Olympics, the Russian-linked APT28 threat actor was able to gain access to the Anti-Doping Administration and Management System (ADAMS) of the World Anti-Doping Agency (WADA). Later, the APT28 group released information which appears to show that U.S. athletes, including Simone Biles and Serena and Venus Williams, were allowed to participate in the Olympics even after testing positive for illegal substances.
In 2018, the Pyeongchang Olympics were the target of a greatly disruptive cyber attack that shut down every domain controller in the Seoul data centers which supported the event. This prevented event attendees from printing their tickets, reporters were not able to connect to the Wi-Fi network, Internet and TV broadcasts went down, RFID-based gates in the building stopped working, and the official Olympics app full of schedules, hotel information, and maps was completely down. The malware responsible for the attack later came to be known as the “Olympic Destroyer”.
In 2020, a plan for a similar Russian military intelligence cyber attack on the Tokyo Olympics was luckily uncovered by US intelligence agencies and the UK National Cyber Security Center.
Since football is arguably the most popular sport on the planet, the biggest football event is therefore at least as likely as the Olympics to draw the attention of hackers. Let’s have a look at the two previous FIFA World Cup events and the attacks that targeted them:
FIFA World Cup 2014: Back in 2014, Brazil saw a swarm of cyber attacks never witnessed before by the South American country. Distributed denial of service (DDoS), spear-phishing, and malware attacks were just a few of the threats targeting government websites and employees, citizens, and visitors alike. Starting in April 2014, two months before the event, cyber attacks against government infrastructure originated from countries all over the world and were aimed at almost two thousand targets per day.
Days before the beginning of the competition, employees of the Ministry of Foreign Affairs were targeted by more than 600 spear-phishing emails tricking employees into submitting their credentials on a fake website. This resulted in the unauthorized access of employee email messages and address books and allowed hackers to – at least – partially control the ministry’s email infrastructure for an undetermined amount of time.
During the competition, leaks of personally identifiable information originated from cyber attacks targeting Rio de Janeiro’s State Military Police website and that of the National Regulatory Agency for Private Health Insurance and Plans.
Additionally, DDoS attacks brought down the websites of the Ministry of Employment and Labor and the Ministry of Sports, and the websites of some organizations such as Banco do Brasil and Universal Music were defaced by the attackers.
FIFA World Cup 2018: Fast forward to 2018, when Russian Special Presidential Envoy for International Cyber Security Cooperation Andrei Krutskikh announced that Russia had detected around 25 million cyber attacks aimed at disrupting the 2018 FIFA World Cup. No additional information was provided, however, about the nature or targets of the attacks.
Social engineering attacks were especially on the rise, tricking people into downloading malware. This is easy to achieve when some football fans do not have access to legitimate sources of live coverage and resort to illegal streaming sites, which are usually infested with malware download links. One malicious app downloaded from such sites was identified by TrendMicro as AndroidOS_DarDesh.HRX and was used to steal location information, audio from calls, and files in external storage. Another app, identified as W2KM_POWLOAD.ZYFG-A, acted as a keylogger and allowed attackers to take screenshots and search for files.
Moreover, Group-IB, a major cybersecurity and threat intelligence service provider, identified more than 1500 fake or illegal domains relating to “FIFA”, “Russia”, and “WorldCup2018”. Those domains were used for online fraud, tricking users into purchasing fake tickets, or phishing for their payment and personal information.
Additionally, the North Korean-linked DarkHotel and the Russian-linked APT28 threat actors have both been known to target hotel Wi-Fi networks on specific occasions, allowing them to install backdoors on the systems of hotel guests in order to extract sensitive information. This led the Russian Federal Security Service (FSB) to reportedly conduct checks of IT networks in hotels to ensure no such attacks were taking place.
It is hence apparent that, if we are to learn from the past, cybersecurity should be a top priority when preparing for a sporting event. But history and previous breaches are only one of the many components of the threat landscape. Other equally important pieces of the puzzle are the different motives threat actors can have. Let’s have a look at the most important ones.
Motives of Threat Actors during Major Sporting Events
Threat actors are always looking for opportunities to take advantage of. Even the COVID-19 pandemic was treated as such an occasion, as shown by the rise in social engineering attacks using pandemic-related topics.
It is therefore typical for an event as big as the FIFA World Cup to be treated as a trove of opportunities by attackers looking to make some money, or by hacktivists looking to be heard.
Financial Scams: Major sporting events often come hand in hand with financial scams. The typical methods are bogus websites selling fake event tickets or merchandise and collecting credit card information. More advanced methods rely on POS and ATM skimming to collect card information from the large number of visitors relying on electronic payments when attending the event.
In a near cashless society such as Qatar, attacks targeting electronic payment systems will surely be something to watch out for.
However, event attendees are not the only ones who should be careful. According to Ernst & Young, the total amount of fraud-related losses among athletes was as high as almost $600 million between 2004 and 2019, and this only accounts for publicly acknowledged losses. Since football athletes are among the highest paid in the world, they constitute an ideal target for attackers looking for financial gain.
Social Hacktivism: Hacktivists are threat actors who consider themselves to be fighting for a cause. During the World Cup in Brazil, a group of hacktivists was protesting the hosting of the World Cup in a country with a failing economy, while another group was targeting World Cup sponsors to take a stance against the spending of large amounts of money on such events. Major events are therefore ideal for hacktivists who want to be heard. This will be especially true for Qatar due to the controversies related to Qatar’s position on some human rights topics that made the headlines in the past year, and the state being a major player in the oil and gas industry, which makes it a target of ecological hacktivists.
Nation State Attacks: Nation state attacks are one of the most dangerous types of threats due to attackers being supported by substantial research and budget by the offensive nation state. Such attacks mainly result from the geopolitical dynamic, and Qatar is a nation with a unique geopolitical situation. With Europe requesting more gas supply from Qatar to replace Russian gas, and with the state hosting the World Cup to improve its reputation on the map of the world, the event will definitely spike the interest of Russian and other nation state threat actors.
The above are only a subset of the multitude of cybersecurity threat actors Qatar is expected to face when hosting the world’s biggest sporting event. Confronted with such a threat landscape, what has the country done to improve its cyber defense, and will that be enough?
Qatar’s Cybersecurity Measures
Since Qatar is a small country hosting an event of this size for the first time, it was only reasonable to ask for help. The most important assistance provided to Qatar came from Interpol and was named Project Stadia.
Project Stadia: Project Stadia is Interpol’s 10-year initiative for securing major sporting events in general, and the 2022 FIFA World Cup in particular. The project, which is funded by Qatar, groups experts in annual meetings, where various aspects of cybersecurity are reviewed and explored, such as national cybersecurity capabilities, risk management, internet of things, and industrial control systems. The outcome is an extensive set of recommendations for securing the country and its infrastructure during the event.
Qatar also had to rely on internal resources and initiatives to secure its cyber landscape. As such, the country had to make use of its already established Computer Emergency Response Team (CERT), conduct yearly cybersecurity drills, and develop a framework to guide critical organizations on the implementation of the necessary cyber defense capabilities.
Q-CERT: The Qatar Computer Emergency Response Team (Q-CERT) was set up back in 2005 by the Ministry of Transport and Communications (MOTC) in partnership with Carnegie Mellon University’s Software Engineering Institute.
Q-CERT is responsible for a number of cybersecurity measures that have been implemented in preparation for the World Cup. In fact, Q-CERT is building a threat intelligence center and developing a fully automated threat monitoring system. Those will complement each other to ensure the timely identification and mitigation of cybersecurity threats to the government network.
Q-CERT will also empower Qatar with malicious software analysis capabilities by building a malware analysis lab where malware collected through other initiatives can be reverse engineered and analyzed.
Cybersecurity Drills: In its aim to ensure that the country’s entities are prepared to defend themselves against cyber attacks, Qatar has been conducting annual cybersecurity drills since 2013. The drills cover various aspects of security such as defense, resilience, incident response, and business continuity.
The 2022 edition of the drills was the largest, with the participation of more than 125 governmental and non-governmental entities from the vital infrastructure sector. More than 1400 participants engaged in the drills which consisted of different scenarios and exercises aimed at evaluating the entities’ readiness to detect and respond to cyber attacks.
Qatar 2022 Cybersecurity Framework: Qatar’s Supreme Committee for Delivery and Legacy issued the Qatar 2022 Cybersecurity Framework which “defines the core cyber-competencies and cyber-capabilities needed to safeguard critical national services supporting this prestigious tournament”, as stated in the framework’s foreword by Colonel Al Sulaiti, the committee’s Executive Director of Security. Various parties have contributed to the development of the framework, including representatives of government and civil society and subject matter experts.
The 425-page framework is on par with other international cybersecurity standards and frameworks and provides controls for the implementation of common cybersecurity capabilities such as cybersecurity governance, endpoint, application, and network security. It also covers more specialized capabilities such as Operations Technology Security Monitoring, Internet of Things, and Cloud Security.
Controls are mapped to international standards such as ISO 27001, NIST SP 800-53, PCI-DSS, and GDPR, and the framework even provides security metrics that allow the measurement of the effectiveness of the controls in each capability.
Entities which are part of the World Cup ecosystem are expected to implement the capabilities and competencies applicable to their operations.
On paper, it looks like Qatar has everything under control. But how does this reflect across the state’s cybersecurity industry, and how well are the country’s critical organizations catching up with the flux of regulations and policies?
The Situation on the Ground
The gap between compliance with standards and regulations and the actual security posture is something we witness everyday in the cybersecurity industry. Compliance does not directly translate into security. Take the ISO/IEC 27001:2013 standard for example: while complying with the standard provides a marketing advantage by giving customers a sense of security, you can initially be certified without having addressed all your risks, as long as those risks are identified and a plan is in place for their treatment. In our line of work, we have seen many organizations mostly complying with applicable standards, laws, and regulations, but still being the victims of a breach.
But what about Qatar’s organizations supporting the World Cup? While all these organizations have to comply with the requirements of the Qatar 2022 Cybersecurity Framework, most of them have not been able to do so on time. During a work-related visit to Qatar, it became apparent that some critical organizations have not yet complied with the requirements of the framework, nor have they been audited by the regulator. It would be highly optimistic to think that in the couple of months separating us from the World Cup, non-conformities can be identified and addressed across all the organizations in the World Cup ecosystem.
With the evolution of both threats and defensive methods, cybersecurity preparedness in this World Cup will be one of the highest witnessed to date in major sporting events. However, the efforts Qatar spent during the 9 years of cyber defense preparations may not actually be reflected on the ground.
They say preparation is half the battle; the other half remains to be fought during the tournament. While millions of fans will be cheering for their teams, another game will be taking place behind the scenes: threat actors known for their attacks will be extremely active, yet they will be facing a team that has spent a long time training and preparing for the worst. This will be an interesting game to watch.