As major sporting events become increasingly digitised, sports organisations are growing more concerned about cybersecurity. Daniel Bardsley investigates the potential risks posed by digital technologies in sports and how potential victims can help reduce opportunities for attack.
“Greetings citizens of the world. Allow us to introduce ourselves… We are Fancy Bear international hack team. We stand for fair play and clean sport.”
These slightly chilling sentences are how the cyber-hacking group Fancy Bear, which is thought to be linked to the Russian government, showcases itself online.
Whatever the motivations behind its activities – Fancy Bear is thought to be linked to Russian military intelligence and is said to be doing the Kremlin’s bidding by targeting western nations – the group has certainly shaken up the sporting world by making public information about drug use in sport.
Not all of its hacks are linked to sport, but among those that are, one on the World Anti-Doping Agency’s database revealed that the British Tour de France cycle race winner Sir Bradley Wiggins had been given a therapeutic use exemption (TUE) allowing him to take a banned asthma drug.
This 2016 bombshell and subsequent investigations have removed some of the shine from the reputation of a rider who also won the world time trial title and who retains the record for the longest distance cycled in an hour.
If nothing else, the Wiggins case demonstrates that cybersecurity breaches in sports are no trivial matter.
“If you look at the types of cyber incidents in professional sport, it’s a pretty long list. It affects teams globally in all types of possible attack scenarios,” says Merritt Maxim, a principal analyst at the research organisation Forrester and author of a recent report entitled “Securing the Internet of Sports”.
“It’s a real trend and no organised sport is immune from potentially being victim to attacks like these.”
Attacks that are reported in the media are likely to be just a fraction of the total because, for example, many attacks in the United States probably fall outside of requirements for notification.
With cyber criminals able to easily get hold of hacking tools, sports organisations, employees, teams, individual athletes and even fans are at growing risk as the sector digitises, with multiple potential vulnerabilities exposed.
Digital technology is being used to improve engagement with supporters, sometimes with cloud-based systems that allow teams to ramp up to high volumes when selling tickets, or through the use of apps that update fans during tournaments.
“That provides a lot of benefits, but introduces security risks that companies have to think about,” explains Maxim, a keen sports fan himself who follows everything from cycling to winter sports.
Ray Kafity, vice president, Middle East, Turkey and Africa at Attivo Networks, says that the Internet of Things (IoT) is radically changing cybersecurity in sports by “adding digital dimensions into every facet of the sporting experience and expanding the attack surface.”
Devices might cover everything from athlete care to device-enhanced viewing, scoring systems and ‘smart’ stadiums.
“In addition, stadiums and sports arenas have infrastructure vulnerabilities similar to smart buildings, wherein mission-critical functions are managed by a centralised network that can be compromised,” says Kafity.
“A cybersecurity breach in the system can impact the integrity of the game being played, while direct and targeted cyberattacks against sporting events can create a new potential risk to the safety of fans.”
Consequences could expand to include sports broadcasting, advertising, insurance, sports merchandise and more.
“I think it’s safe to assume it’s a global phenomenon and will continue to affect organisations directly involved with sport or indirectly for the foreseeable future,” says Maxim.
Just as the cyber-vulnerabilities are many and diverse, especially at events where tens of thousands of people might be present, so are the motivations behind attacks.
Political activism is one reason, such as when Tibet campaigners launched an offensive against the website of the 2008 Beijing Olympics.
A further motivation is financial gain, with attackers trying to secure the payment information of customers through a website hack. Ticket websites are vulnerable to other types of scams.
“In 2015, cyber attackers schemed to hijack online ticket sales of the Rugby World Cup to force resale in secondary markets at increased prices,” says Kafity.
Meanwhile, phishing attacks by fraudsters looking to turn a profit may target more than just fans – sportspeople could fall victim too.
“Certainly the athletes themselves are potential targets because they have assets. They make a lot of money and, therefore, they may be susceptible to being victims to a phishing attack. If some information is compromised, hackers could use that to do identity theft,” says Maxim.
Other incidents involve sporting espionage, such as a well-known example that came to light last year in which the scouting director of the MLB St Louis Cardinals baseball team accessed, for more than two years, the scouting database of his former team, the Houston Astros. He was able to commit this “insider theft” because he had kept hold of his user credentials.
Rivals might want to learn about the injuries that athletes on opposing teams have suffered, or to find out about training regimes, data that could also be used to manipulate betting.
It is no wonder, then, that reports indicated that some footballers at this year’s World Cup in Russia were told not to use public Wi-Fi for fear that details about tactics, squad selection and the like might be stolen.
“Data in sports extends beyond a player’s value in the field. It is also linked to their popularity in bringing crowds into stadiums, viewership and retailing of merchandise,” says Kafity.
“This kind of data is used to analyse what a player means for the club’s bottom line. Information on players’ compensation could also be targeted and exploited.”
A distributed denial of service (DDoS) attack on the Swimming Australia website was blamed on Chinese hackers after a dispute between swimmers from the two countries.
“It didn’t cause huge amounts of disruption, but if a rival team doesn’t like what’s happened, they may have cyber [hacks] to cause disruption to a rival organisation,” says Maxim.
The key to stopping an attack is, according to Kafity, “early detection and actionable response”, since this can derail incidents before damage is done.
“In addition to early detection, sports organisations that invest in tools for threat and adversary intelligence will be able to better understand their security vulnerabilities, quickly isolate attacks, and prevent recurring attacks,” he adds.
“Many organisations are turning to deception technology for offence-driven security designed to significantly reduce dwell time and accelerate remediation by tricking attackers into making a mistake and revealing their presence in the network.
“It is widely recognised for its ease of operations, cost efficiency and ability to deploy across a wide variety of attack surfaces.”
Certain types of attacks can be difficult to defend against. For example, specialists have said that attacks on sporting event infrastructure are hard to simulate.
So, the solution, some have said, may be to outsource defences to organisations that are able to assess the threats and introduce the necessary security barriers while employing the likes of proactive monitoring and threat intelligence.
But there are many relatively simple safety precautions that organisations themselves can take. If players are transferred from one team to another, for example, there should be a policy in place to ensure these people cannot continue to access their old club’s systems.
Such measures may not be enough to keep the likes of Fancy Bear at bay, but they could be crucial in keeping the spying eyes of rivals away from potentially vital information.