FBI warns of 2022 Beijing Olympics cyberattack, privacy risks

The Federal Bureau of Investigation (FBI) warned today that threat actors could potentially target the February 2022 Beijing Winter Olympics and March 2022 Paralympics. However, evidence of such attacks being planned is yet to be uncovered.

“The FBI to date is not aware of any specific cyber threat against the Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments,” the US security service said in a private industry notification (PIN) issued on Tuesday.

As the FBI explained in the TLP:WHITE PIN, attacks coordinated by financially motivated or nation-state threat actors targeting the Beijing 2022 Winter Olympics could involve malware delivery, distributed denial of service (DDoS) attacks, ransomware, social engineering, phishing campaigns, and even insider threats.

If successful, such attacks could disrupt or block live broadcasts of the event, exfiltrate sensitive information after breaching IT systems, or impact private or public digital infrastructure supporting the Olympics.

The attackers’ end goal would likely be to “make money, sow confusion, increase their notoriety, discredit adversaries, and advance ideological goals.”

This warning follows a similar one issued last year regarding potential cyberattack risks surrounding the Tokyo 2020 Summer Olympics, which were the first to be transmitted exclusively via digital platforms and TV broadcasts due to COVID-19 pandemic restrictions.

Data belonging to the Tokyo 2020 Organizing Committee was stolen in late May 2021, before the competition started, after Japanese information technology company Fujitsu disclosed a breach impacted data belonging to government clients, including the Tokyo 2020 Organizing Committee and the Japanese Ministry of Land, Infrastructure, Transport, and Tourism.

In 2020, the Department of Justice also charged six Russian Main Intelligence Directorate (GRU) intelligence operatives (believed to be part of the Russian-sponsored hacking group tracked as Sandworm) for hacking operations targeting the Pyeongchang Winter Olympics.

Privacy concerns surrounding this year’s Winter Olympics

As revealed by a Citizen Lab report, My 2022 (the official app for the Beijing 2022 Winter Olympics) was found to be insecure as it doesn’t protect the users’ sensitive data, and a flaw in its encryption system allows middle-men to access documents, audio, and files in cleartext form.

The researchers also found that the app collects large amounts of sensitive information, including real-time location, list of installed apps, audio info, location access, device identifiers, WLAN status, complete passport info, daily health status, COVID-19 vaccination status, demographic data, and the organization the user works for.

The data collection is disclosed in the app’s privacy policy and, according to Chinese officials, it is required for COVID-19 protection controls, translation services, and tourism recommendations and navigation.

To make things even worse, using the My 2022 app isn’t optional since all athletes, members of the press, and the audience are required to install the app and add their personal information to it.

FBI also addresses these privacy risks in today’s PIN, advising athletes to install the My 2022 application on temporary devices.

“The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the Games,” the federal agency added.

“The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the Games.”