The Paris Olympics face the biggest cyber threat in its history. And the fallout could reach well beyond cyberspace, write Sherryn Groch and Marta Pascual Juanola.
It’s the biggest corruption scandal you’ve never heard of, and Tom Cruise is explaining it to you with all the explosive special effects you’d expect from a Netflix documentary starring the Top Gun star.
In the lead-up to Paris 2024, the slick film Olympics Has Fallen has appeared online. In it, Cruise, ‘‘the actor’’, as he reminds us, details his apparent backstory in sport cut short ‘‘by a knee injury’’ – and his certainty that dodgy Olympic officials are turning the world’s oldest games into a rort.
Only none of it, including Cruise’s suspiciously stilted narration, is real.
The fraudulent film has been shared across social media, complete with bogus five-star reviews, stirring graphics of smouldering Olympic rings, and fake endorsements from fellow celebrities such as David Beckham and Miley Cyrus. Some celebs were even duped into recording real messages supporting ‘‘Tom’’ via the site Cameo, where people pay celebrities for personalised videos. Those videos were then deceptively edited into promotional material for the film, according to Microsoft’s threat centre.
Welcome to Russia’s information war on Paris 2024.
The Olympics are the biggest event ever organised in France – and they face the biggest cyber threat yet, with experts expecting hundreds of thousands of attacks around those 16 days in July and August, mostly from Russia.
While blocking hacks on the Games has almost become an Olympic sport in itself, this year’s event, set during two major wars in Gaza and Ukraine, is considered the most vulnerable so far. And the fallout could reach well beyond cyberspace – not only could hackers stop the trains or attack power grids, broadcasts and ticketing, Russia’s growing wave of disinformation online could inspire protests, boycotts, even sabotage and terrorism.
Sour grapes
Russia and its ally Belarus are banned from the Olympics – their athletes can compete without flags only, and if they can prove they don’t support Russia’s invasion of Ukraine. French President Emmanuel Macron is one of the most hawkish European leaders on Russia, speaking of sending troops to Ukraine if necessary and having long clashed with Vladimir Putin over the Russian president’s mercenaries in Africa. Not to mention Macron has just pulled the trigger on snap elections in France weeks before the Games begin, where his party faces a far-right opposition that Russia has an interest in helping win.
‘‘It’s the perfect storm,’’ says professor of cyberwar and former Australian government adviser Greg Austin.
Already this month, a Russian-Ukrainian bombmaker has been arrested in Paris, near where Ukrainian refugees have been taken in, following another bombing plot by a Chechen foiled in May.
Fake graffiti has appeared in photos taken around the city spreading fears that the Games will become ‘‘the next Munich’’ (referencing the deadly attacks on the Israeli Olympic team at the 1972 Games in Germany). And fake news stories pushed by Russian bots warn of everything from an impending nuclear war between France and Russia to non-refundable Airbnb reservations and exotic allergic reactions to a bedbug epidemic in Paris.
Macron and Moscow are regularly trading barbs as the French president accuses Putin of trying to sabotage the Games, and Russian politicians remark: ‘‘It would take just two minutes to nuke Paris.’’
While Russia’s nuclear threats for the West are largely considered bluster, former cyber tsar for the Obama administration Michael Daniel says the cyber risk for the Olympics has never been higher.
‘‘The Russians don’t have much to lose,’’ he says, and the Games give them a unique opportunity to sow chaos on the world stage. But then, ‘‘defences have never been higher either.’’
For Russia expert Professor Mark Galeotti, the geopolitical backdrop recalls the tense early years of the Cold War when the rules were not clear.
That makes it dangerous. But the attacks may be smaller, ‘‘stupider and pettier’’ than you’d expect, he says, recalling Russia’s embarrassment when one of the lights of the Olympic rings failed during the opening ceremony of its Sochi Winter Games in 2014.
‘‘You can hardly go to war because your opening visuals have been disrupted,’’ says Galeotti. But even minor hacks allow Russia to humiliate its rivals, to show once again what it can do. It’s the country’s way of saying, ‘‘We can mess with anything at any time,’’ Galeotti says.
Of course, with cyber criminals, hacktivists and other ‘‘useful idiots’’ to the Kremlin all drawn to the ‘‘big target of the Games’’, things could spiral out of control too, says Daniel.
From Russia with love
Russia has a long history of Olympic Games sabotage. In 1984, the Soviets boycotted the Los Angeles Games and were linked to mysterious leaflets threatening violence against non-white athletes. Then in 2016, in the midst of Russia’s doping scandal, its hackers penetrated the World Anti-Doping Agency to steal the private medical records of US athletes, including Serena and Venus Williams.
Two years later, at the 2018 Winter Olympics in South Korea where Russian athletes were banned, Kremlin hackers took down part of the broadcast and internal servers, in an attack nicknamed ‘‘Operation Sour Grapes’’ by the US. The Russians returned again to target the Tokyo Games – more than 4 billion attacks in total were detected, though attempts to overload networks then were blocked.
French organisers are expecting 10 times that number of attacks this year. They’ve already begun, authorities say, including a bizarre takeover of the French sports minister’s X account.
‘‘Putin hates Macron,’’ says Austin, recalling major Russian hacks on the French president’s 2017 election campaign. ‘‘He’ll want chaos, and he’s not afraid to stir it up, short of provoking a major war.’’
‘‘The Russians are definitely on the warpath,’’ not just in cyberspace but in ‘‘unconventional guerilla-style sabotage operations,’’ says Austin, pointing to recent spates of arson in western Europe linked to Russia.
‘‘It’s low level so far, but it’s classic playbook from the KGB in the 1970s, ’80s.’’
‘Cyber Pearl Harbour’ or death by a thousand hacks?
In the cybersecurity hub of Olympic Games in Paris, at a location kept secret, artificial intelligence helps prowl for intrusions, war games run cyber calamities, and ‘‘ethical hackers’’ are paid bounties to test for vulnerabilities.
The French have been ramping up their cyber defences for years. Ahead of the Games, they’ve turned to help from powerful Western allies such as the US and veterans of the Russian attacks in Korea.
Daniel heads a global network of security companies, many of which are helping fortify France’s cyber defences for the Games, and says it’s too early to say where the main attacks might hit.
But Russian hackers are known to have code lying in wait in critical infrastructure abroad, from worms switching off Ukrainian power grids to the 2021 attack that shut down one of the US’s biggest fuel pipelines.
Counterterrorism expert Thomas Renard points to the hacks that came close to destroying a French TV network in 2015, where Russian attackers masqueraded as a ‘‘cyber caliphate’’.
‘‘Russia will attack French transport and energy systems,’’ and other critical infrastructure during the Games, Austin says. ‘‘But most of those attacks will be defeated . . . though they’ll probably succeed in some disruption, [perhaps] the trains shut down for a day.’’
Galeotti says the Russians will want to ‘‘take the gloss off the Olympics’’ – always a huge soft-power opportunity for any host nation – but they still have restraint for now. He imagines it’ll be ‘‘death by a thousand cuts, a thousand irritations’’ to make the French government look incompetent, rather than the kind of ‘‘Cyber Pearl Harbour’’ knockout hit long feared by experts.
After all, there’s a risk that a major cyberattack on Paris could unify Europe against Russia and turn French voters back to Macron. ‘‘And they won’t know what France has in the drawer in return,’’ says Galeotti.
Daniel agrees that, with so much of the world gathered in Paris, Putin will have to temper his desire to ‘‘poke a sharp stick in Macron’s eye’’, or risk drawing the ire of China and other allies attending.
Hacks, then, are more likely to cause spectator chaos, targeting ticketing systems, broadcasts and transport, for example, rather than infrastructure like power grids that could endanger lives. Daniel expects security will be tight around the computers calculating who crosses a finish line and other key Olympic metrics. But hackers could still get creative.
‘‘They could send out a fake text diverting people’’ from train stations or stadiums, says Daniel, as the edge between traditional cyberwar blends with the disinformation war raging online.
How would the world respond?
Before Russia invaded Ukraine, it gave the world a taste of the chaos it could sow. In 2017, it unleashed the worm NotPetya, knocking out power, trains, ATMs, airports, and TV stations throughout Ukraine. But the malware spread too far, paralysing hospitals, companies and shipping across the world, even looping back into Russia, and costing $12.9 billion damage.
Some experts fear even a smallerscale attack could get out of control again, and ignite a diplomatic incident inside a NATO country.
‘‘NATO certainly sees itself as in an information and cyberwar with Russia,’’ says Austin. But he doubts the Western alliance, long wary of Russia’s nuclear arsenal, will let a hack spiral into actual warfare.
And, given Russia’s cyber army has proved even less effective than its troops in the Ukraine invasion, Austin thinks the Kremlin has already lost part of its cyber edge. International IT companies from Google to Microsoft have pulled out of Russia, it’s cut off from key electronics like computer chips, and its intelligence agencies, rocked by the recent Wagner coup, are mired in division and corruption.
But Austin warns the Russians have learnt from their failures too, and are now ‘‘more determined to achieve things in cyberspace they’ve been denied on the battlefield’’. ‘‘They’ll follow up one win with another attack, they’ll be more targeted, clever.’’
Gaelotti thinks that, while cyber weapons may have been overhyped in actual warfare, the Kremlin’s cyber arsenal has actually been strengthened, as it leans more on criminal hackers for operations.
That means many ‘‘very imaginative, emotionally bankrupt’’ freelancers are also in play, with varying degrees of competence.
Crowdsourced chaos
Something the Russians do have success in, however, is whipping up dissent in rival nations. French agencies have recently uncovered a vast ‘‘foreign digital interference’’ network run by Russia, and Microsoft has warned Russia’s fake outrage machine online could spill over into staged protests.
Meanwhile, Russian and Belarussian nationals have been banned from volunteering at the Games over fears of physical sabotage.
Galeotti says those fears are not misplaced. While Russia’s diplomats have been expelled from France, it continues to run agents there, often through ‘‘increasingly arms-length recruitment’’ online, says Galeotti. Those pulled into missions may not even realise they are working for the Russians.
And the Kremlin is expert in magnifying existing concerns, whether it’s the money spent on Olympic stadiums or the plight of Palestinians.
‘‘Some attacks are clearly organised by Moscow,’’ says Galeotti, but others are better disguised, anonymously tapping into the extremist fringe, ‘‘in a similar way to Islamic State’’.
At the other end of the spectrum, one fake Tom Cruise film may seem so bizarre it’s almost ‘‘taking the piss’’, but Galeotti explains it’s all part of Russia’s storm of ‘‘info noise’’.
When there are so many bizarre conspiracies, so many competing versions of events, almost nothing can be believed. Not even an actor who does his own stunts.