On Monday Russian president Vladimir Putin said there were 25 million attempted cyber-attacks targeting the country's "information infrastructure" linked to the World Cup. At a meeting with representatives of 55 intelligence units from 34 countries who worked on securing the tournament, Putin said that it was thanks to Russia's tight security that there were no "serious incidents" and "people who came to our country really felt they were safe."
Sean Sullivan, security advisor at F-Secure, emailed SC Media UK to put those big numbers into perspective, commenting: "Clearly there weren't 25 million 'cyber-attacks'. (Which would be physically destructive if properly defined.) And what about DDoS attacks? Unlikely. What then? IP addresses and other related activity? Probably. I have no doubt that threat monitoring would have generated 25 million suspicious data points during the World Cup.
"So, it would be more accurate to say something such as unauthorised network scans and DDoS attempts were monitored and successfully mitigated on an impressive scale, requiring tens of millions of data points to be processed. Well done to Russia’s security teams. But that doesn’t sound as impressive, politically speaking, does it?"
David Grout, technical director at FireEye Southern Europe, agreed that 25 million attacks did seem like a surprisingly high number, but added that it was not necessarily so surprising for those who work in the field. He emailed SC Media UK to note that even before the competition started there was evidence of phishing attacks.
He commented: "There are two main categories of risk associated with events like the World Cup.
"The first one is those with a financial objective. This includes the phishing attacks that started several weeks before the tournament and carried on throughout. These campaigns use several levers such as low-cost ticket offers, the chance to win a trip to Russia, and promotions for items related to the World Cup (national team jerseys, mugs featuring players etc). In order to increase their credibility, attackers mostly buy domains that resonate with the World Cup event, so victims can receive spam or phishing emails with addresses containing terms such as Russia, FIFA, Russia2018, FIFA2018 and worldcup, which are very regularly used in more complete domain instances like worldcup.monsite.site. The objective is to deceive the eye of an unwise user. The main goal in this type of attack is to recover your banking information and force you to go through with the transaction to get the card number, expiration date and also CCV.
"The second risk comes from state-sponsored groups which will attempt to destabilise the IT and EO infrastructure used during the World Cup. A tool commonly used to do this is a distributed denial of service or DDoS attack, which takes down websites to make the organisers look vulnerable. Historically we've seen an acceleration of attacks and leaks of information trying to discredit the actions of an organisation tied to an event, the most notorious example being the APT28 campaign against the World Anti-Doping Agency (WADA)."
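The event-keyword domain pattern Grout describes (terms such as Russia2018 or worldcup embedded in a lookalike host like worldcup.monsite.site) is something a mail gateway can flag cheaply. The script below is an added example written for this article, not code from F-Secure, FireEye or SC Media; it assumes a small allowlist of trusted sender domains (only fifa.com here) and runs over a handful of constructed From: header values. It also catches the variant where a trusted name is used as a subdomain of an unrelated registered domain, which the article's quote does not spell out.

```python
from email.utils import parseaddr

# Event-themed terms the article quotes as typical in World Cup phishing domains.
# Listed longest first so the most specific match is kept when they overlap.
EVENT_KEYWORDS = ("russia2018", "fifa2018", "worldcup", "fifa", "russia")

# Assumed allowlist of sender domains the organisation trusts (constructed for
# this example; a real deployment maintains its own list).
ALLOWED_DOMAINS = {"fifa.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'worldcup.monsite.site' -> 'monsite.site'.

    Deliberate simplification: no Public Suffix List lookup, so 'x.example.co.uk'
    would come back as 'co.uk'. Enough to demonstrate the subdomain trick; use a
    PSL-aware library in production.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def event_keywords_in(host: str) -> list[str]:
    """Keywords found anywhere in the hostname (case-insensitive substring match).

    Overlapping hits are collapsed: 'russia2018' subsumes 'russia'.
    """
    lowered = host.lower()
    hits = [kw for kw in EVENT_KEYWORDS if kw in lowered]
    return [kw for kw in hits if not any(kw != other and kw in other for other in hits)]


def assess_sender(header_value: str) -> dict:
    """Classify one From: header value.

    Verdicts: 'allowed'    registered domain is on the allowlist
              'suspicious' not allowlisted and event keywords appear in the host
                           or in the display name
              'clean'      neither
    """
    display_name, addr = parseaddr(header_value)
    host = addr.rpartition("@")[2]
    reg = registered_domain(host) if host else ""
    if reg in ALLOWED_DOMAINS:
        return {"address": addr, "registered_domain": reg, "verdict": "allowed", "keywords": []}
    hits = event_keywords_in(host)
    # A lookalike display name (e.g. 'FIFA') on a non-allowlisted domain is a second signal.
    name_hit = any(kw in display_name.lower() for kw in EVENT_KEYWORDS)
    verdict = "suspicious" if (hits or name_hit) else "clean"
    return {"address": addr, "registered_domain": reg, "verdict": verdict, "keywords": hits}


# Constructed sample From: headers (not real senders).
SAMPLE_FROM_HEADERS = [
    "FIFA Ticketing <news@fifa.com>",                  # legitimate, allowlisted domain
    "Cheap Tickets <promo@worldcup.monsite.site>",     # the article's own example pattern
    "Win a Trip <offers@russia2018-tickets.example>",  # event keyword in the registered domain
    "FIFA <support@fifa.com.evil.example>",            # trusted name used as a subdomain
    "Alice <alice@example.org>",                       # unrelated mail
]


def scan(headers: list[str]) -> list[dict]:
    """Assess every header value and return the results in order."""
    return [assess_sender(h) for h in headers]


if __name__ == "__main__":
    for r in scan(SAMPLE_FROM_HEADERS):
        print(f"{r['verdict']:10} {r['address']:38} reg={r['registered_domain']} kw={r['keywords']}")
```

The allowlist check runs before the keyword check on purpose: the trusted organiser's own mail will obviously contain the event terms, so only senders outside the allowlist are scored on them.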
In his press statement Grout did not specifically draw attention to APT28's activity being widely attributed to the Russian government, but Putin's statement appears to serve as context for Russia's own actions, implying that "everyone is at it" when it comes to cyber-attacks, and combining the somewhat contradictory messages that Russia too is a victim and that its defences withstand such attacks.