Research Saturday 12.10.22
Ep 261 | 12.10.22

Cybersecurity during the World Cup.

Transcript

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

AJ Nash: You know, any time there's a major event, like you said, you know, look, the World Cup now, it could be, you know, the Olympics, there's - first of all, there's a lot of preparation that goes into it. 

Dave Bittner: That's AJ Nash. He's vice president and distinguished fellow for intelligence at ZeroFox. The research we're discussing today is titled "Qatar 2022 World Cup Event Assessment."

AJ Nash: You know, getting set up for this, everybody understands the threat is going to increase at these events, both physical security and cybersecurity, so there's a lot of buildup to that. And organizations tend to set up these large SOCs, or these security operations centers, bring in lots of different government agencies, vendors from around the world, to really set up. So a lot of preparation has gone into this prior to the event ever kicking off. 

AJ Nash: I personally have been involved in some of the run-up for a couple of Olympics. I've seen how that works out. And in doing that, there's a lot of prep work done to understand who are the likely threats, what are the likely tactics, techniques and procedures as related to the technology? So there's a whole acquisition process that goes into that as well. What technology should we acquire - anything from, you know, your comms - you know, whether it's, you know, your cell phone systems, your chat systems, you know, what communication structures you're going to have - but also ticketing, you know, point of sale, you know, all the things you would expect that are with these big events, including accommodations, you know, hotel reservation systems and transportation systems. You know, they have a new metro system - right? - a new train system. So all of that had to be prepared for. That's, you know, that's why these events take years to prepare for. It's not just the construction projects to get that set up. 

AJ Nash: And then as you start getting closer to the event, you know, those SOCs get run up and you start running, you know, your collections to understand what are we expecting to see? There's also a whole social media monitoring campaign that goes with that and dark web research to try to stay ahead of adversaries and understand what they might be interested in. Generally, large events like this, you're looking at a couple of different types of adversaries. There's certainly going to be the financial. There always is. Whenever there's money, there's criminals. There's certainly going to be a financial aspect to it - somebody trying to set up, you know, scams for tickets for, like I said, accommodations, all of these things. 

AJ Nash: But with these larger events like the World Cup, like the Olympics, there's a political aspect to these. You know, you have a lot of nations from around the world getting together. They don't all agree on things, and, therefore, they're, you know, people don't all agree. So there's almost always going to be some level of political concerns. You have to look for hacktivists, you have to look for terrorism, you know, social activism and how that might play a role, protests and things like that. And then that's all overlaid on the laws of the nation, the host nation, right? So the laws, for instance, in Canada or the U.S. or Paris would be very different than the laws in Qatar and how those type of activities are going to be, you know, treated. 

AJ Nash: So all of that, I'm quite confident, has gone on for, oh, since this was awarded 10 years ago, but certainly for the last couple of years in building up that knowledge base and that level of comfort of what we should expect to see and what preparations are in place to account for it. 

Dave Bittner: Can we go through some of the key elements that you and your colleagues report on here in the publication, you know, some of the real - I don't know - proximate things that they're looking out for here? 

AJ Nash: Yeah. I think - and we've seen some of these reported in the media, right? So you're looking for, you know, human rights activists. There's been a lot of discussion there in Qatar and their policies towards the LGBTQ community. There was a bit of an uproar - actually unrelated to that - but got through at the last minute - changed the policy on alcoholic beverages and where those were going to be located. And so Budweiser, you know, had some issues with that because they were sponsors. So you have to look for... 

Dave Bittner: Right. 

AJ Nash: ...What you're going to see there in terms of responses. Are people going to, you know, have adverse responses physically? But also, you know, in cyber, anytime someone is upset, it can trigger an event like that. 

Dave Bittner: I saw that some of the crowds were the - I believe it was the Brits who were chanting, we want beer, because there was no beer in the stadium. 

AJ Nash: Exactly - yeah. It was a last-minute change. Qatar made a few changes at the end there that FIFA took some grief for and had to make some public statements about that people have been upset about, you know? And really, this entire event, there's been some controversy from the beginning when Qatar was first awarded World Cup. And so that's sort of plagued them along the way and some, you know, whispers of how they were able to acquire the World Cup. So any sort... 

Dave Bittner: Right. 

AJ Nash: ...Of changes like that at the last minute aren't favorable to them. But some of the things we covered in the paper specifically - certainly ticketing scams, again, are a big challenge. They are in any kind of event like this. And we have some examples of efforts, you know, to exploit folks with that, some phishing campaigns that tied, you know, lures. The World Cup is, again, a major event - like any major event - is a great lure when you get into phishing campaigns, whether it's, again, a sporting event, whether it's COVID, whether it's an election, anytime there's something that captures the attention of the world, you can really bet on somebody turning that into a phishing campaign. So we've certainly seen a jump in some phishing campaigns tied to COVID. Now we've seen them tied to FIFA, Qatar 2022, you know, fake campaigns to get free tickets and, you know, things that have been tied to cryptocurrency. Anything to try to steal people's money, of course, has been available. 

AJ Nash: Social engineering always comes into play, you know, again, using things like fake lotteries. You know, counterfeit ticket sales have been tied to that, too. So people are targeting folks through social engineering campaigns. And again, the lure is this event. You know, these tickets are expensive, they're hard to come by. This is the world's largest sporting event. I'm pretty confident. It's between this and the Olympics, but I think this is the biggest one. So, you know, it's a massively popular sport. 

AJ Nash: So there's, again, that opportunity. As people want something, whatever that want is, as that want grows, their caution shrinks, you know. So for instance, I know we've talked before about Black Friday events and scams with that. As you really want that hot thing, you talk yourself into believing things you know you shouldn't. Same thing will happen with something like a World Cup. So scams are on the rise as a result of that. And we covered some of that. Mobile app security, another piece that came up here, you know, it's a requirement for everybody 18 and over going to the Qatar World Cup to download an app on a couple of different apps. So that opens the door for concerns about monitoring. You know, are those apps, you know, going to be hacked? Are they being monitored? You know, what's the security that ties to that? And how does that tie back to local authorities, if not, you know, criminals and those who might want to do harm, right? So we did touch a bit on that as well. 

Dave Bittner: I'm curious. You know, the - to me, this really points out the importance of the collaboration between, say, the cyber teams and the physical security teams, how - when you have a big event like this, whether it's this or the Olympics, anything, a Super Bowl - that that flow of information really has to be there. 

AJ Nash: Yeah, 100%. You know, we talk regularly about this, you know, the connection, like you said, between the cyber and the physical world. These are so interrelated. And events like this really amplify that. You know, it's true in daily life. You know, I talk a lot with organizations about the need to have these fusion centers to understand that things that we see in cyberspace can be indicators of a physical event. We see planning, in fact. And things that are happening physically could be tied to a cyber event. A physical attack could be used as a distraction while a cyber event goes on that's being unnoticed. 

AJ Nash: So that's always been true, but never more so than when you get into these large-scale events, again, where you really have to do that. This is why these organizations have these giant SOCs. And they spend a lot of time and energy and money and really get the best resources in the world together to do these events because you have a very small period of time to be as close to perfect as possible. And adversaries who want to do harm, again, the financial is there. But let's say you're politically motivated and you want to do harm. This is the world's biggest stage for that. And folks are expected to protect against that. 

AJ Nash: So there's - the pressure is very high. And you want to bring all of your resources together so that you're able to work together. If something's going on physically, you want to see what's going on in social media, what's being talked about, what's known, you know, what's suspected, what's being claimed. If something's happening on social media and there's discussions about, you know, frustrations about things, are people frustrated and, you know, venting or are they planning to do something about it? Is there an attack that's coming with this? You know, and if bad things do happen, also being able to go back and look, you know, in the places you might expect to find, you know, criminals talking about that, you know. So you can look for attribution or you can look for if data was stolen or where it might have gone or if money was stolen, you know, where it might have been transferred to - or crypto or something like that. 

AJ Nash: So in daily life for large enterprises, certainly I believe these should be fused together. Fusion cells are incredibly important, that cyber and physical work hand in hand on these things. When you're stovepiped, you're really not doing yourself a bit of good, frankly. But in these events is the only time we've consistently seen people seem to pull that together through multiple World Cups and World Series and Super Bowls and Olympics and that kind of thing. We do see that comes together more than ever. 

Dave Bittner: You know, you mentioned that you've had some involvement with Olympic Games in the past. And I'm curious if you have any insights on kind of how it's organized. I mean, is it - does the host country take the lead when it comes to cybersecurity and then the other nations come in and say, yeah, that's good enough for us or we need something in addition to that? Or how does that international collaboration generally work?

AJ Nash: That's a good question. I can speak to the ones I've seen personally. So obviously, I can't speak to all of them. But in the ones I've seen personally in the run-up to that - so the host nation, along with the International Olympic Committee in this case, worked together on this. So I have some experience from Brazil Olympics and from Japan, from Tokyo and how that was done. And it's intense. There's good reason these Olympic events - and I'm sure it's the same with the World Cup. I have to admit, I haven't watched this - the run-up on the inside. There's a good reason these are put so far in advance. I mean, obviously, there's a lot of infrastructure needs to be built. But also, all of this planning takes a lot of time. 

AJ Nash: So there's a lot of interview processes with different vendors. There's a lot of work with different government agencies. From my experience, what I saw was countries really focusing on, we just want the best practices. We want to do this well. I did see a lot of great teamwork and communication. Obviously, vendors are looking to, you know, fight for that business. There's money in there. But I always saw a lot of companies that were willing to work really well together. You know, these nations want to succeed. They want these to be successful events. They're worth a lot of money. They're a lot of prestige. But they also want to keep people safe. 

AJ Nash: And, you know, nobody wants to see - we've had terrible events, you know, years and years ago in the Olympics. No one wants to see something like that again. There's a lot of work that goes into planning that out. But it's - they bring in incredible experts from around the world. And, of course, you know, if you're in this field and you want to do good things, that's where you want to be. You know, the Super Bowl, for instance, use that as an example, is the greatest football event of the year in America. But if you were a cybersecurity expert or a physical security expert, that is your Super Bowl, right? I mean, this is - there's no better opportunity to do good things on a big stage and be successful. It's scary. And it's, you know, it's stressful, much like I'm sure it is for the players on the field, but it's where you want to be. 

AJ Nash: So, you know, these events attract great talent who want to be a part of it. They want a chance to contribute to success. In my experience, what I saw was amazing talent getting together, putting together incredible security practices and, you know, SOCs and backup SOCs and physical and cyber working together and working with the local law enforcement. The only complications I saw that come into it, which is just the nature of international world, is, again, countries have different laws. So then you have to also apply that. So for instance, the ability to monitor domestic communications when somebody like the U.S. or Canada were to host a large event might be different than it is if somebody in, well, Qatar or UAE or Russia or any number of countries, right? I'm not trying to pick out countries specifically. Laws are just different, you know, locally. 

Dave Bittner: Yeah. 

AJ Nash: So also applying that to what you're doing and saying, hey, here's the things we are able to do or the things we're not able to do. How do we account for that? Or how do you build the right relationships with local law enforcement to make things, you know, legal? You do want to stay within law, both domestic and international. So working with the local agencies, the federal agencies, for whatever the host nation is to make sure that you're doing that. And, of course, all those federal agencies have vested interest in successful events as well. So it's remarkable. I got to be honest. And I only had a small piece of those events. I'm not responsible for anything that I would claim - you know, I didn't contribute my opinion. Just a small piece of seeing how these things were being put together and having some... 

Dave Bittner: Right. 

AJ Nash: ...Involvement in the planning. It's remarkable. I don't envy the committees that have the work to do, but what I saw was diligent people who take the time and effort to do it right. It's why there's years on this. And it's - every time there's a large event like this that goes off and we don't have a major news story, it's a credit to the people behind the scenes that are making those things happen. It's hard work. And these are long events. You know, World Cup goes on for a long time. Super Bowl at least is just one day. 

Dave Bittner: Right. 

AJ Nash: You know, World Series is a week, week and a half, whatever it might be, right? The World Cup, the Olympics - these are long events. Lots of people working really hard, constantly monitoring to try to keep everybody safe. 

Dave Bittner: And I suppose there's some security awareness training that goes into everyone - or that goes toward everyone who goes there, from obviously the athletes themselves, the coaches, but I'm thinking even, you know, the folks who are there running the TV cameras and vendors and all that sort of stuff. When you're a stranger in a strange land, you know, you need to - to your point about the local laws and customs and all that kind of stuff, even when it comes to cyber, there's probably nobody who doesn't need a refresher. 

AJ Nash: Oh, 100%, I agree. You know, the reason we do a paper like this, for instance, you know, the World Cup Event Assessment, is for that. You know, this is for anybody - you know, an executive who might be going to the World Cup, for instance, or the cameraman, anybody in between, right? It's an opportunity to understand, what are the threats we should be looking for? You know, what are the local customs, rules, laws, et cetera? But there's also other things. You know, we - our team and others do the same, I'm sure. You know, we do travel assessments and briefings of that kind of thing for anybody going anywhere, frankly because you're right. There are things you would think - most of us have a bias, at least, towards what we know, right? So you might think, this is what I've always done. And then you go to a country and realize the thing you do all the time is illegal.

AJ Nash: You know, I talk about this a lot with, like, encryption or VPNs on our phones, for instance. There's countries in the world where that's illegal. And if you don't know that and you show up off the plane and your phone's encrypted and - then you may have a problem. You may not. They may enforce it; they may not. But some countries, that could be a real issue. So understanding that - you know, Qatar specifically - you know, we've seen - you know, there's - I mentioned the LGBTQ controversy. You know, the country has different customs and rules that go along with that. And folks have been protesting in some cases. And there - I've seen reports of people surprised by the law enforcement reaction to the actions they've taken. And I'm not here to decide what's right or wrong, but we all need to understand whatever the domestic laws are. You can disagree with them. We all can. But if you're in a country and you break the law of that country, you've still got a problem. You know, the reality is, you know, you can't just say, well, I'm an American. It's legal in - you know, where I'm from. It doesn't matter. It's not legal there. 

AJ Nash: So, you know, I think people need to really have these opportunities - you know, products like this one or travel assessments or some other ones - you know, to be informed. And so most of the major, you know, the sponsor organizations, the teams themselves, et cetera, as you said, yes, I think most have travel assessments and have briefings and are given those opportunities to understand what, you know, the do's and don'ts are wherever you're going. I'm not sure the general population necessarily has enough of that, though. And I think it would be good if more did.

AJ Nash: So, you know, again, part of the reason we put products like this out certainly is to help people who might be going to those events, you know, to have an understanding of what you should be looking for. It's a challenge. You know, a lot of people don't travel internationally much, if at all. You know, for many people going to Qatar, this is probably their first international trip. And if you're coming from a country that's not very similar - so not probably a local neighbor - chances are very good that it's a culture shock, and there's a lot of things you go into that country not knowing or understanding. And the results can be, you know, catastrophic for somebody, you know, personally. 

Dave Bittner: And folks who are always looking to take advantage of that - the confusion that comes from being away from home and being in a strange place where the customs aren't what you're used to. 

AJ Nash: A hundred percent, yeah, absolutely. And that can be anything as simple as, you know, what somebody charges you for a taxicab ride, right? We've all probably been there at some point - or tipping. You know, tipping is a custom that's different in other parts of the world. So as simple as that to more complex things, you know, that might relate to cybersecurity. You know, when I attach to the local Wi-Fi, is that safe or not? Should I be using Wi-Fi in this country or in this region? Can I use a VPN? Is that legal or not? And, you know, maybe it's not legal, but it's, you know, does this country actually enforce that law? Some do and some don't - or who they choose to enforce it against? 

AJ Nash: You know, I talk a lot with the Middle East. You know, it comes into play sometimes as - listen, the definition of pornography is remarkably different from country to country. You know, if you have a picture of somebody who is just on a calendar that would've been considered a PG picture in the United States, it may not be in a different culture. And if that's the kind of thing you happen to have on your phone, that could be a problem for you. So, you know, what do you do about that? Make sure you know what content you have available to you because your phone could be searched in certain countries, you know, versus others. So it's those kind of details that are really challenging for people who don't focus on this a lot or don't travel a lot. And again, we - most of us see the world through our own lens, so we have our own bias. And that's not a compelling argument when you're someplace else in the world. You know, sometimes the State Department for the U.S., you know, citizens, it can help us out. But sometimes it can't. You know, I - Brittney Griner, I guess, would be the best current example, famously... 

Dave Bittner: Yeah. 

AJ Nash: ...That people are aware of now. You know, these are challenging things. So, again, reports like this, I think, are vital for people who have an opportunity to read them and go in with some knowledge. And if you're not going to do this, you know, for the local - you know, for average citizens, listen, the State Department puts out travel assessments. There's other agencies that do as well. I think it's very important. I'm thankful that we have a great team that puts these kind of reports together for folks on assessments for specific, large events - you know, the G-20 is another one we've been known to do - but also the ability to provide companies with travel assessments specific to their needs - hey, I've got an executive going to, you know, this country next month. Can you tell us everything we need to know? Those kind of things - you know, I'm glad we have a great team that does that. I'm sure it keeps a lot of people safe. 

Dave Bittner: Yeah, it's definitely a report worth checking out. I mean, even if you're not heading to the World Cup, anybody who travels or if you work with people who do, it's just - I enjoy reading these sorts of things because it kind of opens my mind up to a lot of what ifs that I probably don't consider in my day-to-day. And, you know, that kind of intellectual stimulation, I think, is always worthwhile. So hats off to you and the team for coming up with this.

AJ Nash: Yeah, thanks. I - again, my team, these guys are great. Like, nothing but credit goes to them. I'm thankful to work with brilliant people that care about keeping the world a safer place. So I'm excited to talk about them all day long. These guys do amazing work, and I'm thankful I have the chance to chat with you guys. Hopefully we can help some folks. 

Dave Bittner: Our thanks to AJ Nash from ZeroFox for joining us. The research is titled "Qatar 2022 World Cup Event Assessment." We'll have a link in the show notes. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliot Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.