In his office on one of the top floors of the Paris Olympic organizing committee’s headquarters, Franz Regul had no doubts about what was to come.
“We will be attacked,” said Mr. Regul, who heads the team responsible for preventing cyberthreats against this year’s Summer Games in Paris.
Companies and governments around the world now have teams like Mr. Regul operates in spartan rooms equipped with banks of computer servers and screens with indicator lights that warn of incoming hacking attacks. At the Paris operations center, there is even a red light to alert staff to the greatest danger.
So far, Mr. Regul said, there have been no serious disruptions. But as the months leading up to the Olympics turn into weeks and then days and hours, he knows the number of hacking attempts and the level of risk will increase dramatically. Unlike companies and governments, however, which plan for the possibility of an attack, Mr. Regul said he knows exactly when to expect the worst.
“Not many organizations can tell you they’re going to be attacked in July and August,” he said.
Security concerns at major events like the Olympics typically focus on physical threats, such as terrorist attacks. But as the role of technology in launching the Games grows, Olympic organizers increasingly view cyberattacks as a more persistent risk.
The threats are manifold. Experts say hacking groups and countries like Russia, China, North Korea and Iran now have sophisticated operations capable of disabling not only computers and Wi-Fi networks but also digital ticketing systems, credential scanners and even timing systems for events.
Fears about hacking attacks are not just hypothetical. At the 2018 Pyeongchang Winter Olympics in South Korea, a successful attack nearly derailed the Games before they could even begin.
That cyberattack began on a cold night as fans arrived for the opening ceremony. The signs that something was wrong came at once. The Wi-Fi network, an important tool to send photos and news coverage, suddenly went down. At the same time, the official Olympics smartphone app — which holds fans’ tickets and essential transportation information — stopped working, preventing some fans from entering the stadium. Broadcast drones were grounded and internet-connected televisions meant to show images of the ceremony at the venues went blank.
But the ceremony went on, and so did the Games. Dozens of cybersecurity officials worked through the night to repel the attack and fix glitches, and the next morning there was little sign that a disaster had been averted as the first events began.
Since then, the threat to the Olympics has only grown. The cybersecurity team at the last Summer Games, in Tokyo in 2021, reported that it faces 450 million attempted “security events.” Paris expects to deal with eight to 12 times that number, Mr. Regul said.
Perhaps to reflect the scale of the threat, Paris 2024 cybersecurity officials freely use military terminology. They describe “war games” meant to test specialists and systems, and refer to feedback from “Korean veterans” that have been incorporated into their evolving defenses.
Experts say a variety of actors are behind most cyberattacks, including criminals trying to hold onto data in exchange for a lucrative ransom and protesters who want to highlight a particular cause. But most experts agree that only nation states are capable of carrying out the largest attacks.
The 2018 attack in Pyeongchang was initially blamed on North Korea, South Korea’s antagonistic neighbor. But experts, including agencies in the US and Britain, later concluded that the real culprit – now widely accepted as Russia – deliberately used techniques designed to shift the blame.
This year, Russia is again the biggest focus.
The Russian team was banned from the Olympics following the country’s invasion of Ukraine in 2022, although a small group of individual Russians will be allowed to compete as neutral athletes. France’s relations with Russia have deteriorated greatly President Emmanuel Macron recently accused Moscow of an attempt to undermine the Olympics through a disinformation campaign.
The International Olympic Committee also pointed to attempts by Russian groups to sabotage the Games. In November, the IOC issued an unusual statement saying it had been targeted by defamatory “fake news posts” after a documentary appeared on YouTube featuring an AI-generated voice-over claiming to be the actor that’s Tom Cruise.
Later, a separate post on Telegram — the encrypted messaging and content platform — mimicked a fake news item broadcast by French network Canal Plus and misrepresented that the IOC was planning to bar the Israeli and Palestinian teams from the Paris Olympics.
Earlier this year, Russian pranksters — posing as a senior African official — managed to get Thomas Bach, the IOC president, on the phone. The call was recorded and released earlier this month. Russia took up Mr. Bach’s remarks to accuse Olympic officials of engaging in a “conspiracy” to keep its team out of the Games.
In 2019, according to Microsoft, Russian state hackers attacked the computer networks of at least 16 national and international sports and antidoping organizations, including the World Anti-Doping Agency, which at the time was poised to to announce sanctions against Russia related to its state-sponsored doping program.
Three years earlier, Russia targeted antidoping officials at the Rio de Janeiro Summer Olympics. According to indictments of several Russian military intelligence officers filed by the United States Department of Justiceoperatives in that incident spoofed hotel Wi-Fi networks used by Brazilian antidoping officials to successfully break into their organization’s email networks and databases.
Ciaran Martin, who served as the first chief executive of Britain’s national cybersecurity centre, said Russia’s past behavior made it the “clearest disruptive threat” to the Paris Games. He said areas that could be targeted include event scheduling, public broadcasting and ticketing systems.
“Imagine if all the athletes were there on time, but the iPhone scanning system at the gate went down,” said Mr. Martin, who is now a professor at the Blavatnik School of Government at the University of Oxford.
“Are you going to a half-empty stadium, or are we going to delay?” he added. “Even to be put in that position where you have to postpone it or have world-class athletes in the biggest event of their lives performing in front of a half-empty stadium – that’s really a failure.”
Mr. Regul, Paris’s cybersecurity chief, declined to speculate about any specific countries that might be targeted at this summer’s Games. But he said organizers are preparing to counter measures specific to countries that represent a “strong cyberthreat.”
This year, Paris organizers are holding what they call “war games” in conjunction with the IOC and partners like Atos, the Games’ official technology partner, to prepare for attacks. In those exercises, so-called ethical hackers are hired to attack systems set up for the Games, and “bug bounties” are offered to those who discover vulnerabilities.
Hackers have previously targeted sports organizations with malicious emails, fictitious personas, stolen passwords and malware. Since last year, new employees at the Paris organizing committee have undergone training to spot phishing scams.
“Not everything is good,” said Mr. Regul.
In at least one case, a Games staffer paid an invoice into an account after receiving an email impersonating another committee official. Cybersecurity staff also discovered an email account that attempted to impersonate the one assigned to Paris 2024 chief Tony Estanguet.
Millions more attempts will come. Cyberattacks have generally become “weapons of mass irritation rather than weapons of mass destruction,” said Mr. Martin, the former British cybersecurity official.
“At their worst,” he said, “they become weapons of mass disruption.”