During the Olympics, cyber threat actors are going for gold, too.

They disrupted WiFi and other digital infrastructure during PyeongChang 2018. In Tokyo 2021, Russian threat actors attempted to sabotage pre-Games activities. In Paris 2024, we observed a spike in DDoS attempts, Olympics-themed phishing attempts and scam traffic. No doubt about it — infrastructure, venues and local suppliers contributing to the games also become part of the wider Olympic attack surface. With over 3 billion people around the world expected to watch the games, there is a lot at stake.

For athletes and defenders alike, winners will be determined by preparation and strategy.

Why Attackers Love Global Events

A Target-Rich Environment

The sheer volume of people, systems, money and data involved in the Olympics creates a target-rich environment for attackers.

High-Value Marks

Nation-state actors will take advantage of close access to VIPs, mounting sophisticated attacks to surveil them and their staff.

Critical Infrastructure

The integration of utilities, transportation, stadium functions and more creates complexity and gaps that attackers can exploit.

Geopolitical Tensions

Given a divisive political climate, groups or individual actors may attempt to hijack or deface digital infrastructure to amplify their stance.

Attackers, Motives and Tactics

The Milano Cortina 2026 Winter Games will draw attackers of all types, from petty scammers to nation-state actors. Though their tactics may overlap, their motives and degree of sophistication will vary widely. It’s critical to understand what they’re after, how they’ll go about it and which groups will most likely target your organization.

RANSOMWARE GANGS

Financially motivated crime

Ransomware gangs extort money from victims by encrypting and stealing data, or creating a chokepoint by disrupting critical systems — often systems that support a smooth attendee experience. This gives attackers the leverage they need to extort a ransom payment.

Dark Scorpius

Dark Scorpius gains initial access through phishing, impersonating IT staff, email bombing and social engineering, then tricks victims into granting remote control through tools like Windows Quick Assist. Then they move fast. We’ve observed them go from initial access to exfiltration in just 14 hours.

NATION-STATE ACTORS

High-Level Espionage

These groups operate with the flexibility of cybercriminals while enjoying the resources of government sponsorship. Their greatest tool is patience. They infiltrate targets and deepen their position over years, avoiding detection to steal code, data and secrets.

Fighting Ursa

Fighting Ursa, likely backed by Russia, favors phishing through spoofed websites and spearphishing emails containing weaponized documents and links. Once inside, they use proprietary software for tunneling, reconnaissance and command-and-control.

HACKTIVIST GROUPS

Mass Disruption

Hacktivists seek to embarrass and undermine targets while amplifying their ideological message. They want publicity, and they get it through hijacking services and doxxing key figures, releasing sensitive material to the world in order to incite shame and harassment.

Anonymous

Known for their signature Guy Fawkes masks and high-profile attacks, Anonymous typically gains access by scanning public systems for open ports, unsecured or misconfigured servers and leaked credentials. That gives them access to take over websites and social media accounts.

Tactics to Guard Against

Attackers’ motives and methods often overlap. Here are a few common tactics we’ve observed threat actors deploy in Olympic Games scenarios.

Phishing

According to our research, phishing remains the most common initial access vector, especially in the form of business email compromise (BEC). The Milano Cortina 2026 Winter Games will offer a high volume of potential victims, especially as attackers use AI to create more convincing phishing assets quickly and at scale. They may pose as partner organizations, regulatory agencies or other entities.

Software and API Vulnerabilities

The Milano Cortina 2026 Winter Games will give rise to a large, complex digital ecosystem replete with vulnerabilities both old and new. From misconfigurations to unpatched frameworks, from dangling DNS records to overlooked access controls, attackers use AI to sweep for these weak points in order to identify the easiest path to access.

Previously Compromised Credentials

Threat actors may skip phishing in favor of buying compromised or leaked credentials on the Dark Web. If staff, vendors or contractors reuse passwords across multiple accounts, a single set of credentials may lend broad access to cloud, CMS, logistics systems and more — especially if multifactor authentication (MFA) isn’t enforced.

DDoS Attacks

In this common disruption tactic, attackers overwhelm the target service with traffic (usually with botnets) to knock it offline. Distributed Denial of Service (DDoS) attacks are often used as a distraction from data exfiltration, ransomware deployment or efforts to establish persistent access. In the context of the Milano Cortina 2026 Winter Games, DDoS attacks may target attendee-facing systems like turnstiles, ticketing platforms and event websites.

Spotlight On Social Engineering

With social engineering attacks, malicious actors exploit the trust organizations must place in each other. Global events provide ample social engineering opportunities because many organizations must interact with each other in new ways that create gaps and complexity.

Business Email Compromise

In 76% of phishing cases, attackers gained access through business email compromise (BEC). BEC relies on carefully crafted, socially engineered messages that appear to come from trusted sources like leadership, vendors or partners. Attackers impersonating these figures can pressure victims into approving fraudulent invoices, making fraudulent vendor changes, circumventing multifactor authentication (MFA) and other controls, and more.

AI Attacks and Deepfakes

We’ve seen attackers create highly convincing deepfakes and emails with minimal technical effort or expense. With just a few samples of, say, a CEO’s emails and speaking engagements, attackers can train malicious AI to impersonate anyone. Under this disguise, the typical signs of a scam, like urgency and commands to shortcut approved policies, are more likely to go unnoticed.

High Touch Impersonation

IT staff hold the keys to the digital kingdom, and attackers target them to gain access. They research a target’s service desk processes, staff and systems so they can convincingly impersonate a legitimate user and request password resets or bypass MFA. When successful, the attacker logs into the target’s account, where they can escalate their own privileges, set up forwarding rules, register new MFA devices and create backdoor accounts.

ClickFix Campaigns

ClickFix attacks trick users into self-remediating a supposed problem by clicking a malicious link or accidentally executing malicious code. An attacker may send a phishing email that looks like an automated alert or system notification, prompting the victim to “Click here to reset an expired password” or engage with a fraudulent CAPTCHA test. When they click, the victim may download malware or be redirected to a fake login page where their credentials are harvested.

SEO Poisoning

For this tactic, attackers deploy malicious websites, then manipulate search engine optimization (SEO) techniques to make that site or page rank high in search results. These pages often look like legitimate sites or imitate login portals that users reach through search engines. Engaging with the fraudulent site can trigger malware downloads, steal credentials or deliver fake software updates and tech support scams.

Threat Actors: Who to Watch

Threat Profile: Muddled Libra

In 2025 alone, we’ve observed Muddled Libra (aka Scattered Spider, UNC3944) activity in the government, retail, insurance and aviation sectors. They extract large ransoms, in the tens of millions, often in cryptocurrency. It is undetermined whether this group is state-sponsored, but they operate with a high degree of sophistication and are fluent in English.

Unlike other cyber actors, Muddled Libra performs extensive reconnaissance, accessing the target’s own technical documentation and incident response processes to understand where to place implants and how defenders are likely to respond.

They research employees, too, so when they call the help desk — a shift from text-based phishing to voice-based phishing — impersonating executives or remote workers, they sound that much more convincing. By using details gathered from data breaches, previous compromises, and even social media accounts, they can answer identity verification questions and pressure help desk staff to reset passwords or enroll new MFA devices. This direct exploitation of human trust and standard IT workflows allows Muddled Libra to bypass several layers of defense and gain deep access to corporate environments.

Here’s how the group could hypothetically pivot from initial access via social engineering of a help desk employee, to escalating privileges, to domain admin rights in about 40 minutes.

[Diagram: hypothetical Muddled Libra path from help desk social engineering to domain admin rights in about 40 minutes]
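As an added illustration, not taken from the report or from Palo Alto Networks, the Python sketch below shows how a defender might correlate identity-audit events into a detection for the help-desk impersonation chain described above: a help-desk password reset followed, within a short window, by a new MFA device registration, a mailbox forwarding rule, a role assignment or an account creation, weighted higher when the follow-on action comes from outside corporate address space. The event records, field names, the 10.0.0.0/8 corporate range, the risk weights and the threshold are all constructed assumptions; map them onto your own IdP and mail-platform audit schema before use.

```python
"""Correlate identity-audit events into a help-desk account-takeover alert.

Added example. The schema, sample events, network ranges and weights are
constructed for illustration and are not from any real audit log.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: address space this example treats as "corporate".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed risk weights for actions seen shortly after a help-desk reset.
POST_RESET_WEIGHTS = {
    "mfa_device_registered": 2,
    "mailbox_forwarding_rule_created": 2,
    "account_created": 2,
    "role_assigned": 3,
}
EXTERNAL_IP_BONUS = 1  # extra weight when the action comes from outside corporate ranges

# Constructed sample events (not real logs): ts, user, action, actor, src_ip.
SAMPLE_EVENTS = [
    {"ts": "2026-02-06T09:02:10", "user": "j.rossi", "action": "helpdesk_password_reset",
     "actor": "helpdesk.agent1", "src_ip": "10.0.5.21"},
    {"ts": "2026-02-06T09:06:45", "user": "j.rossi", "action": "mfa_device_registered",
     "actor": "j.rossi", "src_ip": "203.0.113.77"},
    {"ts": "2026-02-06T09:11:03", "user": "j.rossi", "action": "mailbox_forwarding_rule_created",
     "actor": "j.rossi", "src_ip": "203.0.113.77"},
    {"ts": "2026-02-06T09:25:30", "user": "j.rossi", "action": "role_assigned",
     "actor": "j.rossi", "src_ip": "203.0.113.77"},
    # Benign: reset in the morning, device enrolled hours later from the office.
    {"ts": "2026-02-06T10:15:00", "user": "m.bianchi", "action": "helpdesk_password_reset",
     "actor": "helpdesk.agent2", "src_ip": "10.0.5.22"},
    {"ts": "2026-02-06T14:40:00", "user": "m.bianchi", "action": "mfa_device_registered",
     "actor": "m.bianchi", "src_ip": "10.0.7.14"},
]


def _is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def detect_helpdesk_takeover(events, window_minutes=60, threshold=4):
    """Return one alert per help-desk password reset that is followed, within
    window_minutes, by enough weighted high-risk actions on the same account."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[ev["user"]].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "helpdesk_password_reset":
                continue
            reset_at = datetime.fromisoformat(ev["ts"])
            score, indicators = 0, []
            for follow in evs[i + 1:]:
                if datetime.fromisoformat(follow["ts"]) - reset_at > window:
                    break  # events are sorted, so nothing later is in the window
                weight = POST_RESET_WEIGHTS.get(follow["action"])
                if weight is None:
                    continue
                if not _is_corporate(follow["src_ip"]):
                    weight += EXTERNAL_IP_BONUS
                score += weight
                indicators.append(f'{follow["action"]}@{follow["ts"]} from {follow["src_ip"]}')
            if score >= threshold:
                alerts.append({"user": user, "reset_ts": ev["ts"], "reset_by": ev["actor"],
                               "score": score, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_EVENTS):
        print(f'ALERT {alert["user"]}: reset by {alert["reset_by"]} at {alert["reset_ts"]}, '
              f'score {alert["score"]}')
        for ind in alert["indicators"]:
            print("   -", ind)
```

On the constructed sample, j.rossi trips the rule (three follow-on actions from an external address inside the window) while m.bianchi does not, because the device enrollment lands hours after the reset and from corporate space. The same correlation can be widened to a longer window with a higher threshold; the point is to treat "help-desk reset, then new MFA factor, then mailbox rule or role change" as one sequence rather than three unrelated events.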

Threat Profile: Insidious Taurus and Salt Typhoon

Insidious Taurus and Salt Typhoon are Chinese state-sponsored groups carrying out campaigns against the U.S. Though they are often grouped and talked about interchangeably, their operations are drastically different.

  • Insidious Taurus: Operational Positioning. Insidious Taurus works to compromise and maintain persistent access to America’s critical infrastructure. By pre-positioning themselves on IT networks, they are prepared to move laterally, perhaps into OT environments to cause mass disruption in energy, transportation, water and other essential services. These actors are playing the long game, using living-off-the-land techniques to evade detection and maintain footholds for years.

  • Salt Typhoon: Intelligence-Gathering Espionage. Salt Typhoon (tracked by Unit 42 as CL-STA-0967) compromises telecommunications companies across the world to conduct surveillance and espionage. They steal customer call record data, copy certain information subject to U.S. law enforcement requests pursuant to court orders and compromise the private communications of select individuals involved in government.

Below is an example of how Salt Typhoon could execute a prolonged series of network intrusions, beginning with extensive reconnaissance.

[Diagram: example of a prolonged Salt Typhoon intrusion sequence, beginning with extensive reconnaissance]

Either or both of these groups may target the Milano Cortina 2026 Winter Games. They may target vendors, service providers or event equipment that connects to routers or network appliances, giving them the ability to pivot into more critical systems. Living-off-the-land tools such as PowerShell or Windows Management Instrumentation are common to these groups’ playbooks and can help them fly under the radar.

Safeguarding Essential Services

Organizations participating in the Milano Cortina 2026 Winter Games must understand where they fit in the event’s ecosystem and coordinate defenses together. Outlined below are the services most critical to the successful execution of the Games, along with the perceived motives driving threat actors to potentially target them.

[Diagram: essential services for the Games and the threat actor motives for targeting each]

Tips for Defenders

Gearing up for your event shouldn’t require a drastic spike in cybersecurity focus. It should be a gradual intensification of your existing practices. If you stay ready, you won’t have to get ready.

See more, respond faster

Empower your SOC with comprehensive visibility across the enterprise, and the technology to identify the signal in the noise. Visibility gaps give attackers more cover. Gain full visibility from network to endpoint to cloud, and map internal and external attack surfaces to inventory all assets and connections. To reduce complexity, consolidate telemetry into a universal hub, then apply AI and machine learning to filter out the noise, gain a full picture of each threat, and respond with precision.

Accelerate zero trust adoption

Eliminate implicit trust, enforce least privilege access, and continuously verify users and devices. In the case of an intrusion, zero-trust controls drastically mitigate the impact. Work to tailor controls to support least privilege principles. Monitor users to establish behavioral baselines, so you can recognize aberrant activity. Finally, identify and verify users, devices, and apps on a continuous basis.

Secure apps and the cloud from dev to runtime

Implement MFA, just-in-time access, and continuous monitoring to reduce attack surfaces. The cloud can no longer be a blind spot. Prioritize misconfigurations, vulnerabilities, and excessive permissions by risk, so teams can achieve the most coverage for their effort. During the CI/CD process, run continuous scans that detect issues before they reach production. Apply real-time threat detection and proactive controls to protect apps, APIs, and workloads.

Strengthen detection and automated response

Use AI-driven automation to cut response time from hours to minutes. Automate analysis of security logs to surface high-priority threats faster. Use artificial intelligence and machine learning to sift through vast datasets, identifying hidden threats and anomalous behaviors. AI-assisted behavioral analytics help predict attacks before they fully materialize. The SOC should measure mean time to detect (MTTD) to gauge improvements. Regular threat hunting and correlation of signals from multiple sources tackle the “needle in a haystack” problem.

Palo Alto Networks: Your Teammate in Cyber Vigilance

Our Cyber Vigilance program equips CISOs and their teams to mitigate threats for high-profile events. The program leverages Unit 42’s unique experience with large-scale events and deep threat intelligence to put defenders ahead of malicious actors.

Pre-event | Anticipate and prepare

We work alongside organizations and governments of all types and sizes, all over the globe. No one is more in touch with the threat landscape — who’s making moves, how they operate and what tactics they employ to achieve their ends.

  • Technical Capabilities Assessment: Map your existing tech stack and architecture to ensure your security posture has visibility into potential threats.

  • Threat Profiling and Executive Briefing: Based on our threat intelligence gained by working with organizations and governments across the globe, discern who might attack you, why, and how.

  • Attack Surface Assessment: Using our cutting-edge Cortex platform, map your attack surface to pinpoint assets that may be at risk.

  • Ransomware Readiness Assessment: Evaluate how your response capabilities perform when triaging ransomware breach scenarios from real cases we’ve investigated. We’ll also assess your environment to find indicators of compromise associated with sophisticated ransomware groups.

  • Crisis and Response Training: Workshops and training for senior leadership and your SecOps team to practice managing a cyber crisis during the event.

During and post-event | Monitor and respond

  • Threat Monitoring and Incident Response on Standby: As the event goes live, we’ll continue monitoring the Dark Web for any mention of participating organizations during the event. We’ll also have incident response experts on standby with a 2-hour SLA should an incident occur.

  • Lessons Learned Workshop: After the event, we’ll conduct a lessons-learned workshop to capture what went well and what could be improved.

World-renowned threat research

For the latest threat intelligence and research, please visit Unit42.com.

Go from reactive to proactive

Our consultants serve as your trusted advisors to assess and test your security controls, transform your security strategy with an intelligence-informed approach, and respond to incidents in record time.