A government official told Kyodo News on Wednesday that login IDs and passwords for the Tokyo Olympic ticket portal had been posted to a leak website following a breach.
The official said the leak was “not large” but admitted that the IDs and passwords would give someone access to a person’s name, address, bank account information and more.
Speaking anonymously, the government source said the body organizing the Games has launched an investigation. The leak also included names, addresses and bank account information of people who bought tickets to the Paralympics as well as another portal for volunteers. They did not say how many accounts had been leaked.
The news came one day after the FBI released a private industry alert urging organizations working with the Tokyo 2020 Summer Olympics to prepare for a wave of “DDoS attacks, ransomware, social engineering, phishing campaigns, or insider threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak or hold hostage sensitive data, or impact public or private digital infrastructure supporting the Olympics.”
“Malicious activity could disrupt multiple functions, including media broadcasting environments, hospitality, transit, ticketing, or security,” the FBI notice said on Tuesday. “The FBI to date is not aware of any specific cyber threat against these Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.”
The notice goes on to reference the Pyeongchang cyberattack that took place during the last Olympics in February 2018, where Russian hackers deployed the OlympicDestroyer malware and damaged web servers during the opening ceremony.
The hackers “obfuscated the true source of the malware by emulating code used by a North Korean group, creating the potential for misattribution,” according to the notice. In October, the Justice Department indicted six Russian intelligence operatives for the attack on the Pyeongchang Games.
In addition to widespread spearphishing campaigns and more targeted at Olympic officials in Japan, the notice also warns of potential attacks on “hotels, mass transit providers, ticketing services, event security infrastructure or similar Olympics support functions.”
The FBI added that two months ago, Japanese IT giant Fujitsu reported a breach that leaked data from many of its government clients including the Tokyo 2020 Organizing Committee and the Japanese Ministry of Land, Infrastructure, Transport, and Tourism.
In October, the UK released a similar warning explicitly naming the Russian government as backers of a widespread campaign to launch attacks against the coming Olympic Games.
Foreign Secretary Dominic Raab said Russia’s military intelligence service, the GRU, was conducting “cyber reconnaissance” against officials and organizations at the 2020 Olympic and Paralympic Games. He added that the GRU’s actions against the Olympic and Paralympic Games were “cynical and reckless.”
Tony Cole, CTO of Attivo Networks, said that in discussions with Olympic organizers focused on cyberdefense in Rio 2016 and Tokyo 2021, some told him that even years of preparation may not be enough to protect everything.
“Well-resourced and determined adversaries will find a path into the environment sooner or later, so early detection is the key to countering these attacks and mitigating possible impacts,” Cole said.
