Liam Morgan

Early last Saturday (February 15) evening, a strange message appeared simultaneously across Twitter accounts controlled by the International Olympic Committee (IOC).

A quick Google search of the group which had claimed responsibility for the posts - OurMine - confirmed what those of us in the office had almost immediately thought: the IOC had been hacked.

While it did not take a cyber analyst to figure out what had happened, a subsequent statement from OurMine itself suggested it was not much harder to infiltrate the IOC’s social media accounts.

OurMine, thought to comprise five members and reportedly based in Saudi Arabia, claimed it had gained access through a "third-party app".

"We accessed it by security issues on FC Barcelona and Olympics employees, which allowed us to access the third-party app," the group told Business Insider.

The hack appeared to be relatively minor. Save for the message advertising the services of OurMine, which had simultaneously targeted Spanish giants FC Barcelona and lists the likes of the National Football League and Facebook among its previous victims, little damage seemed to have been done.

OurMine has also long insisted it is a "white hat" group that exists to highlight security vulnerabilities, rather than take advantage of them.

That may be the case, but what the incident served to further highlight was that sports organisations and the events they govern are often not sufficiently equipped to deal with the growing threat of cyberattacks.

The IOC was hacked by OurMine earlier this week ©ITG
The IOC was hacked by OurMine earlier this week ©ITG

The IOC administration will be acutely aware it could have been much worse, yet any breach of security - even if it just Twitter accounts that are affected - should still be treated as a concern.

After all, the IOC is a secretive organisation and has plenty of information which it would rather keep from the public domain. It also employs hundreds of people across its various departments, all of whom will be keen for their personal details to be protected.

The IOC will almost certainly look to strengthen its systems, the deficiencies of which were exposed by the hack, particularly with this year’s Olympic Games in Tokyo looming large on the horizon.

In a brief statement sent to insidethegames, the IOC said: "You will understand that maintaining secure operations is our focus, and in line with best practices for cyber security, we cannot comment on our policies."

More generally, the hack on the IOC and Barcelona - the second one on the Spanish club orchestrated by OurMine in recent years - got me thinking about cyberattacks and the increasing threat they pose to sport.

As technology develops at a rapid pace, so does the skill and ability of those who conduct these attacks. As has often been the case with anti-doping, the perpetrators are often way ahead of the protectors, a worrying imbalance for the organisations tasked with tackling what is often an invisible crime.

Such is the regularity of cyberattacks worldwide that agencies in Japan have warned to expect them during Tokyo 2020. The pessimists and doom-merchants may point to a phishing campaign uncovered by organisers late last year as evidence the foundations are already being laid for assault on the Games in the Japanese capital.

A cyberattack which caused unprecedented disruption hit the 2018 Winter Olympics in Pyeongchang ©Getty Images
A cyberattack which caused unprecedented disruption hit the 2018 Winter Olympics in Pyeongchang ©Getty Images

A possible ban on the Russian flag at the Games as part of a range of sanctions set to be imposed on the country as punishment for the state-sponsored doping scandal has only exacerbated the chance of a cyberattack at Tokyo 2020.

Tokyo 2020 will be desperate to avoid a repeat of the 2018 Winter Olympic Games in Pyeongchang, an event hit by what Andy Greenberg described in his book Sandworm as the "most deceptive" cyberattack to date.

In an excerpt from the book, published by American technology magazine WIRED, Greenberg describes the scale of the attack, a tangled web built on layer upon layer of "false flags" designed to point investigators in entirely different directions.

The United States has pinned the blame on the Russian for the attack which plunged the systems of Pyeongchang 2018 into crisis minutes before the start of the Opening Ceremony. But Greenberg highlights how reaching such a conclusion is not that simple, citing how the hackers planted Chinese and North Korean tells in an attempt to conceal who was behind "Olympic Destroyer".

This is another issue for sports bodies: if cyber security analysts who are experts in the field cannot determine with 100 per cent certainty who is responsible for these types of attacks, what chance does sport have?

Given the impending threat of a cyberattack, Pyeongchang 2018 embarked on a concerted effort in the lead-up to the Winter Olympics and Paralympics, while the South Korean Government reportedly invested around KR₩1.3 billion (£836,000/$1.1 million/€997,000) in cyber security protection in 2017.

Yet the event was still marred by arguably the most damaging cyberattack the Games has ever seen, which caused unprecedented disruption to numerous elements of the event, ranging from WiFI to ticketing.

Other organisations in the Olympic Movement, including the IOC and the World Anti-Doping Agency, have been targeted by the Russian hacking group Fancy Bear, which has released a raft of confidential information including the medical records of high-profile athletes such as Sir Mo Farah and Serena Williams.

A month after the conclusion of Pyeongchang 2018, UK Anti-Doping (UKAD) were subjected to a suspected attack by the group, linked to Russia's military intelligence service. 

In an unconnected development, The Commentator revealed earlier this month that UKAD had been sent 11,148 malicious emails in the final three months of 2019, around of third of which were examples of "phishing" - defined as a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.

The degree and extent of cyberattacks to have hit sport in recent years vary in severity, from the hacking of Twitter accounts to bringing an entire Olympic Games technology system to its knees, and the threat is unlikely to disappear anytime soon.

As OurMine warned: "Everything is hackable".