Ransomware attack locked a football club's turnstiles

Cyber criminals are targeting sports teams, leagues and organisational bodies – and in many cases, their attacks are successful, warns the NCSC.
Written by Danny Palmer, Senior Writer

Cyber criminals and hackers are actively taking aim at sports teams, organisations and leagues with phishing, ransomware attacks and more in attempts to scam huge sums of money.

The UK's National Cyber Security Centre has detailed the cyber threats faced by the elite sports industry – and revealed that more than 70% of sports institutions have been the victim of some kind of attempted cyberattack or hacking incident over the past 12 months.

Almost a third had recorded at least five attempted attacks, which are predominantly conducted by financially motivated criminals – although the report warns there's a chance nation states could attempt campaigns against sports organisations, particularly those that are involved with international events such as the Olympic Games.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

The key cyberattacks that sports organisations are warned to protect themselves against are business email compromise phishing attacks, fraud, and ransomware campaigns being used to shut down critical event systems and stadiums – a quarter of malware attacks targeting sports organisations are said to have involved ransomware.

One incident includes the email account of a Premier League football club's managing director being hacked before a transfer negotiation, which almost led to the £1m fee being stolen by cyber criminals as part of a business email compromise scheme.

The director inadvertently entered their credentials into a spoof Office365 login page that provided the attackers with their details and the ability to monitor their emails – including one about the impending transfer of a player.

Attackers used the stolen credentials to start a dialogue between the two clubs and the deal was even approved – but the payment didn't go through because the bank identified the cyber criminals' account as fraudulent.

Meanwhile, a ransomware attack against an English football club crippled corporate and security systems, stopping the turnstiles from working, something that stopped fans being able to get in or out of the stadium and almost led to the cancellation of the league fixture, which would have cost the club hundreds of thousands of pounds in lost income.

It's believed that attackers got into the network via a phishing email or by remote access to the connected CCTV system. Once the hackers were in, they could spread across the network, as it was not segmented. The attackers demanded 400 bitcoin (almost £300,000) but the club didn't pay, eventually restoring the network themselves.

Another incident detailed in the NCSC's Cyber Threat to Sports Organisations report reveals that a member of staff at a racecourse had £15,000 stolen in a scam where attackers spoofed eBay.

The warning to sports clubs and league bodies to stay alert for cyberattacks comes at a time when many are already struggling with finances due to the impact of the coronavirus pandemic on sports fixtures, many of which have been cancelled or are being forced to be played behind closed doors. The prospect of losing more money because of a cyberattack could, therefore, be highly damaging.

"While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real," said Paul Chichester, director of operations at the NCSC.

"I would urge sporting bodies to use this time to look at where they can improve their cybersecurity – doing so now will help protect them and millions of fans from the consequences of cybercrime."

SEE: Ransomware attacks jump as crooks target remote working

Almost a third of the reported incidents detailed by the NCSC paper resulted in direct financial damage at an average cost of £10,000 each time – with the biggest single loss coming in at over £4 million.

To help protect against cyberattacks, the NCSC recommends that sports organisations should implement email security controls, something that the report says "isn't routinely applied" throughout the sector. Organisations should also ensure that staff receive cybersecurity training and that cyber-risk management is taken seriously at all levels.

And to protect against ransomware and other cyberattacks targeting infrastructure, organisations should make sure that all systems are patched with the latest security updates to stop criminals exploiting known vulnerabilities. Remote access should also be restricted where it isn't necessary.


Editorial standards