Fielding Threats: Cyber, Influence, and Physical Threats to the 2022 FIFA World Cup in Qatar

Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.

This report analyzes the threat landscape ahead of the 2022 FIFA World Cup hosted in Qatar that begins on November 20, 2022. The threats analyzed include state-sponsored cyber operations, financially motivated cyber threats, influence operations, and physical security threats. This report will be of most interest to organizations involved in the hosting, running, or sponsoring of the 2022 FIFA World Cup, as well as individuals intending to participate in or attend the tournament.

Executive Summary

Whole-spectrum threats to the 2022 FIFA World Cup in Qatar are largely determined by Qatar’s unique geopolitical position on a contentious global stage, with the country enjoying good relations with major powers such as the United States (US), Europe, China, and Iran.

We have not identified any imminent, planned, or ongoing state-sponsored cyber operations linked to known advanced persistent threat (APT) groups targeting the 2022 FIFA World Cup in Qatar or its organizers, sponsors, or associated infrastructure. China, Iran, and North Korea are unlikely to conduct a disruptive attack against the tournament as they lack motivation due to their relations with Qatar, their involvement in the planning and execution of the games, or other national priorities. Nevertheless, state-sponsored APT groups tasked with foreign intelligence collection likely view the 2022 FIFA World Cup as a target-rich environment for cyber espionage and surveillance against foreign dignitaries and businesspersons alike.

Russia is an outlier and very likely harbors a strong set of grievances and thus motivation for targeting the 2022 FIFA World Cup, such as wanting to embarrass Qatar as the host country for siding with the coalition of countries supporting Ukraine’s territorial integrity, as well as to retaliate for Russia being banned from participating in the tournament. There is historical precedent for Russia conducting cyberattacks against major sporting events, although Russian APT groups are very likely distracted with Russia’s war against Ukraine and are therefore unlikely to conduct a disruptive attack against the 2022 FIFA World Cup. However, we cannot rule out that the Russian government will encourage or otherwise tacitly approve of such attacks conducted by nationalistic Russian hacktivist groups or ransomware operators.

Large international sporting events are also attractive targets for financially motivated cybercriminals. Tournament-related phishing attacks use various lures such as so-called ticket giveaways, free streaming services to watch games, fake betting websites, and tournament-adjacent items like visas and travel, hotel, and restaurant bookings. Other cybercriminal threats include, but are not limited to: fake mobile applications around the event that can distribute malware and harvest user data; sales on dark web markets and shops for counterfeit tickets and compromised credentials; and as above, ransomware attacks that would likely seek to opportunistically target victims based on accessibility, opportunity, and factors such as the ability to pay large ransom amounts.

Iran, China, and Russia’s influence activities involving the 2022 FIFA World Cup are primarily being conducted through state-owned media organizations, which emphasize and promote bilateral relations with Qatar. Iran and Russia have also sought to highlight divisions and exacerbate tensions between Qatar and Western countries that have been critical of the tournament being hosted in Qatar due to human rights concerns in the country. Similarly, Iran’s “Endless Mayfly” influence operation identified by Citizen Lab in May 2019 involved an instance of disinformation around the 2022 FIFA World Cup, which sought to exacerbate geopolitical tensions between Qatar and other Arab countries following the Qatar diplomatic crisis in June 2017.

Qatar is unlikely to face a major physical security threat during the 2022 FIFA World Cup based on a range of factors including: the country having minimal terrorist incidents in recent years; the decreased capabilities of terrorist groups most likely to target the tournament, including Islamic State in Iraq and the Levant (ISIL) and Al-Qaeda in the Arabian Peninsula (AQAP); Qatar’s enhanced security posture, bolstered by security assistance from countries such as the US, United Kingdom, France, Italy, Türkiye, and Pakistan; and Qatar’s geographical orientation.

Key Judgments

State-Sponsored Cyber Threats

Large international sporting events such as the Olympic Games or the World Cup are attractive targets for cybercriminals and state-sponsored APT groups alike for either financial, disruptive, or espionage purposes. Such events are often years in the making, involve the investment of billions of dollars in infrastructure to support, bring the host country considerable prestige on the international stage, and attract a wide range of spectators, including high-level government officials and businesspersons. As a result, disruption of the event can prove embarrassing for the host government and organizers, while traditional intelligence-gathering-focused cyber-espionage and surveillance activities are likely lucrative given the target-rich environment. To mitigate this risk, travelers to Qatar for the 2022 FIFA World Cup should take additional precautions around their digital communications such as using encrypted communications applications whenever possible, exercising caution when connecting to unknown and public Wi-Fi networks (including in hotels), and considering the use of burner devices for the duration of the trip rather than personal or corporate devices.

As of this writing, we are not aware of any imminent, planned, or ongoing state-sponsored threat activity linked to known APT groups targeting the upcoming 2022 FIFA World Cup in Qatar, its organizers (such as FIFA or the Union of European Football Associations [UEFA]), its sponsors, or associated infrastructure. This includes attacks that may be disruptive or destructive in nature (such as distributed denial-of-service (DDoS) attacks or wiper malware) or more espionage-focused operations. Additionally, we have not observed the establishment of network infrastructure attributed to state-sponsored APT groups intended to facilitate computer network operations against the World Cup or its affiliate organizations or attendees. Similarly, we have not as of this writing found weaponized lure documents for use in spearphishing attacks.

In this section, we review the likely motivators for state-sponsored APT groups’ targeting of the 2022 FIFA World Cup, with a focus on the most prominent state-sponsored threat actors — those linked to China, Russia, Iran, and North Korea. Overall, we assess that the Russian government is the most strongly motivated to carry out disruptive attacks against the event, but is very likely focusing its resources on supporting its war against Ukraine instead. And while Iran, China, and North Korea all likely possess the technical capabilities to do so, they are unlikely to pose a disruptive threat to the games as they lack the motivation due to their relations with Qatar, their involvement in the planning and execution of the games themselves, or other national priorities.

China

Chinese state-sponsored APT groups are unlikely to target the World Cup and its affiliates for the purposes of disruption of the event. Nevertheless, those groups tasked with the collection of foreign intelligence, and particularly those falling under the Ministry of State Security (MSS) — China’s primary civilian intelligence service — are likely to view the World Cup as a target-rich environment for cyber espionage and surveillance against foreign dignitaries and businesspersons alike. Likely MSS-linked cyber-espionage groups include, but are not limited to, APT10, APT17, APT27, APT40, APT41, TAG-22, RedBravo, and RedDelta.

China and Qatar have enjoyed increasingly close relations in recent years, with Beijing and Doha announcing cooperation on a host of regional and global issues in defense, energy, and economic development, including Qatar's involvement in Beijing’s marquee international development project, the Belt and Road Initiative (BRI). Moreover, Chinese companies maintain a considerable presence in Qatar, and the Chinese Railway Construction Corporation in 2016 won the bid to build the largest World Cup venue, the Lusail Stadium, which was completed in 2020.

Significantly, there is no historical precedent for Chinese threat activity groups targeting major international sporting events or sporting bodies, and China has shown more restraint compared to other nations in conducting wide-reaching destructive and disruptive attacks in general. Therefore, while Chinese APT groups have regularly targeted specific organizations and governments ahead of key talks, and Beijing’s cyber-enabled monitoring of ethnic and religious minorities domestically and internationally is well-documented, it is unlikely that China poses a disruptive threat to the 2022 FIFA World Cup. This is made even more unlikely due to China’s direct involvement in developing the infrastructure to support the event — giving it a vested interest in ensuring that it unfolds smoothly — as well as Beijing’s desire to continue to strengthen its relationship with Doha as a major strategic partner in the region.

Russia

The Russian government very likely harbors a strong set of grievances and thus motivation for targeting the 2022 FIFA World Cup in Qatar. Russian activity targeting the event would likely be disruptive in nature, or otherwise seek to embarrass the international entities responsible for organizing the event such as FIFA, UEFA, or international sponsors, both public and private.

Following Russia’s invasion of Ukraine in late February 2022, FIFA and UEFA issued a blanket ban against Russian football clubs from competitions, including the upcoming World Cup, in protest of the invasion. Subsequently, the Football Union of Russia abruptly withdrew its appeal of the decision in early April, resulting in the ban remaining in place.

Russian state-sponsored APT groups have a history of targeting international sporting organizations and events beginning as early as 2016, likely in retribution for similar bans of its athletes from participation in major international events, such as the Olympic Games, due to a string of doping scandals. Past Russian state-sponsored activity targeting such organizations includes:

While Moscow and Doha are engaged both diplomatically and economically with one another, there are signs of significant strain in the relationship, especially since Russia’s invasion of Ukraine. First and foremost, Qatar has expressed its support for Ukraine and the territorial integrity of the country along its internationally recognized borders. Moreover, the US formally designated Qatar as a “major non-NATO [North Atlantic Treaty Organization] ally” in March 2022 — a move that is very likely interpreted as signaling Qatar’s long-term strategic alignment with NATO and Washington instead of with Moscow. As a result, the Kremlin likely has a particularly strong grievance against Qatar and may view the World Cup as an opportunity to embarrass Qatar’s government.

Nevertheless, despite having the motivation to conduct such disruptive attacks against the World Cup and Qatar, the Russian government is very likely distracted with the war in Ukraine, which has turned into a grinding conflict requiring Moscow to marshal as many of the state’s resources as possible in an attempt to achieve its strategic aims in the face of Ukraine’s staunch armed resistance. It is therefore very likely that Russian APT groups that may otherwise be tasked with disruption of an international event such as the World Cup — especially those aligned with military intelligence such as APT28 or Sandworm, based on historical activity — are instead tasked with prioritizing operations that are directly in support of the war effort in Ukraine.

While we assess it is thus unlikely that established Russian state-sponsored APT groups will conduct such disruptive operations against the World Cup, we cannot rule out that the Russian government will encourage or otherwise tacitly approve of such attacks conducted by nationalistic Russian “hacktivist” groups — such as KillNet or XakNet — or by ransomware operators. Such groups, whether financially or politically motivated, are useful proxy forces that can on occasion further the Russian government’s strategic objectives and provide plausible deniability.

Iran

While Iranian state-sponsored APT groups frequently target public and private entities across the Middle East in both destructive and espionage-focused campaigns, they are not known for executing hacktivist-like attacks against international sporting federations. Moreover, due to the strong trade and diplomatic ties between the 2 countries, Iran’s participation in the World Cup despite calls for its banning, and due to domestic Iranian instability, it is unlikely that Iran will seek to use cyberattacks to disrupt the games as doing so provides no obvious benefit to the regime and risks upsetting a key regional partner in Qatar.

This does not rule out Ministry of Intelligence and Security (MOIS)- or Islamic Revolutionary Guard Corps (IRGC)-linked espionage activity in-country, however, likely primarily directed against high-profile foreign attendees of the game and dissidents and/or critics of the Iranian regime. Such groups, including APT34 (OilRig), APT35, APT39, APT42, and MuddyWater, are known to routinely carry out espionage operations against Middle Eastern and Western governments and private sector companies in support of Tehran’s economic, political, and military objectives. APT35 has been reported to seek strategic and tactical information and has also undertaken counterintelligence operations at the behest of the IRGC, including in attacks against international conferences and related organizations such as the Munich Security Conference and Think20 Summit in Saudi Arabia. For its part, APT39 has also been reported to focus on counterintelligence and long-term espionage activity with the goal of protecting the regime.

Iran and Qatar have an abnormally close relationship given the latter’s membership in the Gulf Cooperation Council (GCC) regional bloc, and Doha carefully balances its alliance with the US and its economic and security ties with Tehran. These ties only strengthened during and following the 2017 Qatar diplomatic crisis in which Doha sought to replace its traditional trading partners — who instituted an embargo against the country — with imports from Iran and Türkiye. Qatar’s geographic position in the Persian Gulf, as well as its sharing of the world’s largest natural gas field with Iran, induce the 2 to closer relations despite Iranian discomfort with Qatar’s hosting of the largest US military base in the region at Al Udeid. Relations between Iran and Qatar have become so cordial that Iran offered — and Qatar accepted — assistance in hosting hundreds of thousands of visitors to the World Cup on the resort island of Kish, offshore of Iran, thus giving Iran an economic and political stake in the success of the games.

Finally, Iran has in recent months been rocked by domestic instability and widespread protests following the death of Mahsa Amini while in police custody. The protests — the largest in over a decade — have turned violent, resulting in the government issuing lockdowns of the information environment within the country and cutting off the internet from the outside world, as well as deploying security forces authorized to use lethal force to quell the unrest. In order to preserve the regime, maintaining and stabilizing the domestic situation is very likely to be the primary task of the Iranian intelligence and security services in the near term. This suggests that little resourcing would likely be devoted to externally oriented cyber operations during the World Cup, even if Iran had the requisite motivation to do so.

North Korea

North Korean state-sponsored APT groups are unlikely to conduct disruptive or destructive attacks against the upcoming 2022 World Cup in Qatar.

There is very limited precedent for North Korea-linked APT groups targeting international sporting events or organizations. In the 1 instance in which this was observed — in a campaign using the fileless malware “Gold Dragon” targeting Olympics-related organizations in the period surrounding the 2018 Winter Olympics in Pyeongchang, South Korea — the campaign appears to have been focused on intelligence gathering, which is consistent with the majority of North Korea state-sponsored cyber campaigns against the South and likely a part of their routine operations.

Moreover, the majority of historical North Korean state-sponsored APT campaigns have been focused on revenue generation for the regime in Pyongyang, which continues to languish under strict international sanctions that limit its access to global markets. These attacks have primarily consisted of compromises of financial institutions, ATM cash-out schemes, or theft of cryptocurrency. Apart from ransomware or other forms of extortion attacks, such as the WannaCry campaign, disruptive or destructive attacks are difficult to monetize and thus are likely of less interest and priority to the regime.

With respect to the 2022 World Cup, North Korea likely lacks the political motivation to engage in disruptive or destructive activity against the games. Pyongyang voluntarily withdrew from World Cup qualifiers in May 2021 likely due to concerns over COVID-19, but unlike Russia was never formally banned from participation by the organizing bodies. Moreover, Qatar has — at least until the imposition of recent United Nations (UN) sanctions that went into effect at the end of 2019 — been host to thousands of North Korean migrant laborers. Many of these laborers were integral to the construction of the venues for the upcoming World Cup games, including the aforementioned Lusail Stadium which was built by a Chinese firm. Overall, Qatar has proven more willing than many governments to continue some form of direct relations with North Korea, and Pyongyang is unlikely to see a benefit to damaging relations via disruptive cyberattacks against the World Cup.

Cybercriminal Threats

As mentioned above, large international sporting events such as the 2022 FIFA World Cup are attractive targets for financially motivated cybercriminals. Cybercriminal threats to the 2022 FIFA World Cup include but are not limited to tournament-related phishing attacks, fake mobile applications around the event that can distribute malware and harvest user data, sales on dark web markets and shops for counterfeit tickets, and threats of ransomware.

Phishing and Fraud

Cybercriminals are leveraging the 2022 FIFA World Cup as a lure in phishing attacks and in other fraudulent activities. Cybercriminals are almost certainly creating fraudulent websites related to the 2022 FIFA World Cup that can be used in phishing campaigns to collect PII from victims, including financial information like payment card details, or to distribute malware.

Between October 31, 2021 and October 31, 2022, we identified:

Figure 1: Example of a typosquat domain impersonating the legitimate qatar2022[.]qa website, with redirects to other suspicious websites (Source: qatar2022[.]pro)

We identified 669 references to 2022 FIFA World Cup phishing campaigns between October 31, 2021 and October 31, 2022. These phishing attacks have targeted both organizations and individuals, though as the tournament approaches, phishing attempts are very likely to focus on targeting individuals. Phishing attacks targeting individuals relate to various components of the tournament, including: tickets to the games (typically so-called “ticket giveaways”); free streaming services for when the tournament begins; betting websites; and tournament-adjacent items like visas and travel, hotel, and restaurant bookings. In November 2021, Kaspersky reported that they detected 11,000 phishing emails between August 15 and October 15, 2021 primarily targeting organizations by inviting bids on contracts to supply goods or services for the 2022 FIFA World Cup, where recipients were asked to pay a commission to participate.

Another attack vector used by cybercriminals is creating fraudulent mobile applications that impersonate legitimate ones, such as the “Hayya to Qatar 2022” mobile application created by Qatar’s Supreme Committee for Delivery and Legacy (Apple, Google Play). We identified multiple mobile applications posing as the official 2022 FIFA World Cup application, with thousands of downloads. Although we have not conducted an analysis of these mobile applications, we strongly recommend that individuals only download official 2022 FIFA World Cup mobile applications such as those created by Qatar’s Supreme Committee for Delivery and Legacy and by FIFA.

Dark Web Activity

We identified 277 references to the 2022 FIFA World Cup on dark web special-access forums between October 31, 2021 and October 31, 2022. We observed discussions of individuals claiming to be selling tickets to the 2022 FIFA World Cup, as well as other individuals posting in an effort to purchase tickets. We also observed an individual sharing the likely compromised login details of 2 accounts for beIN CONNECT, a state-owned global sport and entertainment network headquartered in Doha, Qatar, with the individual stating “SAVE FOR WORLD CUP”.

Figure 2: Example of a post on a dark web forum advertising 2022 FIFA World Cup ticket sales (Source: Recorded Future)

Another notable post includes an October 4, 2022 post on Cracked Forum by “xAcordx” advertising a malicious .doc exploit file that is claimed to be fully undetectable (FUD) by all antivirus solutions, that “can be sent via Gmail and other popular email providers”, and that “downloads and executes any file when ran [sic]”. The file is advertised at $600 for a single full FUD build, or $2,400 for the builder allowing unlimited builds with a weekly update to maintain its FUD status. The post advertises many different lures for the document, including “world cup” and “world cup qualifying”, demonstrating that the 2022 FIFA World Cup is being used as a lure in malicious documents. The threat actor also includes in their listing a proof-of-concept video that demonstrates the exploit’s functionality.

Figure 3: Exploit with features advertised by xAcordx (Source: Cracked Forum)

Furthermore, Recorded Future’s Identity Intelligence Module identified credential leaks for 14 unique *@qatar2022[.]qa email addresses on both clearnet and dark web sources, including 8 unique email addresses with associated passwords. These credential leaks were included in database dumps including GoNitro Database Dump, Cit0day Dump, ShareThis Data Dump, Zynga Data Dump, Dropbox Credential Dump, and Qatar National Bank Data Dump, while other credentials were stolen through infostealer malware such as Vidar. Credential leaks can be abused by threat actors to obtain initial access into an organization or to perform additional fraudulent activities such as social engineering, spearphishing, and business email compromise (BEC). However, the passwords associated with the email addresses in the aforementioned breaches could be passwords for other websites where the owner used their qatar2022[.]qa email address for a different online service, and are not necessarily the passwords for the owner’s email account or corporate network. Using unique passwords for each online service mitigates the risk that leaked credentials can be used by threat actors to access more than 1 online service.

Finally, we identified 269 references to tickets[.]fifa[.]com and hayyar[.]qatar2022[.]qa on dark web shops, specifically Russian Market, Genesis Store, and 2easy Shop. These 2 domains are used to purchase tickets to the 2022 FIFA World Cup, and to apply for a Hayya Card, respectively. All tournament visitors need a Hayya Card to be permitted entry to Qatar, for access to match stadiums, and for free use of public transportation on match days. Visitors applying for a Hayya Card need to provide their personal details. As explained below, these dark web shops sell packages of compromised account details and user logs; cybercriminal actors could purchase compromised account details from these, and other, dark web shops and marketplaces that could lead to greater theft of PII data and possibly match tickets.

Ransomware

We have not identified any specific threats made by ransomware groups demonstrating intent to target the 2022 FIFA World Cup, though we would not expect such conversations to appear in the open. Similar to what we described in our report on Threats to the 2022 Winter Olympics, the 2022 FIFA World Cup may be seen as an attractive target for ransomware attacks given the potential for significant profit, as organizations involved in the tournament will want to ensure the tournament goes as smoothly as possible. Potential targets could include organizations that support the 2022 FIFA World Cup, including those in the transportation, media, healthcare, logistics, and security sectors. However, it is more likely that ransomware operators would seek to opportunistically target victims based on accessibility, opportunity, and factors such as the ability to pay large ransom amounts, as opposed to conducting a large-scale coordinated attack. We have created dozens of Hunting Packages for ransomware families that can be used to detect ransomware samples and behavior.

As discussed above, as a result of Russia being banned from participating in the 2022 FIFA World Cup due to their war against Ukraine and their strained relations with Qatar, we cannot rule out that the Russian government will encourage or otherwise tacitly approve disruptive attacks conducted by nationalistic Russian “hacktivist” groups — such as KillNet or XakNet — or by ransomware operators. Such threat groups, whether financially or politically motivated, are useful proxy forces that can on occasion further the Russian government’s strategic objectives and provide plausible deniability. We have previously documented the ties between the Russian state and Russia-based cybercriminals in our report “Dark Covenant: Connections Between the Russian State and Criminal Actors”.

Influence Operations

As a result of Qatar’s unique geopolitical position, influence operations involving the 2022 FIFA World Cup will likely attempt to “win over” Qatar by emphasizing and promoting bilateral relations while creating and exacerbating tensions between Qatar and the influencer’s adversaries. As discussed above, Qatar maintains good relations with Iran and China, and previously had good relations with Russia that have since been strained as a result of Qatar siding with the coalition of countries supporting Ukraine’s territorial integrity. Meanwhile, Qatar enjoys good relations with the US, UK, Germany, and many other Western countries. Qatar also offers Europe an alternative to their dependency on Russian gas exports during Russia’s war against Ukraine.

Positive Influence

We have observed efforts by Iran, China, and Russia to emphasize their support for Qatar in hosting the 2022 FIFA World Cup and to promote bilateral relations through state-owned media outlets. For example:

Negative Influence

Western countries (including Germany, Denmark, France, and others) have been critical of Qatar’s hosting of the 2022 FIFA World Cup, citing human rights concerns in the country. This criticism presents an opportunity for adversaries to highlight divisions and exacerbate tensions between Qatar and the West. We have not observed China taking advantage of this opportunity, whereas Iran and Russia have used state-owned media organizations to highlight Western criticism of Qatar. For example:

Figure 4: Sentiment analysis of references to the 2022 FIFA World Cup on Iranian, Chinese, and Russian state media sources (Source: Recorded Future)

Endless Mayfly

There is a particular precedent in Iran for using influence operations in an attempt to sow discord between Qatar and its international partners and regional neighbors, such as the Endless Mayfly influence operation uncovered by Citizen Lab in May 2019. This influence operation was “an Iran-aligned network of inauthentic websites and online personas” used to amplify geopolitical tensions by spreading false and divisive information critical of Saudi Arabia, the US, and Israel, among others, since at least early 2016.

The Endless Mayfly influence operation included 1 instance of disinformation specifically involving the 2022 FIFA World Cup, namely that 6 Arab countries had asked FIFA to strip Qatar’s right to host the FIFA World Cup in 2022. This disinformation attempted to exacerbate geopolitical tensions between Qatar and Arab countries following the Qatar diplomatic crisis in June 2017, whereby Gulf countries and other Arab nations including Saudi Arabia, the United Arab Emirates (UAE), Egypt, Bahrain, and others severed diplomatic relations with Qatar, blaming Qatar for “[embracing] various terrorist and sectarian groups aimed at destabilising the region”, including the Muslim Brotherhood, al-Qaeda, Islamic State, and Iran-supported proxy groups within Gulf nations. The 1 instance of disinformation involving the 2022 FIFA World Cup was part of 11 inauthentic articles identified by Citizen Lab that aimed to exacerbate Saudi-Qatar tensions.

Endless Mayfly’s disinformation campaign involving the 2022 FIFA World Cup involved the creation of an inauthentic The Local article on July 15, 2017 alleging that 6 Arab countries had asked FIFA to strip Qatar’s right to host the 2022 FIFA World Cup. The inauthentic article was hosted on a lookalike domain, telocal-xt3c[.]com, instead of thelocal[.]com. Reuters then published an article on July 16, 2017 citing the inauthentic The Local article, with the heading "Boycott nations demand FIFA strips Qatar of 2022 FIFA World Cup – report".

Figure 5: Reuters article citing the inauthentic The Local article involving the 2022 FIFA World Cup (Source: Reuters)

Then, an Endless Mayfly online persona, @Shammari_Tariq, published an article on Buzzfeed Community, which allows for user-submitted content, amplifying the story and citing the inauthentic The Local article and the Reuters article. Another Endless Mayfly online persona, @GerouxM, published a story on Medium reiterating the claim and citing the inauthentic The Local article. Furthermore, after the Reuters article was published, several other media outlets such as Global News, The Jerusalem Post, Bleacher Report, and Haaretz also reported on the story, quickly propagating the disinformation to a wider audience.
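The two lookalike patterns this report cites, qatar2022[.]pro standing in for qatar2022[.]qa in the phishing section and telocal-xt3c[.]com standing in for thelocal[.]com in Endless Mayfly, can be screened for in DNS, proxy, or mail logs. The Python below is an added example, not Recorded Future's or Citizen Lab's tooling; the verdict names, edit-distance thresholds, and every sample domain other than those two are assumptions constructed for illustration.

```python
"""Triage observed domains against protected brand domains (added example)."""

# Legitimate domains named in the report, defanged as on the page.
PROTECTED = ["qatar2022[.]qa", "thelocal[.]com"]

# First two entries come from the report; the rest are constructed samples.
OBSERVED = [
    "qatar2022[.]pro",
    "telocal-xt3c[.]com",
    "www[.]qatar2022[.]qa",
    "qatarr2022[.]qa",
    "qatar2022[.]qa[.]login-check[.]example",
    "example[.]org",
]


def refang(domain: str) -> str:
    """Normalise a defanged indicator such as 'qatar2022[.]pro'."""
    return domain.strip().lower().replace("[.]", ".").strip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def max_typos(brand_label: str) -> int:
    """Assumed tolerance: short labels allow 1 edit to limit false positives."""
    return 2 if len(brand_label) >= 8 else 1


def classify(candidate: str, protected=PROTECTED):
    """Return (verdict, matched_brand) for one observed domain.

    Simplification: the last label is treated as the TLD and the label before
    it as the registrable name, so multi-label suffixes such as co.uk need a
    public-suffix list in real use.
    """
    labels = refang(candidate).split(".")
    if len(labels) < 2 or not all(labels):
        return ("invalid", None)
    subs, name, tld = labels[:-2], labels[-2], labels[-1]
    brands = [tuple(refang(p).split(".")[-2:]) for p in protected]

    # Anything under a protected registrable domain is not a lookalike.
    for b_name, b_tld in brands:
        if (name, tld) == (b_name, b_tld):
            return ("protected", f"{b_name}.{b_tld}")

    for b_name, b_tld in brands:
        brand = f"{b_name}.{b_tld}"
        limit = max_typos(b_name)
        if name == b_name:
            return ("tld-swap", brand)            # qatar2022.pro vs .qa
        if edit_distance(name, b_name) <= limit:
            return ("typo", brand)                # one or two character edits
        tokens = name.split("-")
        near_token = len(tokens) > 1 and any(
            edit_distance(t, b_name) <= limit for t in tokens
        )
        if b_name in name or near_token:
            return ("brand-with-affix", brand)    # telocal-xt3c vs thelocal
        if b_name in subs:
            return ("brand-in-subdomain", brand)  # brand used as a subdomain
    return ("unrelated", None)


def triage(observed):
    """Keep only the domains that look like impersonation of a brand."""
    results = [(d, *classify(d)) for d in observed]
    return [r for r in results if r[1] not in ("protected", "unrelated")]


if __name__ == "__main__":
    for domain, verdict, brand in triage(OBSERVED):
        print(f"{domain:45} {verdict:20} impersonates {brand}")
```

Verdicts are leads for analyst review, not blocks: edit-distance matching produces false positives on short or generic brand names, which is why the threshold tightens for short labels.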

Physical Threats

Qatar is unlikely to face a major physical security threat during the 2022 FIFA World Cup based on the event's substantive security apparatus and decreased capabilities of global terrorist organizations. An externally directed terrorist attack, while unlikely for reasons enumerated below, would have the greatest potential impact, and unmanned aerial systems (UAS) represent a unique threat vector for targeting attendees and disrupting the event. Qatar has taken steps to mitigate this risk by bolstering its defenses and is receiving security assistance from multiple countries for the duration of the 2022 FIFA World Cup, particularly to defend against any UAS attacks.

Terror Tactics and UAS

Terrorist attacks typically use unconventional methods to inflict casualties, disrupt societies, and damage economies. These tactics vary based on the environment in which the terrorists operate, but have included solo knife attacks, coordinated small arms operations, suicide bombings, vehicle ramming, and UAS, including so-called “suicide drones”. The use of UAS represents a potentially significant evolution in terrorist operations since it utilizes commercial off-the-shelf technology readily available in many countries, which can be modified to deploy explosive payloads or perform target reconnaissance. UAS may also be operated beyond line of sight, enabling operators to control them from a place of relative seclusion. More advanced UAS, such as those reportedly supplied by Iran to the Ansar Allah (Houthis) movement for use against the Saudi-led coalition in Yemen, are capable of traveling long distances and could reach Qatari territory. Even unarmed UAS can pose a threat to critical infrastructure, as demonstrated by the standstill created by UAS flying near London’s Gatwick Airport in December 2018 and Dubai Airport in 2016 and 2019.

Qatar has faced minimal terrorist attacks in recent years. According to the US Department of State, there were no reported terrorist incidents in Qatar in 2020 (the most recent year they published such data) or 2019. Recorded Future’s Geopolitical Intelligence Module did not identify any notable references to terrorist attacks in Qatar in the last 3 years. There have also not been any recent UAS attacks against Qatar. However, the Houthis have used UAS against targets in nearby Saudi Arabia and the UAE in the past few years. For example, the Houthis launched UAS attacks against the UAE as recently as January and February of 2022, and have regularly targeted critical infrastructure in Saudi Arabia including oil facilities and pipelines and airports. Islamist terrorist groups such as ISIL have also used UAS, and the United Nations’s top official on counter-terrorism, Vladimir Voronkov, reportedly told the UN Security Council in August 2022 that ISIL “has also significantly increased the use of UAS in the past year, including reported [sic] in northern Iraq”.

Terrorist Groups

In June 2017 several Arab countries, including but not limited to Saudi Arabia, the UAE, Egypt, Jordan, and Bahrain, broke diplomatic ties with Qatar, accusing Qatar of embracing “various terrorist and sectarian groups aimed at destabilising the region”, including the Muslim Brotherhood, al-Qaeda, ISIL, and groups supported by Iran in Saudi Arabia’s eastern province of Qatif. This rupture came after years of similar concerns expressed in the US by Congressional members, Treasury Department officials, and foreign policy experts. Relations between Qatar and its fellow Gulf countries began to be restored in January 2021, and the US government has partnered with Qatari counterparts to stem the flow of terrorist financing on the Arabian peninsula, indicating that Doha is taking steps to address these concerns. Nevertheless, Qatar’s unique geopolitical position, as discussed in the Influence Operations section of this report (particularly its good relations with Iran), likely contributes to the lack of terrorist attacks that have affected Qatar.

Although an externally directed terrorist attack against the 2022 FIFA World Cup is unlikely, the event does present an opportunity for a symbolic strike against a gathering that represents global cooperation and a relationship between Western countries and Muslim-majority and Arab nations. We note that an attack on the World Cup aligns with historic targeting objectives of the following terrorist organizations and actors:

Security Defenses

Qatar has enhanced its own security in the lead-up to the 2022 FIFA World Cup. The government plans to use its own drones to enhance surveillance and security patrols, and the Qatari government reportedly deployed 32,000 government security forces and 17,000 private security forces during a 5-day security exercise across the country in October 2022, indicating the scale of Qatar’s security defenses. Furthermore, Qatar is receiving security assistance from multiple countries for the duration of the 2022 FIFA World Cup, including:

An additional mitigating factor decreasing the threat of terrorism to the 2022 FIFA World Cup is Qatar’s geographical orientation. Qatar is a peninsula in the Persian Gulf and shares only 1 land border, with Saudi Arabia. The border with Saudi Arabia is isolated, has a flat desert topography, and is small enough for security forces to control. While the borders of Bahrain and the UAE are only roughly 10 to 20 miles across the Persian Gulf, these countries, like Saudi Arabia, have cordial relations with Qatar and are not primary incubators of terrorist groups that would seek to target Qatar. A lack of accessible ingress opportunities for terrorist organizations into Qatar, along with Qatar's security defenses discussed above, mitigates (but does not eliminate) the threat of terrorism to the 2022 FIFA World Cup.

Outlook

Qatar’s unique geopolitical position on a contentious global stage means it’s unlikely that state-sponsored APT groups from China, Russia, Iran, and North Korea will conduct a disruptive attack against the 2022 FIFA World Cup, despite Russia having the greatest motivations for doing so. Instead, nationalistic Russian hacktivist groups or ransomware operators could conduct disruptive attacks against the tournament, which as previously noted can provide the Kremlin with plausible deniability.

Cybercriminal phishing attacks are almost certainly going to continue throughout the 2022 FIFA World Cup tournament, before dispersing after the tournament concludes. It’s very unlikely that tournament-themed phishing attacks targeting businesses will continue to use lures that invite victims to bid on contracts or supply goods or services to the tournament given that the tournament begins soon.

It is very likely that Iran and Russia will continue to highlight divisions and exacerbate tensions between Qatar and Western countries that are critical of the tournament being hosted in Qatar, while also promoting their own bilateral relations. Furthermore, Iran, China, and Russia are likely to use the 2022 FIFA World Cup in future influence operations as an example of where the West has sought to impose “Western values” on other countries.

Finally, Qatar is unlikely to face a major physical security threat during the 2022 FIFA World Cup based on the factors explained above. Although Iran, China, and Russia are emphasizing and promoting bilateral relations with Qatar through discourse, countries like the US, UK, France, Italy, Türkiye, and others are providing material security assistance to Qatar for the tournament. This security assistance, building on other security cooperation, in addition to the US formally designating Qatar as a “major non-NATO ally” in March 2022, is likely to lead to further security cooperation between Qatar and Western countries.

The sources used in this report are the Recorded Future® Platform and open sources.