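Threats on the Ground: Cyber, Influence, and Physical Threats to the 2022 FIFA World Cup in Qatar
Editor's Note: This is an excerpt of the full report. To read the entire analysis with endnotes, click here to download the report as a PDF.
This report analyzes the threat landscape ahead of the 2022 FIFA World Cup, which opens in Qatar on November 20, 2022. The threats analyzed include state-sponsored cyber operations, financially motivated cyber threats, influence operations, and physical security threats. This report will be of most interest to organizations involved in hosting, operating, or sponsoring the 2022 FIFA World Cup and to individuals participating in or planning to attend the tournament.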
Executive Summary
Whole-spectrum threats to the 2022 FIFA World Cup in Qatar are largely determined by Qatar’s unique geopolitical position on a contentious global stage, with the country enjoying good relations with major powers such as the United States (US), Europe, China, and Iran.
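We have not identified any imminent, planned, or ongoing state-sponsored cyber operations involving known advanced persistent threat (APT) groups targeting the 2022 FIFA World Cup in Qatar, its organizers, sponsors, or associated infrastructure. China, Iran, and North Korea are unlikely to conduct a disruptive attack against the tournament, as they lack the motivation due to their relations with Qatar, their involvement in the planning and execution of the games, or other national priorities. Nevertheless, state-sponsored APT groups tasked with the collection of foreign intelligence are likely to view the 2022 FIFA World Cup as a target-rich environment for cyber espionage and surveillance against foreign dignitaries and businesspersons.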
Russia is an outlier and very likely harbors a strong set of grievances and thus motivation for targeting the 2022 FIFA World Cup, such as wanting to embarrass Qatar as the host country for siding with the coalition of countries supporting Ukraine’s territorial integrity, as well as to retaliate for Russia being banned from participating in the tournament. There is historical precedent for Russia conducting cyberattacks against major sporting events, although Russian APT groups are very likely distracted with Russia’s war against Ukraine and are therefore unlikely to conduct a disruptive attack against the 2022 FIFA World Cup. However, we cannot rule out that the Russian government will encourage or otherwise tacitly approve of such attacks conducted by nationalistic Russian hacktivist groups or ransomware operators.
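Large international sporting events are also attractive targets for financially motivated cybercriminals. Tournament-related phishing attacks use a variety of lures, including so-called ticket giveaways, free streaming services for watching the games, fake betting websites, and tournament-adjacent items such as visas and travel, hotel, and restaurant bookings. Other cybercriminal threats include, but are not limited to, event-related fake mobile applications that can distribute malware and harvest user data, the sale of counterfeit tickets and leaked credentials on dark web markets and shops, and ransomware attacks which, as noted above, opportunistically target victims based on factors such as accessibility, opportunity, and the ability to pay a large ransom.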
Iran, China, and Russia’s influence activities involving the 2022 FIFA World Cup are primarily being conducted through state-owned media organizations, which emphasize and promote bilateral relations with Qatar. Iran and Russia have also sought to highlight divisions and exacerbate tensions between Qatar and Western countries that have been critical of the tournament being hosted in Qatar due to human rights concerns in the country. Similarly, Iran’s “Endless Mayfly” influence operation identified by Citizen Lab in May 2019 involved an instance of disinformation around the 2022 FIFA World Cup, which sought to exacerbate geopolitical tensions between Qatar and other Arab countries following the Qatar diplomatic crisis in June 2017.
Qatar is unlikely to face a major physical security threat during the 2022 FIFA World Cup based on a range of factors including: the country having minimal terrorist incidents in recent years; the decreased capabilities of terrorist groups most likely to target the tournament, including Islamic State in Iraq and the Levant (ISIL) and Al-Qaeda in the Arabian Peninsula (AQAP); Qatar’s enhanced security posture, bolstered by security assistance from countries such as the US, United Kingdom, France, Italy, Türkiye, and Pakistan; and Qatar’s geographical orientation.
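Key Judgments
- Recorded Future has not identified any imminent, planned, or ongoing state-sponsored cyber operations targeting the 2022 FIFA World Cup in Qatar. Nevertheless, state-sponsored APT groups tasked with the collection of foreign intelligence are likely to view the 2022 FIFA World Cup as a target-rich environment for cyber espionage and surveillance.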
- Russia very likely harbors a strong set of grievances and has the greatest motivation to conduct a disruptive cyberattack against the 2022 FIFA World Cup, and there is historical precedent for Russia targeting major sporting events. However, Russian APT groups are unlikely to conduct a disruptive attack against the tournament due to their preoccupation with Russia’s war against Ukraine.
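- We cannot rule out that the Russian government will encourage or otherwise tacitly approve of disruptive attacks against the 2022 FIFA World Cup by nationalistic Russian hacktivist groups or ransomware operators. Such attacks can provide the Kremlin with plausible deniability.
- Cybercriminals are launching tournament-related phishing attacks using common lures, such as so-called ticket giveaways, to harvest personally identifiable information (PII), including financial information such as payment card details, or to distribute malware.
- Iran and Russia have sought to highlight divisions and exacerbate tensions between Qatar and Western countries that have been critical of the tournament being hosted in Qatar. Endless Mayfly, an Iran-linked entity, has also used the 2022 FIFA World Cup in its influence operations.
- Qatar is unlikely to face a major physical security threat during the 2022 FIFA World Cup, although unmanned aerial systems (UAS) are a unique disruptive threat that Qatari authorities are working to mitigate through foreign security assistance.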
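State-Sponsored Cyber Threats
Large international sporting events such as the Olympics and the World Cup are attractive targets for both cybercriminals and state-sponsored APT groups for financial, disruptive, and espionage purposes. These events are often years in the making, involve billions of dollars of infrastructure investment, bring the host country considerable prestige on the international stage, and attract a wide range of spectators, including high-ranking government officials and businesspersons. As a result, disruption of the event can embarrass the host government and organizers, while traditional intelligence-collection-focused cyber espionage and surveillance activity is lucrative given the target-rich environment. To reduce these risks, travelers visiting Qatar for the 2022 FIFA World Cup should take additional precautions with their digital communications, such as using encrypted communication applications wherever possible, exercising caution when connecting to unknown public Wi-Fi networks (including in hotels), and considering the use of burner devices instead of personal or corporate devices for the duration of their travel.
As of this writing, we have not identified any imminent, planned, or ongoing state-sponsored threat activity involving known APT groups targeting the upcoming 2022 FIFA World Cup in Qatar, the tournament organizers (such as FIFA or the Union of European Football Associations [UEFA]), sponsors, or associated infrastructure. This includes attacks that are disruptive or destructive in nature, such as distributed denial-of-service attacks or wiper malware, as well as espionage-focused attacks. In addition, we have not observed state-sponsored APT groups building out network infrastructure to facilitate computer network operations against the World Cup or World Cup-related organizations or attendees. Similarly, no weaponized lure documents for use in spearphishing attacks have been identified as of this writing.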
In this section, we review the likely motivators for state-sponsored APT groups’ targeting of the 2022 FIFA World Cup, with a focus on the most prominent state-sponsored threat actors — those linked to China, Russia, Iran, and North Korea. Overall, we assess that the Russian government is the most strongly motivated to carry out disruptive attacks against the event, but is very likely focusing its resources on supporting its war against Ukraine instead. And while Iran, China, and North Korea all likely possess the technical capabilities to do so, they are unlikely to pose a disruptive threat to the games as they lack the motivation due to their relations with Qatar, their involvement in the planning and execution of the games themselves, or other national priorities.
China
Chinese state-sponsored APT groups are unlikely to target the World Cup and its affiliates for the purposes of disruption of the event. Nevertheless, those groups tasked with the collection of foreign intelligence, and particularly those falling under the Ministry of State Security (MSS) — China’s primary civilian intelligence service — are likely to view the World Cup as a target-rich environment for cyber espionage and surveillance against foreign dignitaries and businesspersons alike. Likely MSS-linked cyber-espionage groups include, but are not limited to, APT10, APT17, APT27, APT40, APT41, TAG-22, RedBravo, and RedDelta.
China and Qatar have enjoyed increasingly close relations in recent years, with Beijing and Doha announcing cooperation on a host of regional and global issues in defense, energy, and economic development, including Qatar's involvement in Beijing’s marquee international development project, the Belt and Road Initiative (BRI). Moreover, Chinese companies maintain a considerable presence in Qatar, and the Chinese Railway Construction Corporation in 2016 won the bid to build the largest World Cup venue, the Lusail Stadium, which was completed in 2020.
Significantly, there is no historical precedent for Chinese threat activity groups targeting major international sporting events or sporting bodies, and China has shown more restraint compared to other nations in conducting wide-reaching destructive and disruptive attacks in general. Therefore, while Chinese APT groups have regularly targeted specific organizations and governments ahead of key talks, and Beijing’s cyber-enabled monitoring of ethnic and religious minorities domestically and internationally is well-documented, it is unlikely that China poses a disruptive threat to the 2022 FIFA World Cup. This is made even more unlikely due to China’s direct involvement in developing the infrastructure to support the event — giving it a vested interest in ensuring that it unfolds smoothly — as well as Beijing’s desire to continue to strengthen its relationship with Doha as a major strategic partner in the region.
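Russia
The Russian government very likely harbors a strong set of grievances that serve as motivation for targeting the 2022 FIFA World Cup in Qatar. Russian activity targeting the tournament may be disruptive in nature or intended to embarrass the international bodies responsible for organizing it, such as FIFA, UEFA, or public and private international sponsors.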
Following Russia’s invasion of Ukraine in late February 2022, FIFA and UEFA issued a blanket ban against Russian football clubs from competitions, including the upcoming World Cup, in protest of the invasion. Subsequently, the Football Union of Russia abruptly withdrew its appeal of the decision in early April, resulting in the ban remaining in place.
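Russian state-sponsored APT groups have a history of targeting international sporting bodies and events dating back to 2016, presumably in retaliation for Russian athletes being banned from major international competitions such as the Olympics following a series of doping scandals. Past Russian state-sponsored activity targeting these organizations includes: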
- The Russian Main Intelligence Directorate’s (GRU) reconnaissance against the 2020 Tokyo Olympics in an alleged effort to disrupt the event
- Sandworm’s disruption of the 2018 Pyeongchang Winter Olympics with the Olympic Destroyer malware
- APT28’s hack-and-leak campaign targeting the World Anti-Doping Agency (WADA) and Western athletes’ personally identifiable and personal health information (PII and PHI) during the 2016 Rio de Janeiro Summer Olympics
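- GRU operators’ targeting of the Wi-Fi networks and routers of hotels used by anti-doping officials in Rio de Janeiro and Lausanne, Switzerland, deploying custom malware after gaining access to targets of interest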
While Moscow and Doha are engaged both diplomatically and economically with one another, there are signs of significant strain in the relationship, especially since Russia’s invasion of Ukraine. First and foremost, Qatar has expressed its support for Ukraine and the territorial integrity of the country along its internationally recognized borders. Moreover, the US formally designated Qatar as a “major non-NATO [North Atlantic Treaty Organization] ally” in March 2022 — a move that is very likely interpreted as signaling Qatar’s long-term strategic alignment with NATO and Washington instead of with Moscow. As a result, the Kremlin likely has a particularly strong grievance against Qatar and may view the World Cup as an opportunity to embarrass Qatar’s government.
Nevertheless, despite having the motivation to conduct such disruptive attacks against the World Cup and Qatar, the Russian government is very likely distracted with the war in Ukraine, which has turned into a grinding conflict requiring Moscow to marshal as many of the state’s resources as possible in an attempt to achieve its strategic aims in the face of Ukraine’s staunch armed resistance. It is therefore very likely that Russian APT groups that may otherwise be tasked with disruption of an international event such as the World Cup — especially those aligned with military intelligence such as APT28 or Sandworm, based on historical activity — are instead tasked with prioritizing operations that are directly in support of the war effort in Ukraine.
While we assess it is thus unlikely that established Russian state-sponsored APT groups will conduct such disruptive operations against the World Cup, we cannot rule out that the Russian government will encourage or otherwise tacitly approve of such attacks conducted by nationalistic Russian “hacktivist” groups — such as KillNet or XakNet — or by ransomware operators. Such groups, whether financially or politically motivated, are useful proxy forces that can on occasion further the Russian government’s strategic objectives and provide plausible deniability.
Iran
While Iranian state-sponsored APT groups frequently target public and private entities across the Middle East in both destructive and espionage-focused campaigns, they are not known for executing hacktivist-like attacks against international sporting federations. Moreover, due to the strong trade and diplomatic ties between the 2 countries, Iran’s participation in the World Cup despite calls for its banning, and due to domestic Iranian instability, it is unlikely that Iran will seek to use cyberattacks to disrupt the games as doing so provides no obvious benefit to the regime and risks upsetting a key regional partner in Qatar.
This does not rule out Ministry of Intelligence and Security (MOIS)- or Islamic Revolutionary Guard Corps (IRGC)-linked espionage activity in-country, however, likely primarily directed against high-profile foreign attendees of the game and dissidents and/or critics of the Iranian regime. Such groups, including APT34 OilRig, APT35, APT39, APT42, and MuddyWater are known to routinely carry out espionage operations against Middle Eastern and Western governments and private sector companies in support of Tehran’s economic, political, and military objectives. APT35 has been reported to seek strategic and tactical information and has also undertaken counterintelligence operations at the behest of the IRGC, including in attacks against international conferences and related organizations such as the Munich Security Conference and Think20 Summit in Saudi Arabia. For its part, APT39 has also been reported to focus on counterintelligence and long-term espionage activity with the goals of protecting the regime.
Iran and Qatar have an abnormally close relationship given the latter’s membership in the Gulf Cooperation Council (GCC) regional bloc, and Doha carefully balances its alliance with the US and its economic and security ties with Tehran. These ties only strengthened during and following the 2017 Qatar diplomatic crisis in which Doha sought to replace its traditional trading partners — who instituted an embargo against the country — with imports from Iran and Türkiye. Qatar’s geographic position in the Persian Gulf, as well as its sharing of the world’s largest natural gas field with Iran, induce the 2 to closer relations despite Iranian discomfort with Qatar’s hosting of the largest US military base in the region at Al Udeid. Relations between Iran and Qatar have become so cordial that Iran offered — and Qatar accepted — assistance in hosting hundreds of thousands of visitors to the World Cup on the resort island of Kish, offshore of Iran, thus giving Iran an economic and political stake in the success of the games.
Finally, Iran has in recent months been rocked by domestic instability and widespread protests following the death of Mahsa Amini while in police custody. The protests — the largest in over a decade — have turned violent, resulting in the government issuing lockdowns of the information environment within the country and cutting off the internet from the outside world, as well as deploying security forces authorized to use lethal force to quell the unrest. In order to preserve the regime, maintaining and stabilizing the domestic situation is very likely to be the primary task of the Iranian intelligence and security services in the near term. This suggests that little resourcing would likely be devoted to externally oriented cyber operations during the World Cup, even if Iran had the requisite motivation to do so.
North Korea
North Korean state-sponsored APT groups are unlikely to conduct disruptive or destructive attacks against the upcoming 2022 World Cup in Qatar.
There is very limited precedent for North Korea-linked APT groups targeting international sporting events or organizations. In the 1 instance in which this was observed — in a campaign using the fileless malware “Gold Dragon” targeting Olympics-related organizations in the period surrounding the 2018 Winter Olympics in Pyeongchang, South Korea — the campaign appears to have been focused on intelligence gathering, which is consistent with the majority of North Korea state-sponsored cyber campaigns against the South and likely a part of their routine operations.
Moreover, the majority of historical North Korean state-sponsored APT campaigns have focused on generating revenue for the regime in Pyongyang, which continues to languish under strict international sanctions that limit its access to global markets. These attacks have primarily consisted of compromises of financial institutions, ATM cash-out schemes, or cryptocurrency theft. With the exception of ransomware or other forms of extortion attacks such as the WannaCry campaign, disruptive attacks are difficult to monetize and are therefore likely of lower interest and priority to the regime.
With respect to the 2022 World Cup, North Korea likely lacks the political motivation to engage in disruptive or destructive activity against the games. Pyongyang voluntarily withdrew from World Cup qualifiers in May 2021 likely due to concerns over COVID-19, but unlike Russia was never formally banned from participation by the organizing bodies. Moreover, Qatar has — at least until the imposition of recent United Nations (UN) sanctions that went into effect at the end of 2019 — been host to thousands of North Korean migrant laborers. Many of these laborers were integral to the construction of the venues for the upcoming World Cup games, including the aforementioned Lusail Stadium which was built by a Chinese firm. Overall, Qatar has proven more willing than many governments to continue some form of direct relations with North Korea, and Pyongyang is unlikely to see a benefit to damaging relations via disruptive cyberattacks against the World Cup.
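Cybercriminal Threats
As noted earlier, large international sporting events such as the 2022 FIFA World Cup are attractive targets for financially motivated cybercriminals. Cybercriminal threats to the 2022 FIFA World Cup include, but are not limited to, tournament-related phishing attacks, tournament-related fake mobile applications that can distribute malware and harvest user data, dark web markets and shops selling counterfeit tickets, and ransomware threats.
Phishing and Scams
Cybercriminals are exploiting the 2022 FIFA World Cup for phishing attacks and other scams. Cybercriminals are almost certainly creating fraudulent websites related to the 2022 FIFA World Cup that can be used in phishing campaigns to harvest personal information from victims, including financial information such as payment card details, or to distribute malware.
Between October 31, 2021 and October 31, 2022, we identified:
- 130 registered typosquat domains for fifa[.]com, 30 of which were created in October 2022 as the 2022 FIFA World Cup approached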
- 143 registered domains that include the terms “Qatar” and “2022”, some of which are impersonating the official 2022 FIFA World Cup website, qatar2022[.]qa, such as in Figure 1
- 889 registered domains that include the terms “World” and “Cup”
- 56 registered domains that either include the terms ([“FIFA” or “Qatar”] and “Ticket”), or (“World” and “Cup” and “Ticket”).
Figure 1: Example of a typosquat domain impersonating the legitimate qatar2022[.]qa domain; the website redirects to other suspicious websites (Source: qatar2022[.]pro)
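The counting rules in the list above can be turned into a triage filter for newly registered domains. The following Python sketch is an added example, not Recorded Future's tooling; the edit-distance thresholds, the tag names, and every sample domain other than qatar2022[.]pro are assumptions constructed for illustration.

```python
"""Triage newly registered domains with the keyword rules listed above."""

PROTECTED = ("fifa.com", "qatar2022.qa")  # legitimate domains named on the page
MAX_EDITS = 2                             # assumed typo tolerance for long labels


def refang(domain: str) -> str:
    """Turn a defanged indicator such as qatar2022[.]pro into a plain hostname."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            rows[i][j] = min(rows[i - 1][j] + 1,
                             rows[i][j - 1] + 1,
                             rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]


def classify(raw: str) -> list[str]:
    """Return the rule tags a domain matches; an empty list means no match."""
    host = refang(raw)
    if any(host == p or host.endswith("." + p) for p in PROTECTED):
        return []  # the legitimate domain itself or one of its subdomains
    tags = set()
    labels = host.split(".")[:-1]  # every label except the TLD
    for protected in PROTECTED:
        brand = protected.split(".")[0]
        # Short brands get a tighter limit, otherwise "fifa" matches too much.
        limit = 1 if len(brand) <= 5 else MAX_EDITS
        # Distance 0 is a TLD swap or the brand reused as a subdomain label.
        if any(edit_distance(label, brand) <= limit for label in labels):
            tags.add("typosquat:" + protected)

    def has(*terms: str) -> bool:
        return all(term in host for term in terms)

    if has("qatar", "2022"):
        tags.add("kw:qatar+2022")
    if has("world", "cup"):
        tags.add("kw:world+cup")
    if has("ticket") and (has("fifa") or has("qatar") or has("world", "cup")):
        tags.add("kw:ticket")
    return sorted(tags)


def triage(domains: list[str]) -> dict[str, list[str]]:
    """Keep only the domains that matched at least one rule."""
    results = {d: classify(d) for d in domains}
    return {d: tags for d, tags in results.items() if tags}


# Constructed sample feed; only qatar2022[.]pro appears on the page (Figure 1).
SAMPLE = [
    "qatar2022[.]pro",
    "fiffa[.]com",
    "worldcup-tickets-2022[.]example",
    "qatar2022[.]qa",
    "www[.]fifa[.]com",
    "weather[.]example",
]

if __name__ == "__main__":
    for domain, tags in triage(SAMPLE).items():
        print(f"{domain:35} {', '.join(tags)}")
```

Keyword matches are broad by design, so the output is a review queue rather than a blocklist; each hit still needs registration date, hosting, and content checks before action is taken.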
We identified 669 references to 2022 FIFA World Cup phishing campaigns between October 31, 2021 and October 31, 2022. These phishing attacks have targeted both organizations and individuals, though as the tournament approaches, phishing attempts are very likely to focus on targeting individuals. Phishing attacks targeting individuals relate to various components of the tournament, including: tickets to the games (typically so-called “ticket giveaways”); free streaming services for when the tournament begins; betting websites; and tournament-adjacent items like visas and travel, hotel, and restaurant bookings. In November 2021, Kaspersky reported that they detected 11,000 phishing emails between August 15 and October 15, 2021 primarily targeting organizations by inviting bids on contracts to supply goods or services for the 2022 FIFA World Cup, where recipients were asked to pay a commission to participate.
Another attack vector used by cybercriminals is creating fraudulent mobile applications that impersonate legitimate ones, such as the “Hayya to Qatar 2022” mobile application created by Qatar’s Supreme Committee for Delivery and Legacy (Apple, Google Play). We identified multiple mobile applications posing as the official 2022 FIFA World Cup application, with thousands of downloads. Although we have not conducted an analysis of these mobile applications, we strongly recommend that individuals only download official 2022 FIFA World Cup mobile applications such as those created by Qatar’s Supreme Committee for Delivery and Legacy and by FIFA.
Dark Web Activity
We identified 277 references to the 2022 FIFA World Cup on dark web special-access forums between October 31, 2021 and October 31, 2022. We observed discussions of individuals claiming to be selling tickets to the 2022 FIFA World Cup, as well as other individuals posting in an effort to purchase tickets. We also observed an individual sharing the likely compromised login details of 2 accounts for beIN CONNECT, a state-owned global sport and entertainment network headquartered in Doha, Qatar, with the individual stating “SAVE FOR WORLD CUP”.
Figure 2: Example of a post advertising the sale of 2022 FIFA World Cup tickets on a dark web forum (Source: Recorded Future)
Another notable post includes an October 4, 2022 post on Cracked Forum by “xAcordx” advertising a malicious .doc exploit file that is claimed to be fully undetectable (FUD) by all antivirus solutions, that “can be sent via Gmail and other popular email providers”, and that “downloads and executes any file when ran [sic]”. The file is advertised at $600 for a single full FUD build, or $2,400 for the builder allowing unlimited builds with a weekly update to maintain its FUD status. The post advertises many different lures for the document, including “world cup” and “world cup qualifying”, demonstrating that the 2022 FIFA World Cup is being used as a lure in malicious documents. The threat actor also includes in their listing a proof-of-concept video that demonstrates the exploit’s functionality.
Figure 3: Exploit with the capabilities advertised by xAcordx (Source: Cracked Forum)
Furthermore, Recorded Future’s Identity Intelligence Module identified credential leaks for 14 unique *@qatar2022[.]qa email addresses on both clearnet and dark web sources, including 8 unique email addresses with associated passwords. These credential leaks were included in database dumps including GoNitro Database Dump, Cit0day Dump, ShareThis Data Dump, Zynga Data Dump, Dropbox Credential Dump, and Qatar National Bank Data Dump, while other credentials were stolen through infostealer malware such as Vidar. Credential leaks can be abused by threat actors to obtain initial access into an organization or to perform additional fraudulent activities such as social engineering, spearphishing, and business email compromise (BEC). However, the passwords associated with the email addresses in the aforementioned breaches could be passwords for other websites where the owner used their qatar2022[.]qa email address for a different online service, and are not necessarily the passwords for the owner’s email account or corporate network. Using unique passwords for each online service mitigates the risk that leaked credentials can be used by threat actors to access more than 1 online service.
Finally, we identified 269 references to tickets[.]fifa[.]com and hayyar[.]qatar2022[.]qa on dark web shops, specifically Russian Market, Genesis Store, and 2easy Shop. These 2 domains are used for purchasing 2022 FIFA World Cup tickets and applying for the Hayya Card, respectively. All tournament visitors need a Hayya Card to enter Qatar, access the stadiums, and use free public transportation on match days, among other things. Visitors applying for a Hayya Card must provide personal information. As described below, these dark web shops sell compromised account details and user log packages, and cybercriminals can purchase compromised account details from these and other dark web shops and marketplaces to obtain information that could lead to further theft of PII data and match tickets.
- Russian Market is a dark web shop operated by the threat actor “RussianMarket” that sells dumps, RDP and SSH access, logs, and various account details. Threat actors who purchase credentials typically log in to the accounts, drawing on extensive information about the source of the credentials and cookies scraped from the victim, to carry out malicious activity such as BEC, privilege escalation, and overall takeover of an online identity.
- Genesis Store sells packages of compromised account credentials and associated user data designed to allow threat actors to bypass anti-fraud solutions. Victim data is sold in a single package referred to as a “bot”, which includes account credentials, IP address, browser fingerprint (system information), and cookies. After purchasing a bot, the victim data can be imported into a browser plugin called Genesis Security, allowing the attacker to masquerade as the victim to perform attacks such as account takeovers or card-not-present fraud. The price for each bot varies depending on the amount of account credentials, types of accounts, and geographical location of the victim.
- 2easy Shop sells stealer logs harvested from victims infected with infostealers. The prices for logs vary between $3 and $200 per listing and include compromised user logs and accounts from hundreds of organizations worldwide. When compromised data is purchased on 2easy Shop, a buyer typically receives a victim’s browser cookie data, browser history, screenshots, general system information about compromised machines, and other data. The compromised account credentials and associated user data are commonly used by threat actors to bypass targeted organizations’ defenses and anti-fraud solutions.
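Ransomware
We have not identified specific threats from ransomware groups indicating an intent to target the 2022 FIFA World Cup, though we would not expect such conversations to take place publicly. Similar to what we described in our threat report on the 2022 Winter Olympics, the 2022 FIFA World Cup could be seen as an attractive target for ransomware attacks given the significant payout that could be obtained, as tournament-related organizations want the tournament to run as smoothly as possible. Potential targets could include organizations supporting the 2022 FIFA World Cup, including those in the transportation, media, healthcare, logistics, and security sectors. However, ransomware operators are more likely to target victims opportunistically based on factors such as accessibility, opportunity, and the ability to pay a large ransom, rather than conduct a large-scale coordinated attack. We have created dozens of hunting packages for ransomware families that can be used to detect ransomware samples and behavior.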
As discussed above, as a result of Russia being banned from participating in the 2022 FIFA World Cup due to their war against Ukraine and their strained relations with Qatar, we cannot rule out that the Russian government will encourage or otherwise tacitly approve disruptive attacks conducted by nationalistic Russian “hacktivist” groups — such as KillNet or XakNet — or by ransomware operators. Such threat groups, whether financially or politically motivated, are useful proxy forces that can on occasion further the Russian government’s strategic objectives and provide plausible deniability. We have previously documented the ties between the Russian state and Russia-based cybercriminals in our report “Dark Covenant: Connections Between the Russian State and Criminal Actors”.
Influence Operations
As a result of Qatar’s unique geopolitical position, influence operations involving the 2022 FIFA World Cup will likely attempt to “win over” Qatar by emphasizing and promoting bilateral relations while creating and exacerbating tensions between Qatar and the influencer’s adversaries. As discussed above, Qatar maintains good relations with Iran and China, and previously had good relations with Russia that have since been strained as a result of Qatar siding with the coalition of countries supporting Ukraine’s territorial integrity. Meanwhile, Qatar enjoys good relations with the US, UK, Germany, and many other Western countries. Qatar also offers Europe an alternative to their dependency on Russian gas exports during Russia’s war against Ukraine.
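Positive Influence
We have observed efforts by Iran, China, and Russia to emphasize their support for Qatar’s hosting of the 2022 FIFA World Cup and to promote bilateral relations through state-owned media outlets. For example: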
- Iran’s Mehr News Agency published an article on October 18, 2022 entitled “Iran calls for boosting Tehran-Doha economic cooperation”, citing “the readiness of the Islamic Republic of Iran to provide any kind of assistance for holding the 2022 World Cup in Doha”.
- China’s Global Times published an article on October 24, 2022 entitled “China-Qatar relations exemplified in World Cup preparation, giant panda fostering, joint efforts in energy crisis: ambassador” following an interview with Qatar’s Ambassador to China Mohammed bin Abdullah Al Dehaimi.
- Russia’s RT published an article on October 13, 2022 citing Putin’s support of Qatar hosting the 2022 FIFA World Cup, stating that Russia is “doing everything we can in terms of transferring [our] experience of preparing for the World Cup”, with the Emir of Qatar, Sheikh Tamim bin Hamad al-Thani, responding that “Russian friends have provided great support to Qatar, especially in terms of organization, with the organizing committee of the 2022 World Cup … We thank you for this and we are proud of this relationship”.
Negative Influence
Western countries (including Germany, Denmark, France, and others) have been critical of Qatar’s hosting of the 2022 FIFA World Cup, citing human rights concerns in the country. This criticism presents an opportunity for adversaries to highlight divisions and exacerbate tensions between Qatar and the West. We have not observed China taking advantage of this opportunity, whereas Iran and Russia have used state-owned media organizations to highlight Western criticism of Qatar. For example:
- Iranian state media highlighted multiple examples of Western countries criticizing Qatar due to human rights concerns, including: remarks from Germany’s Interior Minister Nancy Faeser; the Netherlands’ House of Representatives asking the Dutch government to not send a delegation (though the Dutch government ultimately decided to send a delegation); German football player Toni Kroos stating that he’s against the 2022 FIFA World Cup being hosted in Qatar; and more.
- Russia’s RT also highlighted multiple examples of Western countries criticizing Qatar due to human rights concerns, including: multiple men’s football teams protesting with their football kits; remarks from Germany’s Interior Minister Nancy Faeser; reports that some French cities will not be broadcasting the 2022 FIFA World Cup in public areas in protest against Qatar; and more.
- Global Research’s French-language website, Mondialisation[.]ca, published an article on October 28, 2022 stating that Western countries have launched a campaign to criticize Qatar on “LGBT issues, or the conditions of foreign workers” because Qatar has “not bowed to Western pressure on gas supplies to replace Russian gas”. Global Research is a documented pillar of Russian disinformation and propaganda, and has previously “published or republished seven authors attributed by Facebook to be false online personas created by The Main Directorate of the General Staff of the Armed Forces of the Russian Federation, popularly known as the GRU”.
- Both Iran’s Fars News and Russia’s RT France published articles on October 25, 2022 citing the Emir of Qatar, who stated that Qatar has faced unprecedented criticism since winning the bid to host the 2022 FIFA World Cup and that the criticism included “fabrications and double standards that were so ferocious that it has unfortunately prompted many people to question the real reasons and motives behind the campaign”.
Figure 4: Sentiment analysis of references to the 2022 FIFA World Cup in Iranian, Chinese, and Russian state-owned media (Source: Recorded Future)
Endless Mayfly
There is a particular precedent in Iran for using influence operations in an attempt to sow discord between Qatar and its international partners and regional neighbors, such as the Endless Mayfly influence operation uncovered by Citizen Lab in May 2019. This influence operation was “an Iran-aligned network of inauthentic websites and online personas” used to amplify geopolitical tensions by spreading false and divisive information critical of Saudi Arabia, the US, and Israel, among others, since at least early 2016.
The Endless Mayfly influence operation included 1 instance of disinformation specifically involving the 2022 FIFA World Cup, namely that 6 Arab countries had asked FIFA to strip Qatar’s right to host the FIFA World Cup in 2022. This disinformation attempted to exacerbate geopolitical tensions between Qatar and Arab countries following the Qatar diplomatic crisis in June 2017, whereby Gulf countries and other Arab nations including Saudi Arabia, the United Arab Emirates (UAE), Egypt, Bahrain, and others severed diplomatic relations with Qatar, blaming Qatar for “[embracing] various terrorist and sectarian groups aimed at destabilising the region”, including the Muslim Brotherhood, al-Qaeda, Islamic State, and Iran-supported proxy groups within Gulf nations. The 1 instance of disinformation involving the 2022 FIFA World Cup was part of 11 inauthentic articles identified by Citizen Lab that aimed to exacerbate Saudi-Qatar tensions.
Endless Mayfly’s disinformation campaign involving the 2022 FIFA World Cup involved the creation of an inauthentic The Local article on July 15, 2017 alleging that 6 Arab countries had asked FIFA to strip Qatar’s right to host the 2022 FIFA World Cup. The inauthentic article was hosted on a lookalike domain, telocal-xt3c[.]com, instead of thelocal[.]com. Reuters then published an article on July 16, 2017 citing the inauthentic The Local article, with the heading "Boycott nations demand FIFA strips Qatar of 2022 FIFA World Cup – report".
Figure 5: Reuters article citing the inauthentic The Local article involving the 2022 FIFA World Cup (Source: Reuters)
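The Endless Mayfly online persona @Shammari_Tariq then amplified the story by publishing an article on BuzzFeed Community, which allows user-submitted content, citing both the inauthentic The Local article and the Reuters article. Another Endless Mayfly online persona, @GerouxM, published an article on Medium that repeated the claim and cited the inauthentic The Local article. After the Reuters article was published, multiple other media outlets, including Global News, The Jerusalem Post, Bleacher Report, and Haaretz, also reported the story, quickly spreading the disinformation to a wider audience.
Physical Threats
Qatar is unlikely to face a major physical security threat during the 2022 FIFA World Cup due to the tournament's substantial security apparatus and the reduced capabilities of global terrorist organizations. An externally directed terrorist attack is unlikely for the reasons listed below but would potentially have the greatest impact, and unmanned aerial systems (UAS) are a unique threat vector for targeting attendees and disrupting the event. Qatar has taken steps to mitigate these risks by strengthening its defenses, and is receiving security assistance from multiple countries for the duration of the 2022 FIFA World Cup, particularly to defend against UAS attacks.
Terrorist Tactics and UAS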
Terrorist attacks typically use unconventional methods to inflict casualties, disrupt societies, and damage economies. These tactics vary based on the environment in which the terrorists operate, but have included solo knife attacks, coordinated small arms operations, suicide bombings, vehicle ramming, and UAS, including so-called “suicide drones”. The use of UAS represents a potentially significant evolution in terrorist operations since it utilizes commercial off-the-shelf technology readily available in many countries, which can be modified to deploy explosive payloads or perform target reconnaissance. UAS may also be operated beyond line of sight, enabling operators to control them from a place of relative seclusion. More advanced UAS –– such as those reportedly supplied by Iran to the Ansar Allah (Houthis) movement for use against the Saudi-led coalition in Yemen –– are capable of traveling long distances and could reach Qatari territory. Even unarmed UAS can pose a threat to critical infrastructure, as demonstrated by the standstill created by UAS flying near London’s Gatwick Airport in December 2018 and Dubai Airport in 2016 and 2019.
Qatar has faced minimal terrorist attacks in recent years. According to the US Department of State, there were no reported terrorist incidents in Qatar in 2020 (the most recent year they published such data) or 2019. Recorded Future’s Geopolitical Intelligence Module did not identify any notable references to terrorist attacks in Qatar in the last 3 years. There have also not been any recent UAS attacks against Qatar. However, the Houthis have used UAS against targets in nearby Saudi Arabia and the UAE in the past few years. For example, the Houthis launched UAS attacks against the UAE as recently as January and February of 2022, and have regularly targeted critical infrastructure in Saudi Arabia including oil facilities and pipelines and airports. Islamist terrorist groups such as ISIL have also used UAS, and the United Nations’s top official on counter-terrorism, Vladimir Voronkov, reportedly told the UN Security Council in August 2022 that ISIL “has also significantly increased the use of UAS in the past year, including reported [sic] in northern Iraq”.
Terrorist Groups
In June 2017 several Arab countries, including but not limited to Saudi Arabia, the UAE, Egypt, Jordan, and Bahrain, broke diplomatic ties with Qatar, accusing Qatar of embracing “various terrorist and sectarian groups aimed at destabilising the region”, including the Muslim Brotherhood, al-Qaeda, ISIL, and groups supported by Iran in Saudi Arabia’s eastern province of Qatif. This rupture came after years of similar concerns expressed in the US by Congressional members, Treasury Department officials, and foreign policy experts. Relations between Qatar and its fellow Gulf countries began to be restored in January 2021, and the US government has partnered with Qatari counterparts to stem the flow of terrorist financing on the Arabian peninsula, indicating that Doha is taking steps to address these concerns. Nevertheless, Qatar’s unique geopolitical position, as discussed in the Influence Operations section of this report –– particularly its good relations with Iran –– likely contributes to the lack of terrorist attacks that have affected Qatar.
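Although an externally directed terrorist attack targeting the 2022 FIFA World Cup is unlikely, the event could present an opportunity for a symbolic attack on a tournament that represents global cooperation and relations between Western countries and Muslim-majority Arab countries. We note that an attack on the World Cup would align with the historical objectives of the following terrorist organizations and actors: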
ISIL — Since the collapse of its caliphate under a US-led military campaign in March 2019, followed by the subsequent death of its founder, Abu Bakr al-Baghdadi, ISIL has endured a steady decline in its operational capacity, but still likely retains the capability to coordinate or inspire an attack on Qatari soil. Although ISIL has not conducted a large-scale external attack outside of the Levant since the 2019 Easter bombings in Sri Lanka, the 2022 FIFA World Cup would likely be a target of interest for the organization. This assessment is based on the high-profile nature of the event, which will draw numerous political delegations from major Western countries that ISIL has attacked previously, as well as threats ISIL has issued against the Qatari government for a number of perceived sins. These grievances include: hosting US and other foreign forces at Al Udeid air base; supporting the Iraqi Awakening Movement; and collaborating with the Iranian government, the IRGC, and Hezbollah (delivered in a May 2020 audio statement by the former ISIL spokesman, Abu Hamza al-Qurashi, and published in an article in a June 2020 edition of Al-Naba). Also, an infographic in the most recent edition of Islamic State Khorasan Province (ISK)’s Voice of Khurasan magazine celebrated the recent death of Doha-based Sheikh Yusuf al-Qaradawi and denounced his service to the “Taghut of the at-Thani’s house in Qatar” –– using the same derogatory term that ISK reserves for the Taliban, its primary antagonist in Afghanistan.
AQAP — AQAP represents the Al-Qaeda branch that is most capable of conducting an operation targeting the 2022 FIFA World Cup, although operational limitations imposed by Yemen’s intractable civil war very likely will reduce AQAP’s ability to launch such an attack. As noted by a recent UN Security Council report, despite battlefield setbacks in recent years, AQAP remains a serious threat in Yemen and seeks to reconstitute its ability to conduct international operations. However, the realities of fighting a multifront war against the Houthis, Saudi-led coalition forces, and members of the Islamic State’s Yemen affiliate have required AQAP to retrench significantly. Aside from 2 attacks in 2019, occurring in Saudi Arabia and the US, the group has focused its operations on targets within Yemen –– indicating that the World Cup presents an unlikely target.
Lone Wolves — Despite not sending a significant number of foreign fighters to Iraq and Syria during the rise of ISIL’s self-declared caliphate (and thus having a limited rate of returnee extremists), Qatar contends with an elevated risk of domestic violent extremism; a lone wolf attack targeting the World Cup is thus a possibility, although such an event is unlikely. In 1 social media study conducted in 2014, 47% of Qatar-based social media posts about ISIL expressed positive sentiment, a significant deviation from the much lower percentages found across Europe and the Middle East. Although the US Department of State believes Qatar is making strides in addressing violent extremism, its most recent country report pointedly observed that state-supported intolerance, sectarianism, and violence are still found in textbooks and disseminated through media.
Security Defenses
Qatar has enhanced its own security in the lead-up to the 2022 FIFA World Cup. The government plans to use its own drones to enhance surveillance and security patrols, and the Qatari government reportedly deployed 32,000 government security forces and 17,000 private security forces during a 5-day security exercise across the country in October 2022, indicating the scale of Qatar’s security defenses. Furthermore, Qatar is receiving security assistance from multiple countries for the duration of the 2022 FIFA World Cup, including:
- The US: the US made a number of commitments “to strengthen Qatar’s event security, port security, screening, contraband interdiction, and risk management capabilities”, such as helping Qatar “to identify air passengers linked to terrorism and trafficking of narcotics, weapons, currency, and people”. The New York Police Department also met with Qatar’s police forces to exchange expertise. More recent memorandums of understanding have been signed between the US and Qatar on defense cooperation around the 2022 FIFA World Cup.
- The UK: the Royal Air Force (RAF) and Royal Navy “will support Qatar with military capabilities to counter terrorism and other threats to the tournament” including “maritime security support from the Royal Navy, advanced venue search training, operational planning and command and control support, and further specialist advice”.
- France: France is sending around 220 police officers to provide “high-level expertise and specialised logistical support”. The officers are primarily anti-drone police, in addition to bomb-disposal experts, sniffer dogs, anti-terror police, and police officers specialized in tackling football hooliganism. Other French support reportedly includes “a BASSALT anti-drone system that detects and identifies incoming drones” and an E-3F Airborne Warning and Control System (AWACS) aircraft.
- Italy: the Italian Air Force is “deploying a Counter-Unmanned Aerial Anti-Drone Task group to further support the Qatari Armed Forces' defense” against UAS, with Italian armed forces troops being stationed in the country during the tournament.
- Türkiye: Türkiye is providing 3,000 riot police, 100 special operations police, 50 bomb specialists, and 80 sniffer dogs and riot dogs to Qatar.
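- Pakistan: Pakistan is sending troops to provide security during the tournament.
- Jordan: Jordan has stated its intention to support security for the 2022 FIFA World Cup, and there have been reports that as many as 6,000 former Jordanian soldiers were hired for security work at the tournament, some of whom reportedly returned to Jordan following a pay dispute.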
An additional mitigating factor decreasing the threat of terrorism to the 2022 FIFA World Cup is Qatar’s geographical orientation. Qatar only shares 1 land border with Saudi Arabia and is a peninsula in the Persian Gulf. The border with Saudi Arabia is isolated, has a flat desert topography, and is small enough for security forces to control. While the borders of Bahrain and the UAE are only roughly 10 to 20 miles across the Persian Gulf, these countries, like Saudi Arabia, have cordial relations with Qatar and are not primary incubators of terrorist groups that would seek to target Qatar. A lack of accessible ingress opportunities for terrorist organizations into Qatar, along with Qatar's security defenses discussed above, mitigates (but does not eliminate) the threat of terrorism to the 2022 FIFA World Cup.
Outlook
Qatar’s unique geopolitical position on a contentious global stage means it’s unlikely that state-sponsored APT groups from China, Russia, Iran, and North Korea will conduct a disruptive attack against the 2022 FIFA World Cup, despite Russia having the greatest motivations for doing so. Instead, nationalistic Russian hacktivist groups or ransomware operators could conduct disruptive attacks against the tournament, which as previously noted can provide the Kremlin with plausible deniability.
Cybercriminal phishing attacks are almost certainly going to continue throughout the 2022 FIFA World Cup tournament, before dispersing after the tournament concludes. It’s very unlikely that tournament-themed phishing attacks targeting businesses will continue to use lures that invite victims to bid on contracts or supply goods or services to the tournament given that the tournament begins soon.
It is very likely that Iran and Russia will continue to highlight divisions and exacerbate tensions between Qatar and Western countries that are critical of the tournament being hosted in Qatar, while also promoting their own bilateral relations. Furthermore, Iran, China, and Russia are likely to use the 2022 FIFA World Cup in future influence operations as an example of where the West has sought to impose “Western values” on other countries.
Finally, Qatar is unlikely to face a major physical security threat during the 2022 FIFA World Cup based on the factors explained above. Although Iran, China, and Russia are emphasizing and promoting bilateral relations with Qatar through discourse, countries like the US, UK, France, Italy, Türkiye, and others are providing material security assistance to Qatar for the tournament. This security assistance, building on other security cooperation, in addition to the US formally designating Qatar as a “major non-NATO ally” in March 2022, is likely to lead to further security cooperation between Qatar and Western countries.
The sources used in this report are the Recorded Future® Platform and open sources.