The Russian influence operations aimed at the Paris Olympics 2024 differ in a number of meaningful ways from earlier campaigns, revealing a major evolution in the tactics, technology, and strategic focus of the disinformation machine. It now looks more like a holistic, multi-headed hydra, built to maximize the impact and reach of disinformation efforts.
1. Increased Use of Artificial Intelligence
Perhaps most prominently, many of these operations integrate artificial intelligence (AI) technologies. AI complements and improves upon classic propaganda techniques:
- AI-Generated Audio: Fake audio generated by AI (such as imitations of celebrity voices, like Tom Cruise’s) has sometimes been used to provide background authenticity and appeal to narrative parts of disinformation content; for instance, the film ‘Olympics Has Fallen’ used AI-generated audio to increase its persuasiveness.
This novel technology makes such messages more believable and personalized, and therefore harder for audiences to pick apart.
2. Enhanced Production Quality
The aesthetic has received an upgrade. Earlier efforts, based on cheap and amateur propaganda productions, pale in comparison with the level of professionalism seen in recent campaigns:
- Feature-Length Films: The high quality of a well-polished, major commercial feature, such as ‘Olympics Has Fallen’, reflects a major investment of money and expertise. The film goes well beyond CGI in its visuals (above, the White House blown up) and is supported by major marketing.
This shift reflects a strategic move toward appealing, engaging content that is able to make more effective claims on its viewers in new ways.
3. Multi-Platform Approach
The influence operations are now leveraging a broader range of platforms and content formats. In addition to traditional media channels, they include:
- Films and Videos: Alongside videos, the operations now include feature-length films. Short clips and status updates have flattened websites; full-length films take vertically-oriented video delivery to the next stage.
- Expanded Digital Presence: Such operations are not limited to one particular social media or language but leverage the power of diverse social media, websites, blogging, online video, etc., to take their messages to a wider audience.
Such a multi-platform strategy widens the sphere within which the operations could be carried out, and the more it captures the public’s attention, the harder it is to dismantle through countermeasures.
4. Expanded Language Focus
Initially focused on French-language content, the operations are now broadening their linguistic scope:
- Multilingual Content: There is a growing emphasis on producing content in English, German, and other languages, aiming to reach international audiences beyond the French-speaking population.
Enlarging the linguistic radius in this way will enable the operations to reach a more diverse audience and, in turn, may allow them to expand their global reach.
5. Potential Real-World Provocations
Unlike previous campaigns, which were primarily digital, there are concerns that the current operations may involve real-world actions:
- Staged Events or Protests
This element adds a new dimension to the operations, blending online and offline tactics to enhance the overall impact.
6. Exploitation of Current Events
The influence operations are adept at capitalizing on recent global issues to lend credibility and urgency to their messages:
- References to Global Conflicts: For instance, the campaigns have referenced the Israel-Hamas conflict to fabricate threats against Israeli Olympic attendees, exploiting contemporary geopolitical tensions to stoke fear and division.
By tying their narratives to current world events, these campaigns gain an aura of credibility and currency that makes them all the more compelling.
7. Increased Focus on Creating Fear
The operations that are currently prevalent are especially oriented toward fear-inducing matters such as violence and terrorism.
- Deterrence of Attendance: An overt focus on the ‘dangers of attendance’, on potential threats to be met or avoided, serves as a means of deterring both participation in and attendance at the Olympics. It is an attempt, in other words, to create a culture of fear.
This kind of focus on fear is different from earlier disinformation attempts, which were more about eroding trust and credibility than about mobilizing fear.
8. Broader Targeting
The scope of these operations extends beyond the Olympics themselves:
- Political Targets: There is an obvious attempt to discredit French President Emmanuel Macron and his government and to use the Games to weaken public confidence in his administration.
This broader targeting strategy seeks political goals by impacting the social and political landscape in the host country.
This differs significantly from their past campaigns, which were much cruder. Using AI, better production values, and a multi-platform strategy, the Russian influence ops against the Paris Olympics 2024 and similar operations are vastly more effective and, moreover, more difficult to counter. The move to real-world provocation and to targeting major international events of the day leads in the same direction, towards generating real-world impact rather than just making noise or fomenting polarisation online. More reliance on fear and a broader targeting strategy demonstrate a truly all-out disinformation approach, full frontal and multi-channel, to the integrity and security of the Games.
Storm-1679 and Storm-1099: Key Actors in Olympic-Focused Influence Operations
Storm-1679 and Storm-1099 are distinct entities involved in Russian influence operations targeting the Paris Olympics 2024. These groups use a variety of tactics to undermine the credibility and security of the event, leveraging sophisticated techniques to manipulate public perception and spread disinformation. While both groups share a common goal, there are notable differences in their methods, sophistication, and areas of focus.
Storm-1679
- Sophistication and Production Quality: Storm-1679 is characterized by its high level of sophistication in producing content. This group has been noted for its use of slick computer-generated special effects and a broad marketing campaign to maximize the reach and impact of its messages. A hallmark of their work is the feature-length film “Olympics Has Fallen,” which demonstrates a significant increase in skill and effort compared to typical influence operations. This production quality is indicative of a well-resourced operation capable of creating convincing and engaging content.
- Content Format: Storm-1679 focuses on creating elaborate productions, including a mix of feature-length films and a collection of deceptive videos. These productions often utilize high-quality visuals and narrative techniques designed to engage and manipulate viewers.
- Language Focus: Initially, Storm-1679 produced content primarily in English, occasionally branching out into French and German. Recently, the group has increased its output of French-language content, likely in response to the local relevance of the Paris Olympics 2024 and to target a broader audience within France and neighboring countries.
- Targeting: This group appears to have a broader international focus, aiming to deter spectators from attending the Games by instilling fear and uncertainty. They have employed various themes, including the potential for violence and terrorism, to discourage international travel and participation.
- Tactics: Storm-1679 employs advanced techniques such as AI-generated audio, including fake celebrity voices like that of Tom Cruise, and deepfakes. These technologies enhance the plausibility and impact of their disinformation campaigns, making it more challenging for audiences to discern truth from fiction.
- Timeline: Storm-1679 began its Olympics-focused campaign earlier, starting in June 2023 with the release of “Olympics Has Fallen.” This early start allowed them to establish a presence and begin influencing public perception well ahead of the Games.
- Specific Themes: The group’s content heavily emphasizes themes designed to create fear, particularly focusing on the risks of violence and terrorism at the Games. This narrative is aimed at creating a climate of fear and uncertainty, potentially impacting attendance and participation.
Storm-1099
- Sophistication and Production Quality: While Storm-1099 is also engaged in influence operations, the group is generally less sophisticated than Storm-1679. Their operations are less polished, focusing more on volume and spread rather than high production values.
- Content Format: Storm-1099 produces a variety of content types, including simple videos and written posts. Unlike Storm-1679, they do not engage in elaborate productions but instead focus on a more direct and widespread dissemination of disinformation.
- Language Focus: The group’s content primarily targets local and regional audiences, with a strong emphasis on French language material, reflecting a more localized approach.
- Targeting: Storm-1099 appears to focus more narrowly on specific audiences within France and neighboring regions. Their campaigns often aim to exploit local concerns and controversies, creating discontent and division.
- Tactics: This group uses basic techniques such as social media manipulation and spreading false news articles. They do not typically employ advanced technologies like AI-generated content or deepfakes, making their operations easier to detect but still potentially impactful due to their volume and reach.
- Timeline: Storm-1099’s activities have intensified in recent months, indicating a more reactionary approach compared to the premeditated and planned operations of Storm-1679.
- Specific Themes: Their content often touches on more general disinformation, including false information about the safety and organization of the Games, without the same focused narrative on violence and terrorism seen with Storm-1679.
Key Differences Between Storm-1679 and Storm-1099
- Sophistication and Production Quality: Storm-1679 is noted for its high production values and sophisticated use of technology, including AI and deepfakes, whereas Storm-1099 operates with a more straightforward approach.
- Content Format: Storm-1679 produces elaborate and polished productions, such as feature-length films, while Storm-1099 focuses on simpler and more frequent content dissemination.
- Language and Targeting: Storm-1679 has an international focus with multilingual content, whereas Storm-1099 primarily targets French-speaking audiences.
- Tactics: Storm-1679 employs advanced technologies like AI and deepfakes, while Storm-1099 relies on more traditional disinformation techniques.
- Timeline: Storm-1679 started its campaign earlier and has been more consistent, while Storm-1099 has shown a recent increase in activity.
- Specific Themes: Storm-1679 emphasizes fear of violence and terrorism, while Storm-1099 focuses on broader disinformation themes.
These differences highlight the multi-faceted nature of Russian influence operations targeting the Paris Olympics 2024, with each group playing a distinct role in the overall campaign. Understanding these distinctions is crucial for developing effective countermeasures and ensuring the integrity and security of the Games.
How Threat Intelligence Can Help Protect the Olympics
Threat intelligence plays an important role in cybersecurity, and it’s no different for the Paris Olympics 2024. We mentioned that one of the challenges in defending the Olympics is the diversity of threats at various scales. By providing timely, actionable information, threat intelligence can enable Paris Olympics 2024 to take preemptive action and bolster the security posture of the sports venue. Here are some ways to employ threat intelligence to protect the Olympics:
1. Early Detection of Threats
Using threat intelligence aligned with the information model, organizations can continuously monitor control systems, underlying networks, and the larger context from a wide range of information sources, including the dark web, social media, and attacker sites and forums. This can allow for early detection of potential cyber threats before they actually attack. For example, threat intelligence monitors could track communications from the People’s Cyber Army and NoName057(16), along with other groups of AI bots who have made explicit threats against the Olympics. With this insight, security teams can develop mitigation strategies before a risk materializes.
2. Understanding Attack Vectors
Understanding attack vectors requires knowing what happened in earlier attacks and threats, as well as what is happening currently. Threat intelligence helps anticipate where the next attack is most likely to come from and the tactics, techniques, and procedures that the human actors behind it will use, or, as we say, what a bad actor is seeking to exploit. For example, Distributed Denial-of-Service (DDoS) attacks, phishing, ransomware, and supply chain attacks are all possible threat vectors we commonly see in the intelligence we produce for clients. Based on this knowledge, we can prepare and strengthen defenses accordingly to make sure that any investment of time and money is focused on the most likely types of attacks.
3. Real-Time Threat Monitoring
To find anomalies (both so-called ‘normal’ anomalies and potential intrusions) in real time, we need to continuously monitor both the network level and the system level. An effective detection strategy, therefore, employs advanced threat detection systems: state-of-the-art systems of signatures and patterns that can warn of unusual behavior that may otherwise not be detected by exception-based detection rules. For example, we would like to detect signature markers of malware, such as the Olympic Destroyer that hit systems at the 2018 PyeongChang Olympics, so that we can take immediate preventive actions in case of potential malicious intent.
4. Strengthening Cybersecurity Posture
Threat intelligence enables the development and application of targeted cybersecurity measures, such as multi-layered protection (often termed ‘defense in depth’) built from firewalls, intrusion detection systems, and advanced encryption strategies, to protect systemic critical infrastructure, such as the power grid, and critical information held by governments, corporations, and individuals. Without insight into the nature of the threat, it is considerably more difficult to design and apply security measures effectively.
5. Incident Response Planning
Integrating threat intelligence into incident response plans means that cyber incidents can be better handled, faster. Regular top-down cybersecurity drills and exercises based on realistic threat intelligence scenarios familiarise the security teams with the signs and symptoms of a real-world cyberattack and hasten response times and effectiveness. This enables the whole company to rehearse its incident response behaviours and allows teams to refine incident response strategies and ensure company-wide familiarity with cyber roles.
6. Collaboration and Information Sharing
By sharing threat intelligence with law enforcement, sponsors, and any other cybersecurity company that could help, you’re helping maximize ‘collective defense in cyberspace,’ he says. In fact, the FrenchSSI’s dedicated cybersecurity staff coordinates all stakeholders of the Paralympic and Olympic Games in Paris 2024. That way, everyone knows everyone else who’s behaving badly, as well as who is out there trying to stop them.
7. Securing Sponsors and Partners
If you are able to identify a threat that is specifically targeting an Olympic sponsor or partner (such as Intel or Deloitte), you can ensure that those sponsors and partners take appropriate protective measures as well. For example, if these organizations know that their security is the target of attacks, they’ll bolster their cybersecurity systems to protect their technology and services. Securing their components helps to secure the whole.
8. Safeguarding Critical Infrastructure
Processes related to critical infrastructure – including transportation, telecommunications, and event-management systems – will use threat and malware intelligence to detect potential compromise and prevent operational degradation. To shield attendees and athletes from potential data breaches and other operational failures, security teams will monitor the security of mobile apps and online platforms in real time. The intricate process of securing the Rio event illustrates the complex but necessary efforts that should be undertaken before, during, and after major events. While our research at VUB center C-mine focuses on the Tor anonymity network and other related technologies, our security recommendations can also be applied by threat-intelligence services, law enforcement agencies, and infrastructure providers, including transportation operators, accommodation providers, and retailers, among others.
9. Preventing Financial Fraud
Threat intelligence can be applied to detect and mitigate cybercriminal activities surrounding the event, especially financially motivated attacks like ticket scams and ransomware. Monitoring for fake websites and phishing campaigns during the Olympic ticket sales process and related financial transactions not only ensures that financial fraud is reduced but also protects the event’s revenue stream and helps to safeguard ticket buyers’ financial credentials.
With threat intelligence, the Paris 2024 Olympics will have the tools it needs to implement a well-thought-out cybersecurity strategy. Early detection of threats, awareness of the possible attack vectors, real-time analysis of events to quickly implement a corrective course of action, and support for improved defensive measures across different threat vectors are just some examples of how threat intelligence can aid in safeguarding the event. A comprehensive cybersecurity strategy, aided by threat intelligence, is required because cyber-attacks are targeted and not random. Figures can be misleading, as often the number of cyber-attacks is counted by the number of probes. However, in these cases, it is noteworthy that the target was of little significance. While cyber-attacks have become more common than in the past, attackers have become more selective about pursuing their intended targets. Threat intelligence helps to understand whether a specific target, like a sponsor or a segment of infrastructure vital to the Olympics or financial transactions, has been marked as an intended target of an attack. A proactive and informed cybersecurity strategy, supported by threat intelligence, is crucial to ensuring a safe Paris 2024 Olympics.