Palo Alto Networks: Inside the Winter Olympics of Cybercrime

The Olympic Winter Games – this year hosted in Milano-Cortina – is an event adored by billions.
Despite being a stellar showcase of sportsmanship, it could also sadly be an icy battleground of cybercrime.
Palo Alto Networks' Unit 42 Cyber Vigilance Threat Report looks at patterns from recent years.
From disrupted WiFi and digital infrastructure at PyeongChang 2018 to attempted sabotage of pre-Games activities in Tokyo 2020 by Russian threat actors and the extreme spike in DDoS attempts, and even Olympics-themed phishing attempts and scam traffic during the 2024 Paris Olympics, the record suggests the 2026 Winter Games could be a hotbed for malicious cyber activity.
With three billion keen eyes expected on the Milano-Cortina 2026 Winter Games, Unit 42 says that “cyber threat actors are going for gold”.
“We know from previous experience that large events with significant media coverage make lucrative targets for a diverse range of threat actors,” Kristopher Russo, Principal Threat Researcher at Unit 42, told Dark Reading.
“Objectives frequently include disruption, misinformation and profit. To achieve these objectives, there are any number of approaches on offer, ranging from low-skilled DDoS campaigns to highly targeted network intrusions and even physical offensives.”
Winter Olympics 2026 cyber threats: Ransomware, espionage, hacktivism and scams
High on Palo Alto Networks' threat radar are ransomware gangs, waiting to bank large sums by disrupting critical infrastructure, transit systems or even event-based ticketing systems and POS terminals.
By putting pressure on victim enterprises and frustrated fans, highly organised ransomware gangs like Dark Scorpius – with a victim tally of more than 500 – could be on the prowl, scouting new targets.
Palo Alto Networks' Unit 42 has observed that the notorious gang is highly skilled, moving from initial access to data exfiltration in under 14 hours by disabling security tools, deploying backdoors and escalating its own privileges.
As the Winter Olympic Games arrive in a geopolitically volatile environment, politically motivated attacks and espionage that target diplomats, NGOs and think tanks to collect strategic intelligence should be expected.
The operations of the Russia-backed cyber espionage group Fighting Ursa, also known as APT28, include attacks against the German and Norwegian parliaments in the run-up to the 2024 Paris Olympics, which stand as proof that the threat of espionage at the Milano-Cortina Winter Games is more than hypothetical.
China’s Stately Taurus, also known as Mustang Panda, and North Korea’s Kimsuky are other notorious examples.
Hacktivist groups also use such major sporting events to draw attention to their cause by creating major disruption targeting high-profile individuals.
A prime example is the series of Anonymous attacks on a wide range of targets, from the CIA to the Church of Scientology.
As with any major event, Palo Alto advises keeping an eye out for petty scammers, who will be at large using fake websites, bogus QR codes, fraudulent apps and other tools to scam fans and attendees.
Threat actors to watch for Winter Olympics: Muddled Libra, Insidious Taurus and Salt Typhoon
Palo Alto Networks’ Unit 42 has observed the activity of a group called Muddled Libra – aka Scattered Spider or UNC3944 – in the government, retail, insurance and aviation sectors, and hence categorises Scattered Spider as a threat to watch out for at the upcoming Winter Games.
While it is unknown if the group is sponsored by nation states, it has been linked to a range of massive cyber attacks in 2025 alone, including the M&S, Harrods, Co-op, JLR, Victoria's Secret and Adidas cyberattacks.
Insidious Taurus and Salt Typhoon are Chinese state-sponsored groups with the potential to cause mass disruption at the Winter Games.
Both these groups are known to play the long game, using living-off-the-land (LOTL) techniques.
Insidious Taurus is infamous for compromising America’s critical infrastructure while maintaining persistent access.
Salt Typhoon is prolific in conducting surveillance and espionage and was linked to the recent compromise of telecommunication links of high-profile members of the US parliament, including US President Donald Trump and Vice President JD Vance.
Palo Alto Networks expects either or both to target the Milano-Cortina 2026 Winter Games.
Cybersecurity tips for Winter Games 2026 defenders
Defenders must deploy comprehensive tooling to gain full visibility from network to endpoint to cloud, and map internal and external attack surfaces to all assets and connections.
Palo Alto Networks recommends applying AI and machine learning to filter out noise and monitor security logs.
Organisations should accelerate zero trust adoption by fully eliminating implicit trust, enforcing least-privilege access and continuously verifying users and devices.
Enterprises would do well to implement MFA, just-in-time access and continuous monitoring to reduce attack surfaces.
Using AI-driven automation to cut response times from hours to minutes is critical to ensure safety.






