{
	"id": "fb7966fa-6ec1-436c-8b4d-789e33b5c153",
	"created_at": "2026-04-06T00:08:14.176183Z",
	"updated_at": "2026-04-10T03:36:45.644584Z",
	"deleted_at": null,
	"sha1_hash": "259e4b43356e95cc44a6ae34dbb1ad803ab006de",
	"title": "Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61951,
	"plain_text": "Winter Olympics 2026: Hacktivism Surges Ahead of Protests and\r\nSuspected Sabotage\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 13:48:09 UTC\r\nThe 2026 Milan–Cortina Winter Olympics are a global stage — nearly three weeks of competition spread across\r\nNorthern Italy, with thousands of athletes from 90 countries under the constant spotlight of international media.\r\nThis visibility also makes the Games attractive to cyber threat actors, especially hacktivists who use the stage to\r\namplify their ideological narrative through disruptive attacks. Indeed, since the opening of the games on Feb 6,\r\nIntel 471 have observed a surge in pro-Russia hacktivist activity targeting entities connected to the Olympics. As\r\nevents continue to unfold, the security picture is also shaped by Russia linked advanced persistent threat (APT)\r\ngroup activity, and localized physical threats orchestrated by state-linked proxies. These large events also\r\nhistorically have triggered social activism with known or suspected links to state-backed hybrid warfare activity\r\nsuch as propaganda and disinformation operations.\r\nIn the lead up to the 2026 Winter Olympics, users on Telegram and X aligned with pro-Russian hacktivist\r\ncampaigns highlighted previous efforts from Russia-linkedAPT groups that focused on reconnaissance and\r\ntargeted attacks of the International Olympic Committee and adjacent organizations. This activity primarily\r\noccurred off the back of Russian athletes being banned from participating in the 2018 Winter Olympics as a result\r\nof the sports doping scandal and excluding Russia from the Olympics after its full-scale invasion of Ukraine in\r\n2022. The 2016 to 2020 attacks consisted of state-backed spear-phishing campaigns and the destructive Olympic\r\nDestroyer malware, but activity targeting the Olympics that has been attributed to Russia since its invasion of\r\nUkraine primarily has been aligned to low-level groups or hacktivists. This report is based on collections drawn\r\nfrom Intel 471’s Cyber Geopolitical Intelligence, which monitors for geopolitical drivers of digital risk, and\r\nAdversary Intelligence, which tracks threat actors and groups using automated collection and on-the-ground\r\nhuman intelligence (HUMINT).\r\nHacktivist claims about the 2026 Winter Olympics\r\nAmid several ongoing geopolitical events in Europe, NoName057(16), a dominant pro-Russian hacktivist,\r\nfocused its cyclical distributed denial-of-service (DDoS) attacks against Italian entities located in the Olympics’\r\nhost cities. Its initial claims behind the attacks spoke to Italy’s ongoing support for Ukraine and propaganda\r\ncommenting on the economic cost of hosting the Olympics. As the Olympic events kicked off February 6, 2026,\r\nthe group narrowed its focus and claimed to have attacked three Olympic national teams. Several similar claims\r\nemerged, including:\r\nThe NoName057(16) group taunted the head of Italy’s National Cybersecurity Agency, questioning his\r\nability to secure the country’s national infrastructure.\r\nThe BD Anonymous group announced an #Opitaly campaign and allegedly targeted websites of two\r\nItalian airports.\r\nhttps://www.intel471.com/blog/winter-olympics-2026-hacktivism-surges-ahead-of-protests-and-suspected-sabotage\r\nPage 1 of 4\n\nThe Z-Pentest Alliance and Server Killers groups claimed to attack an Italian human-machine interface\r\n(HMI) system and infrastructure in Italy, respectively.\r\nThe NoName057(16) group allegedly conducted DDoS attacks against the Lithuanian, Polish and Spanish\r\nnational Olympic committees, as well as a Cortina d’Ampezzo tourism website and Milan Malpensa\r\nAirport.\r\nPro-Russia hacktivism alliances and Kremlin connections\r\nThe Z-Pentest Alliance and Server Killers group routinely are aligned with activity observed from\r\nNoName057(16). Separately, BD Anonymous claimed its focus on Italy was due to the country not recognizing\r\nthe independent Palestine state, although it is possible the group was influenced by NoName057(16)’s posts. The\r\nimpact of NoName057(16)’s activity mostly was significant because the attacks were timed around the start of the\r\nOlympics. However, the group began claiming alleged attacks against Danish entities under its #OpDenmark tag\r\nFebruary 9, 2026, suggesting it already moved on to a new area of focus.\r\nIn December, a Joint Cybersecurity Advisory and indictments assessed the Center for the Study and Network\r\nMonitoring of the Youth Environment (CISM) — established on behalf of the Kremlin — created the\r\nNoName057(16) group as a covert project within the organization. The documents claimed officials within CISM\r\ndeveloped NoName057(16)’s proprietary DDoS tool DDoSia, paid for the group’s network infrastructure, served\r\nas administrators on NoName057(16) Telegram channels and selected DDoS targets. The indictment also alleged\r\nCyberArmyofRussia_Reborn aka Z-Pentest Alliance was founded, funded and directed by the Main Directorate\r\nof the General Staff of the Armed Forces of the Russian Federation aka GRU.\r\nBeyond cyber: protests and suspected sabotage\r\nOpen-source reports have detailed protests and railway damage in Italy linked to the Olympic Games in recent\r\ndays. The protests, which included violent demonstrations, seemingly were spurred by Italian citizens’\r\ndiscontentment with the economic situation in the country. The protestors specifically commented on cost-of-living issues in Italy and the long-term unsustainability of the Olympics. In situations where the protestors were\r\narmed and demonstrations turned violent against the police; several people were arrested. New security initiatives\r\nhave been enacted in an attempt to keep unrest from spreading throughout the country while the Olympics are\r\nongoing. Meanwhile, Italy’s transport ministry is conducting an investigation into an arson attack on the Bologna-Venice railway line that disrupted transportation for several hours. It is currently being described as a suspected\r\nact of sabotage, as severed cables and explosive devices were identified in locations “nearby.” No individuals or\r\ngroups have claimed responsibility for the attack at the time of this report.\r\nThere are distinct parallels that can be drawn between protests and reported sabotage around the 2026 Milan-Cortina Winter Olympics and what was observed in the lead up to the 2024 Paris Summer Olympics. France\r\ndeemed the reported sabotage targeting the Summer Olympics as acts of terrorism and the Italian prime minister\r\nhas not minced her words regarding the violent activity from Italians. Some have also considered the additional\r\narrest measures introduced after the physical altercations at the protests in Milan to be “repressive.”\r\nThe combination of protests, transport disruption and amplified hacktivist activity creates a familiar challenge for\r\nhost nations that can expect to face multiple pressure points at once competing for responder attention during a\r\nhttps://www.intel471.com/blog/winter-olympics-2026-hacktivism-surges-ahead-of-protests-and-suspected-sabotage\r\nPage 2 of 4\n\npeak-demand period.\r\nWhat’s next in the cyber-geopolitical nexus?\r\nThe observed prevalence of hacktivism activity in the lead up to and start of the 2026 Winter Olympics is a\r\ncontinuation of expected cyber activity around highly publicized events. Italian authorities noted the activity and\r\nclaimed to have stopped the attacks without any notable impact to the targeted entities. We cannot completely\r\ndismiss the possibility that Russian state-backed threat groups have conducted persistence attacks against entities\r\ninvolved in the 2026 Winter Olympics. However, this type of influence and the suggested need to defend Russia’s\r\nimage on the world stage likely are secondary or tertiary intelligence objectives for the Kremlin at present.\r\nWithout a dramatic reprioritization of strategic intelligence issues from Russia or other adversarial nations — such\r\nas China, North Korea or Iran — hacktivism likely will remain the most obvious and immediate threat\r\nencountered in high-profile global events. The diversity of state-aligned or adjacent cyber capabilities at these\r\ncountries’ disposal means it is no longer a requirement for more sophisticated threat groups to be deployed to\r\ncarry out cyberattacks in such instances. Russia’s offensive cyber groups will highly likely remain focused on the\r\ncountry’s hybrid warfare efforts across Europe as it relates to targeted attacks against key strategic personnel and\r\norganizations dealing with policy decision making and military contributions to Ukraine in the ongoing war.\r\nSeparately, the social activity mirroring events in France around the 2024 Summer Olympics can be characterized\r\nas a statement on the current political, economic and social climate in some European countries. With expanding\r\ndefense budgets and controversial international deals under consideration at the European Council, the cost of\r\ninfrastructure to host the Olympics certainly will remain a contentious matter. Several ongoing geopolitical issues\r\nincluding the Russia-Ukraine war and Israel’s actions in Gaza also have continued to fuel activism across Europe\r\n— notable in the sense that some established basis for civil activism creates an environment ripe for continued\r\nsocietal-led pressure against the government and state authorities. Because it is possible these collective issues\r\nculminated into a pattern of activity across the last two Olympics, protests can be expected to emerge at similar\r\nevents in the near term.\r\nThe sabotage events noted in France and Italy echo several similar attacks against transportation infrastructure in\r\nPoland and the Netherlands, as well as arson attacks against businesses in Lithuania and the U.K. in recent years.\r\nThese events largely have been suspected or directly attributed to Russia’s expanding hybrid warfare activity\r\nacross the continent. The attacks against Polish and Dutch rail lines seemingly align with initial reports about the\r\nsabotage attack in Italy, although Italian authorities have offered no suggestion that a foreign actor was involved.\r\nIt is unlikely the Bologna-Venice rail attack can be attributed to Russia, although the potential for such an attack\r\ncannot be ruled out given the general heightened security risk across Europe at the time of this report.\r\nQuick wins for organizers, partners and agencies\r\nAssume DDoS attempts and plan communications: Pre-draft outage messaging, alternate domains/status\r\npages, and escalation paths.\r\nHarden identity and email: Enable MFA everywhere possible and phishing-resistant MFA for high-risk\r\nroles.\r\nhttps://www.intel471.com/blog/winter-olympics-2026-hacktivism-surges-ahead-of-protests-and-suspected-sabotage\r\nPage 3 of 4\n\nMonitor brand abuse: Fake Olympic ticketing, travel domains, social accounts will spike during the\r\nGames.\r\nMonitor third parties: Contractors, venues, and local suppliers often have weaker security postures.\r\nSource: https://www.intel471.com/blog/winter-olympics-2026-hacktivism-surges-ahead-of-protests-and-suspected-sabotage\r\nhttps://www.intel471.com/blog/winter-olympics-2026-hacktivism-surges-ahead-of-protests-and-suspected-sabotage\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.intel471.com/blog/winter-olympics-2026-hacktivism-surges-ahead-of-protests-and-suspected-sabotage"
	],
	"report_names": [
		"winter-olympics-2026-hacktivism-surges-ahead-of-protests-and-suspected-sabotage"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c532a3a-8977-4f5e-aa4f-311e19952e2f",
			"created_at": "2026-03-24T02:00:04.630235Z",
			"updated_at": "2026-04-10T02:00:03.989041Z",
			"deleted_at": null,
			"main_name": "Z-Pentest Alliance",
			"aliases": [
				"Z-Pentest"
			],
			"source_name": "MISPGALAXY:Z-Pentest Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775792205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/259e4b43356e95cc44a6ae34dbb1ad803ab006de.pdf",
		"text": "https://archive.orkl.eu/259e4b43356e95cc44a6ae34dbb1ad803ab006de.txt",
		"img": "https://archive.orkl.eu/259e4b43356e95cc44a6ae34dbb1ad803ab006de.jpg"
	}
}