Threat actors have notoriously taken advantage of the Olympic Games' popularity to launch malicious campaigns. The “OlympicDestroyer” malware was the most notable, using a domain related to the Pyeongchang 2018 Winter Olympics. But the COVID-19 bubble in the 2022 Olympic Winter Games may have increased the danger, as even those living near the competition venues in Beijing followed the games online since spectators weren’t allowed without invitation. This situation could make the 2022 Olympics a prime lure for phishing, malware, and other malicious campaigns targeting online viewers.
WhoisXML API researchers examined the Domain Name System (DNS) to uncover recently added Olympics-related domains. Our analysis revealed:
You may download the complete list of Olympics-related cyber resources and their enrichment from our website.
We uncovered 1,696 domains and subdomains related to the 2022 Winter Olympics that were added from 1 January to 16 February 2022. This number yielded 1,609 unique Internet properties containing the following text strings:
Subjecting the domains and subdomains to a bulk IP geolocation lookup returned 2,248 IP resolutions for 1,410 Olympics-related cyber resources, amounting to 780 unique IP addresses. That is roughly a 2:1 ratio: on average, two domains share one IP address.
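As an added example (not part of the original post and not WhoisXML API's tooling), the following Python script shows how the two steps above can be reproduced over a constructed sample: first filter newly observed names by text string, then summarise a bulk IP lookup to get the resolved-name count, unique-IP count and the names-per-IP ratio, plus the IPs that several names share (a useful starting point for hosting-cluster review). The keyword list, the .example names and the RFC 5737 documentation IPs are all assumptions made for this example.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of newly observed domains and subdomains (not the post's data).
# Names are defanged with "[.]" the way the post writes them; IPs use the
# RFC 5737 documentation ranges, so nothing here resolves on the real Internet.
NEW_RESOURCES = [
    "beijing2022tickets[.]example",
    "winter-olympics-live[.]example",
    "login[.]olympic-stream[.]example",
    "shop[.]example",
    "pyeongchang-archive[.]example",
    "olympics2022[.]example",
]

# Text strings to match; the post's own list is not reproduced, so these are assumptions.
KEYWORDS = ("olympic", "beijing", "winter")

# Constructed bulk-lookup result: refanged name -> IPs it resolved to.
# A name missing from the table is treated as unresolved.
RESOLUTIONS = {
    "beijing2022tickets.example": ["192.0.2.10", "192.0.2.11"],
    "winter-olympics-live.example": ["192.0.2.10"],
    "login.olympic-stream.example": ["198.51.100.5"],
    "olympics2022.example": ["192.0.2.10", "198.51.100.5"],
}


def refang(name):
    """Turn the defanged form used in reports back into a real name."""
    return name.replace("[.]", ".").strip().lower()


def defang(name):
    """Defang a name so it cannot be clicked in a report."""
    return name.replace(".", "[.]")


def find_related(resources, keywords=KEYWORDS):
    """Return the unique refanged names that contain any of the keywords."""
    return sorted({refang(r) for r in resources if any(k in refang(r) for k in keywords)})


def resolution_stats(names, table):
    """Summarise a bulk IP lookup: how many names resolved, to how many
    distinct IPs, and which IPs are shared by more than one name."""
    ip_to_names = defaultdict(set)
    resolutions = 0
    resolved = 0
    for name in names:
        ips = table.get(name, [])
        if not ips:
            continue
        resolved += 1
        for ip in ips:
            ipaddress.ip_address(ip)  # reject malformed entries early
            ip_to_names[ip].add(name)
            resolutions += 1
    unique_ips = len(ip_to_names)
    return {
        "candidates": len(names),
        "resolved": resolved,
        "resolutions": resolutions,
        "unique_ips": unique_ips,
        "names_per_ip": round(resolved / unique_ips, 2) if unique_ips else 0.0,
        "shared_ips": {ip: sorted(n) for ip, n in ip_to_names.items() if len(n) > 1},
    }


if __name__ == "__main__":
    related = find_related(NEW_RESOURCES)
    stats = resolution_stats(related, RESOLUTIONS)
    print(f"{stats['resolved']}/{stats['candidates']} names resolved to "
          f"{stats['unique_ips']} unique IPs ({stats['names_per_ip']} names per IP)")
    for ip, names in stats["shared_ips"].items():
        print(ip, "<-", ", ".join(defang(n) for n in names))
```

On the constructed sample, four of six names match, all four resolve, and three unique IPs serve them (1.33 names per IP); the post's figures of 1,410 resolved resources on 780 IPs give the roughly 2:1 ratio it describes. The `shared_ips` map is the part worth keeping in a real workflow, since names co-hosted on one IP are natural candidates for checking together.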
The IP addresses are located in various countries, although 51% point to the U.S. The other countries with the highest number of IP addresses were Germany, Canada, China, Russia, Hong Kong, the Netherlands, the U.K., Brazil, and the British Virgin Islands.
Around 25% of the IP addresses were managed by Amazon, while the rest were distributed across 188 other Internet service providers (ISPs). The chart below shows the top 10 ISPs, most of which are based in the U.S., Germany, and China. Amazon took the lead, followed by Cloudflare, Hetzner, Google, Alibaba, Worldsite WS, DataWeb Global, Shenzhen Tencent, and China Internet Network Information Center.
A screenshot analysis of the domains and subdomains revealed that several were parked, while many subdomains returned error pages. Other subdomains resolved to login pages as shown below.
We also noticed that quite a few domains hosted content related to cryptocurrency, such as those below.
The presence of news websites labeled “Simcast - Powered by Microsoft News” was quite interesting since similar content was observed when we analyzed crypto-related cyber resources in our Crypto DNS Report.
Although the domains and subdomains were only added to the DNS recently, a few were already being flagged as malicious, including beijingxclq[.]com and beijingzhengwuyun[.]com.
Other possibly suspicious properties were found using domain and WHOIS heuristics and pivoting off relevant WHOIS details. For one, beijingxclq[.]com appears to have been created using a repetitive pattern. Several domains in the study seemed to be so as well, including:
On the other hand, a reverse WHOIS search using the nameserver and registrant country of beijingzhengwuyun[.]com and the text string “beijing” returned 92 domains.
Replacing the nameserver parameter with that of beijingxclq[.]com returned 165 additional domains.
Threat actors will continue to use major sporting events like the Olympics to lure the public to their malicious sites. In fact, suspicious and interesting Internet properties tend to appear in the DNS weeks or months before such an event, so DNS monitoring may help people stay safe from malicious campaigns.
If you are a threat researcher or cybersecurity professional interested in the Internet properties presented in this study, please contact us to learn more about our cyberthreat intelligence sources and possible research collaboration.