This morning, the UK’s National Cyber Security Centre and the United States Justice Department accused the Russian government of carrying out cyberattacks against a number of international bodies, including the World Anti-Doping Agency and the U.S. Anti-Doping Agency. The coordinated announcements came on the heels of news that Dutch authorities had foiled a plot by Russian spies to break into the Amsterdam-based Organisation for the Prohibition of Chemical Weapons.
The revelation that agents of the Russian government hacked international sports organizations should come as no surprise, since the Kremlin’s campaign to get back at anti-doping authorities for banning Russian athletes from the 2016 Rio Olympics has been well publicized and widely known for two years now. But today’s announcements explicitly showed that Fancy Bears, an alleged hacktivist collective that obtained and published WADA data two years ago supposedly in the name of “fair play and clean sport,” were in fact simply agents of the Russian Main Intelligence Directorate (GRU). Domains associated with the group were seized and shut down by the government.
Authorities have long suspected a link between Fancy Bears and the Russian government, and a June indictment from Robert Mueller connected one Fancy Bear hacker to the attack on the Democratic National Committee. The United States indicted seven men on computer fraud charges today, all of whom work for the Russian military, and several of whom were intimately involved in the release of confidential medical information obtained from several anti-doping databases.
That information made waves. Several prominent cyclists were revealed to have applied for previously unreported therapeutic use exemptions, and other famous athletes like Serena Williams and Simone Biles also had their files published. Data on over 250 athletes from 30 countries was published, and while most of the information was not as explosive as Fancy Bears touted it to be, the leaks were significant, and British cyclist Bradley Wiggins had to defend his potentially shady TUEs.
The timing of the hack and its targets sure made the plot seem like revenge against those involved in the groundbreaking WADA report into Russia’s staggeringly complex state-sponsored doping program, although Fancy Bears instead held themselves out as a civic-minded group of hackers who cared about doping and justice, which was unlikely on its face even then. Not only do we now know that to be bullshit, but some of the leaked documents were as well—per the U.S. government, they were “modified from their original form” before being released. Fancy Bears also conducted an extensive outreach campaign to spread the hacked information, and “parroted or supported themes that the Russian government had used in its official narrative regarding the anti-doping agencies’ investigative findings.”
Fancy Bears agents allegedly carried out a spate of phishing attacks on officials from WADA, USADA, and the IAAF; if that didn’t work, they also physically traveled to their targets to try another method, which is how the spies in the Netherlands got caught. Here is a lengthy breakdown on their efforts from the Justice Department’s release:
Likely as a result of the conspirators’ failure to capture necessary log-in credentials, or because those victim accounts that were successfully compromised did not have the necessary access privileges for the sought-after information, defendants Morenets and Serebriakov, in at least one instance with the remote support of Yermakov, deployed to Rio to conduct hacking operations targeting and maintaining persistent access to Wi-Fi networks used by anti-doping officials. As a result of these efforts, in August 2016, the conspirators captured that IOC official’s credentials and thereafter used them, and another set of credentials belonging to the same official to gain unauthorized access to an account in WADA’s ADAMS database and medical and anti-doping related information contained therein. (The broader ADAMS database was not compromised in the intrusion.)
Also in 2016, a senior USADA anti-doping official traveled to Rio de Janeiro for the Olympics and Paralympic games. While there, the USADA official used Wi-Fi at the hotel and other Wi-Fi access points in Rio to remotely access USADA’s computer systems and conduct official business. While the USADA official was in Rio, conspirators successfully compromised the credentials for his or her USADA email account, which included summaries of athlete test results and prescribed medications.