Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Hackers Dump US Olympic Athletes' Drug-Testing Results

Database Compromise Traced to Spear-Phishing Attack
Hackers Dump US Olympic Athletes' Drug-Testing Results
U.S. gymnast Simone Biles at Olympic Games Rio 2016. Photo: Agência Brasil Fotografias (Flickr/CC)

Confidential drug-testing results for four U.S. Olympic athletes have been released by a suspected Russian hacking group, one month after the World Anti-Doping Agency warned that one of its critical enforcement databases had been illegally accessed.

See Also: Considerations for Choosing an ATO (Account Takeover) Security Solution

On Sept. 13, WADA confirmed that Russian hackers known as Fancy Bear accessed the Anti-Doping Administration and Management System, which organizes drug testing schedules and is used by athletes to keep authorities up-to-date on their locations.

"WADA condemns these ongoing cyber attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system," says WADA Director General Olivier Niggli. "WADA has been informed by law enforcement authorities that these attacks are originating out of Russia."

In response to those allegations, a Kremlin spokesman denied that Russia was involved, speaking to Russian state-sponsored broadcaster RT, formerly known as Russia Today.

WADA says the leak greatly compromises "the effort by the global anti-doping community to re-establish trust in Russia," following WADA discovering that Russia has been running a state-sponsored doping program for its athletes.

Fancy Bears' Hack Team

A group calling itself Fancy Bears' Hack Team says the leaks are the start of what it's calling #OpOlympics.

Meanwhile, the attackers - who have referred to themselves as the "Fancy Bears' Hack Team," warned of more releases. "This is just the tip of the iceberg," the group said. "Today's sport is truly contaminated while the world is unaware of a large number of American doping athletes."

The leak adds to what's been an unprecedented run of high-profile leaks with seeming political intent that have come to light in the past three months, starting with the Democratic National Committee. That organization's internal emails, believed to have been compromised by Fancy Bear, were passed to WikiLeaks, causing a scandal within the Democratic Party and leading to the resignation of DNC chair Debbie Wasserman Schultz. Other Democratic Party organizations were also hacked, including Hillary Clinton's campaign team (see DNC Breach More Severe Than First Believed).

Some experts theorize that Russia is aggressively exerting its influence through low-budget but high-impact cyberattacks aimed at leaking sensitive internal information. Organizations have struggled to cope with attacks such as phishing, where users are tricked into revealing login credentials through cleverly crafted emails.

The U.S. government says it's continuing to investigate whether the Russian government is directly involved in the attacks. Several private security companies have linked Fancy Bear and another Russian group, Cozy Bear, to the DNC attacks. Many security firms suspect that Fancy Bear is linked with the GRU, a Russian intelligence agency (see Did Russia - or Russian-Built Malware - Hack the DNC?).

Politically speaking, it's no surprise that WADA would be a prime target. Prior to the Olympics in Rio, WADA recommended banning Russia's entire Olympic squad, although about two-thirds of its team was later cleared for competition. WADA's opinion came after revelations from Russian whistleblowers that the country ran an extensive, secretive doping program between 2011 and 2015, flouting international rules against using performance-enhancing drugs.

The WADA hackers set up an amusing website, www.fancybear.net, with animated bears and a background graphic meshing the headless suited symbol used by the hacktivist group Anonymous with the iconic Olympic rings. But while the site bombastically claims it has uncovered evidence of doping by U.S. athletes, it doesn't deliver.

The documents include confidential medical information for gymnast Simone Biles, the tennis duo Venus and Serena Williams, and Elena Delle Donne, who was on the U.S. women's Olympic basketball team. While the documents show the athletes tested positive for banned drugs, all had received what are known as "therapeutic use exemptions" for the medications, and those documents were included in the leak.

Travis T. Tygart, CEO of the U.S. Anti-Doping Agency, says the four athletes had adhered to global rules for clearing medication.

"It's unthinkable that in the Olympic movement, hackers would illegally obtain confidential medical information in an attempt to smear athletes to make it look as if they have done something wrong," he says.

The hacking group, however, dismissed the therapeutic use exemption documents. "The Rio Olympic medalists regularly used illicit strong drugs justified by certificates of approval for therapeutic use," it says. "In other words, they just got their licenses for doping."

Breached: ADAMS Database

The leak comes from the Anti-Doping Administration & Management System - or ADAMS database - which as of July 2014 contained profiles on more than 264,000 athletes and was actively used by 50,000 athletes worldwide.

Launched in mid-2005, the database was intended to simplify drug-testing coordination by allowing all agencies testing athletes to have access to a secure reporting system. Athletes must keep it up-to-date on their whereabouts so they can be available for testing. ADAMS also holds information on results, testing schedules and processes for hearings and appeals if an athlete tests positive.

On Aug. 13, WADA warned that the ADAMS password for Yuliya Stepanova had been obtained and her account was illegally accessed. Stepanova, a runner, participated in a German documentary broadcast in late 2014 that alleged systemic doping by Russia, which caused WADA to launch its investigation.

Other ADAMS users received suspicious emails that were designed to appear to have come from WADA, the organization said. The emails tried to convinced recipients to click on a link and then enter their account credentials, via a classic ruse known as spear phishing. It warned of two lookalike domain names, wada-awa.[org] and wada-arna.[org], and advised users to be cautious.

Attack Infrastructure Mirrored WADA

Shortly after WADA issued its warning, the computer security firm ThreatConnect published research on the domains. The company found that wada-awa.[org] used a name server provided by domain name registrar I.T. Itch. That same registrar was linked to suspicious domains that were used in the Democratic Party hacks and linked to other Fancy Bear attacks, ThreatConnect says.

WADA says it believes the latest leaks came via spear-phishing attacks that compromised an ADAMS account that was created for use by the International Olympic Committee at the Rio Games. That's because the exposed information only appears to pertain to the Rio Games. "At present, we have no reason to believe that other ADAMS data has been compromised," the agency says.

The ADAMS website is a public portal that requires users to log in using a username and password. But it's not clear if WADA has also implemented two-factor authentication, for example, requiring users to enter a time-sensitive passcode. Many web services, including Dropbox, Facebook and Twitter, have implemented that defense to help block account takeovers. But security experts say too few users employ these additional security features.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.