Fancy Bears

AP

Microsoft: Russian group cyberhacked sports, anti-doping organizations


Microsoft Corp. says a Russia-linked cyberhacking group has made “significant” attacks on at least 16 sports and anti-doping organizations across three continents since September.

The technology company said Monday the attacks are coming from a group associated with Fancy Bear, which has hacked into systems at the World Anti-Doping Agency and elsewhere to publish reams of confidential medical material on Olympic athletes.

Fancy Bear was among those cited in a 2018 indictment brought by U.S. officials who accused Russia of seeking revenge against WADA, the International Olympic Committee and others that penalized the country based on evidence it engineered a wide-ranging, state-sponsored doping scandal.

Microsoft says the latest round of attacks began Sept. 16, the same week reports surfaced that Russia had manipulated data it provided WADA as the agency tries to corroborate doping cases.

Microsoft did not identify which agencies had been hacked. An IOC spokesman said the IOC does not comment on cyberattack reports. WADA said there was no evidence of any breach of WADA systems.


IAAF says it has been hacked, athlete medical info accessed

AP

MONACO (AP) — The governing body of track and field has been hacked by Fancy Bears, the group that previously attacked the World Anti-Doping Agency.

The IAAF said Monday it believes the hack “has compromised athletes’ Therapeutic Use Exemption (TUE) applications stored on IAAF servers” during an unauthorized remote access to its network on Feb. 21.

TUEs are permissions for athletes to take substances that would normally be banned, and are used by athletes around the world.

“Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential,” IAAF President Sebastian Coe said. “They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation.”

The IAAF said it had been in contact with athletes who have applied for TUEs since 2012.

Context Information Security, a British security company, said in a statement released by the IAAF that it discovered the attack.

“In January 2017, the IAAF contacted Context Information Security to conduct a proactive and thorough technical investigation across its systems, which led to the discovery of a sophisticated intrusion,” the company said. “Throughout the investigation, the IAAF have understood the importance and impact of the attack and have provided us comprehensive assistance.”

WADA has previously said Fancy Bears originate from Russia, citing information from law enforcement agencies.

Russian officials have denied any links with Fancy Bears, but have praised the group’s previous publications, which they say undermined Western countries’ criticism of widespread use of banned substances by Russians. The IAAF banned Russia’s team from competing internationally in 2015 after investigations by WADA found evidence of state-sponsored doping.

Fancy Bears began posting medical records of Olympians online last year, with U.S. and British athletes making up a large proportion of those targeted. Only selected records were released, and no Russians with TUEs were named, even though records show dozens of TUEs had been granted there in recent years.

As of Monday, Fancy Bears’ website contained no mention of IAAF information.


False clues make it tough to find WADA hackers

AP

LONDON (AP) — Medical data from some of the world’s leading athletes has been posted to the web and the World Anti-Doping Agency says Russians are to blame. Even the hackers seem to agree, adopting the name “Fancy Bears” — a moniker long associated with the Kremlin’s electronic espionage operations.

But as cybersecurity experts pore over the hackers’ digital trail, they’re up against a familiar problem. The evidence has been packed with possible red herrings, including domain registration data pointing to France, Korean script in the code of the hackers’ website and a server based in California.

“Anybody can say they are anyone and it’s hard to disprove,” said Jeffrey Carr, the chief executive of consulting firm Taia Global and something of a professional skeptic when it comes to claims of state-backed hacking.

Many others in the cybersecurity industry see the WADA hack as a straightforward act of Russian revenge, but solid evidence is hard to find.

What’s known is that it was only days after scores of Russian athletes were banned from the Olympic Games that suspicious-looking emails began circulating. Purporting to come from WADA itself, the booby-trapped messages were aimed at harvesting passwords to a sensitive database of drug information about athletes worldwide. Among other things, the Anti-Doping Administration and Management System (ADAMS) carries information about which top athletes use otherwise-banned substances for medical reasons, prize information for a spurned Olympic competitor seeking to embarrass its rivals.

On Sept. 1 someone registered a website titled “Fancy Bears’ Hack Team.” A few days later, a Twitter account materialized carrying a similar name. Just after midnight Moscow time on Sept. 13, the Fancy Bears Twitter account came alive, broadcasting the drugs being taken by gold medal-winning gymnast Simone Biles, seven-time Grand Slam champion Venus Williams and other U.S. Olympians. It followed up Thursday with similar information about the medication used by British cyclists Bradley Wiggins and Chris Froome, among many others.

There is no suggestion any of the athletes broke any rules, but Russians seized on the leak as evidence that U.S. and British players were using forbidden drugs with the blessing of anti-doping officials.

“Hypocrisy,” Russia’s embassy to London tweeted in reaction to the news. Kremlin channel RT broadcast a cartoon showing a WADA official picking up a bulky American player’s steroid bottle with a smile. “All good! You’re cleared to compete!” he says.

Citing law enforcement sources, WADA said the attacks “are originating out of Russia.” Russian officials dismissed the allegation; in an email, WADA said it wouldn’t be commenting further.

With little to go on, independent investigators have still made some intriguing connections.

Virginia-based intelligence firm ThreatConnect said that whoever compromised WADA did so using websites registered through an obscure domain name company that also set up the fake sites used in a variety of other hacks blamed on the Kremlin, including the one that hit the Democratic National Committee. In a telephone interview, the company’s chief intelligence officer, Rich Barger, said he had been cautious at first about tying the WADA breach to Russian hackers but that “confidence is certainly growing as more and more people weigh in and lend their voice.”

Even the meaning of the name “Fancy Bears” is unclear. California-based threat intelligence firm CrowdStrike has long applied that nickname to an allegedly Russian state-backed group, but the hackers’ adoption isn’t necessarily a brazen acknowledgement of CrowdStrike’s research. It might be an attempt to hold it up to ridicule. Which interpretation the group favors hasn’t been made clear. Repeated messages to email addresses associated with Fancy Bears have gone unreturned.

Fancy Bears’ website doesn’t necessarily provide any more insight. Some of its artistry appears to have been lifted from a Russian clip art page. But tech podcaster Vince Tocce also found Korean script in the site’s code, characters which vanished shortly after he made his discovery public. In a telephone interview, he said that showed how difficult it was to take anything for granted.

Some pieces of Fancy Bears’ infrastructure were almost certainly structured to sow confusion.

The site, for example, appears to be hosted in California but was registered at an address in the town of Pomponne, east of Paris, under the name “Jean Guillalime.”

A man residing at that address, Jean-Francois Guillaume, told The Associated Press the registry information was bogus and that he was mystified as to why the hackers had picked on him.

“I have absolutely nothing to do with this,” he said, adding that he ran a consulting shop and a flower business and wasn’t particularly interested in sports. “I don’t know any Russians.”
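The two attribution moves described above, pivoting on a shared registrar (the ThreatConnect observation) and discounting registrant fields the attacker typed in freely (the bogus Pomponne address), can be written down as a small triage routine. The following is an added example, not code from the AP article, ThreatConnect or any vendor; every domain name, registrar, country code, registrant field and weight in it is constructed for illustration (the .invalid TLD is reserved and never resolves) and none of it is real WHOIS data from the WADA incident.

```python
"""Registrar-pivot triage with forgeable-field weighting (added example)."""
from dataclasses import dataclass

# Assumed weights, not a published methodology. Fields that require a third
# party to act (which registrar accepted the order, where the site actually
# resolves) get more weight than fields the registrant types in freely, which
# the article shows were fake (name and address of an uninvolved person).
WEIGHTS = {
    "registrar": 0.5,
    "hosting_country": 0.3,
    "registrant_country": 0.1,
    "registrant_name": 0.1,
}

@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str
    registrant_name: str      # self-declared
    registrant_country: str   # self-declared
    hosting_country: str      # observed from where the site resolves

# Constructed sample records (hypothetical, not real WHOIS output).
SAMPLE_RECORDS = [
    DomainRecord("leak-team-site.invalid", "obscure-registrar.invalid",
                 "J. Doe", "FR", "US"),
    DomainRecord("agency-login-portal.invalid", "obscure-registrar.invalid",
                 "Domain Admin", "PA", "NL"),
    DomainRecord("sports-news-mirror.invalid", "bigname-registrar.invalid",
                 "Registrant Privacy", "US", "US"),
]

# Constructed reference profile: infrastructure traits seen in earlier,
# separately attributed campaigns. Illustrative only.
REFERENCE = {
    "registrars": {"obscure-registrar.invalid"},
    "hosting_countries": {"NL", "DE"},
    "registrant_countries": set(),   # deliberately empty: nothing to trust here
    "registrant_names": set(),
}

def registrar_pivot(records, reference_registrars):
    """Domains whose registrar also appears in the reference set.
    This is the pivot the article describes: the registrar choice links the
    new domains to older campaigns regardless of what the registrant wrote."""
    return sorted(r.domain for r in records if r.registrar in reference_registrars)

def self_declared_fields(record):
    """Fields the registrant typed in freely. Returned for analyst review,
    never treated as evidence on their own."""
    return {"registrant_name": record.registrant_name,
            "registrant_country": record.registrant_country}

def attribution_score(record, reference):
    """Weighted score in [0, 1] of how strongly a record ties to the reference
    profile. Self-declared fields can only add to a score already supported by
    harder evidence, so a forged name or address cannot create a link alone."""
    score = 0.0
    if record.registrar in reference["registrars"]:
        score += WEIGHTS["registrar"]
    if record.hosting_country in reference["hosting_countries"]:
        score += WEIGHTS["hosting_country"]
    if score > 0:
        if record.registrant_country in reference["registrant_countries"]:
            score += WEIGHTS["registrant_country"]
        if record.registrant_name in reference["registrant_names"]:
            score += WEIGHTS["registrant_name"]
    return round(score, 2)

def triage(records, reference):
    """Rank records by score, carrying the self-declared fields alongside so
    an analyst sees what the attacker chose to claim next to what was observed."""
    rows = [(r.domain, attribution_score(r, reference), self_declared_fields(r))
            for r in records]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    print("registrar pivot:", registrar_pivot(SAMPLE_RECORDS, REFERENCE["registrars"]))
    for domain, score, declared in triage(SAMPLE_RECORDS, REFERENCE):
        print(f"{domain:32s} score={score:.2f} declared={declared}")
```

Note the design choice: the first record claims a French registrant and resolves in the United States, yet neither fact moves the score; only the registrar overlap does. That mirrors the article's point that the France and California clues are the cheapest parts of the trail to fake.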
