The Fancy Bear hackers, believed to be sponsored by Russia’s main intelligence arm, the GRU, are back at it and have successfully breached the International Association of Athletics Federations. The IAAF is the world governing body for track and field.
Just as with the 2016 attacks on the World Anti-Doping Agency (WADA), also allegedly perpetrated by Kremlin-backed hackers, data on Therapeutic Use Exemption (TUE) applications were targeted. TUEs allow athletes to take normally-prohibited substances where they’re required, such as when they suffer from an illness.
Sebastian Coe, an Olympic champion and current IAAF president, said the organization apologized to athletes affected by the hack, which dated back to at least February 21. It was only this weekend, however, that the IAAF and partner organizations carried out a “complex remediation across all systems and servers in order to remove the attackers’ access to the network,” according to the official statement.
On first inspection, it appeared data on TUEs was collected from a file server and stored in a newly created file, though it wasn’t clear if the information had been taken outside the network. “Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential,” said Coe.
The IAAF’s contractor, Context Information Security, discovered the breach. The find came after the security firm was asked by the IAAF in January to “conduct a proactive and thorough technical investigation across its systems, which led to the discovery of a sophisticated intrusion,” a Context spokesperson told Forbes via email. The company was confident Fancy Bear, also known as APT28, was responsible.
“The threat intelligence team at Context Information Security has tracked the tools, techniques and procedures of Fancy Bear/APT28 for a number of years, through our own investigations and through collaboration with many other cyber security researchers [and] organizations. Our findings in this investigation give us a high degree of confidence that this cyber attack can be attributed to Fancy Bear/APT28.”
In response to a question about the time it took from discovery in February to throwing the hackers off the network at the start of April, the spokesperson said the parties needed to collect forensic images to “better understand how the attacks were carried out, what information may have been compromised.” “By taking the time to fully investigate the attack, the IAAF was able to remove the attackers’ access to the network as effectively as possible,” the spokesperson added.
If the IAAF had gone public with this before the investigation was complete and before the attackers’ access was removed, the attackers may have been tipped off to the investigation and performed further malicious actions.
The Facebook page for the WADA hackers, who posted under the pluralized name Fancy Bears, has not been updated since December 2016.
Though the TUEs show athletes legally use normally-banned substances, the Fancy Bear hacks still caused trouble for some athletes. Last year’s attacks on WADA and the USADA hit huge names across a range of sports, including tennis giants Serena and Venus Williams, and Rafael Nadal, as well as cycling superstar Bradley Wiggins, who continues to contest rumors about Team Sky’s operations.
The Fancy Bear group was accused by multiple security companies, the DHS and the FBI of being sponsored by the Russian government and of carrying out the significant breach of the Democratic National Committee (DNC).