ThreatConnect, a prominent cyber-security firm based in Arlington (Virginia), believes the Fancy Bears Hack Team may be preparing for additional attacks against anti-doping agencies ahead of the 2018 Winter Olympic Games in PyeongChang. The cyberespionage attacks may be motivated by retaliation for the International Olympic Committee’s (IOC) decision to ban Russia from the Winter Games.
ThreatConnect identified three internet domain names registered by Fancy Bears that were intentionally similar to legitimate domain names used by the World Anti-Doping Agency (WADA), the United States Anti-Doping Agency (USADA) and the Olympic Council of Asia (OCA). The legitimate domain names for the three agencies are wada-ama.org, usada.org and ocasia.org, respectively.
Registering intentionally similar (lookalike or typosquatted) domain names is common preparation for a phishing campaign. Such domains can host pages that imitate the legitimate WADA, USADA and OCA websites, and can serve as the sender domains for spoofed email. The aim is to convince targets that the imitation is the real site so that, believing they have reached the legitimate service, they submit sensitive information such as usernames and passwords without hesitation.
Security experts recommend that users check the domain name in the address bar to confirm they are on the correct website. But when the registered name differs from the legitimate one by a single character, a transposed letter, a hyphen or a different top-level domain, the difference is easily overlooked on casual inspection.
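The lookalike-domain tactic described above can be checked mechanically rather than by eye. The following Python script is an added example written for this page; it is not ThreatConnect's tooling and does not use the domains ThreatConnect reported. It takes the three legitimate domains named on this page as a watch list, and for each candidate hostname it folds common homoglyph substitutions (digits for letters, Cyrillic look-alikes, "rn" for "m"), reduces the name to its registrable domain, and then flags embedded legitimate names, hyphen-for-dot variants, same-name-different-TLD registrations, and names within a small edit distance of a watch-list entry. All candidate hostnames in the sample are constructed for illustration.

```python
"""Lookalike-domain check for a small watch list of legitimate domains.

Added example (not ThreatConnect's tooling): each candidate hostname is
reduced to its registrable domain, common homoglyph substitutions are
normalised away, and the result is compared against the watch list by
Levenshtein distance; names that merely embed a legitimate domain, or reuse
its name under another TLD, are also flagged. All candidate hostnames below
are constructed for illustration and are not the domains ThreatConnect found.
"""
import unicodedata

WATCH_LIST = ("wada-ama.org", "usada.org", "ocasia.org")

# Tiny stand-in for the Public Suffix List; a real tool should use the full
# list (e.g. via the tldextract package) so that co.uk-style suffixes are
# handled correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.kr", "or.kr"}

# Characters commonly swapped for Latin letters in lookalike registrations:
# digits, and Cyrillic letters that render identically to Latin ones.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic c y x i
})


def normalise(label):
    """Fold a label into its plain-Latin look: NFKC, case, homoglyphs, rn/vv."""
    folded = unicodedata.normalize("NFKC", label).lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def registrable(hostname):
    """Return the registrable domain (name + public suffix) of a hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate):
    """Classify one hostname: ('legitimate'|'suspicious'|'no match', matched, reason)."""
    labels = []
    for lab in candidate.lower().rstrip(".").split("."):
        if lab.startswith("xn--"):            # decode punycode (IDN) labels
            try:
                lab = lab.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(lab)
    host = ".".join(labels)
    reg = registrable(host)
    if reg in WATCH_LIST:
        return ("legitimate", reg, "exact registrable-domain match")
    name, _, tld = reg.rpartition(".")
    for legit in WATCH_LIST:
        legit_name, _, legit_tld = legit.rpartition(".")
        # 1. legitimate domain used as leading labels: wada-ama.org.<attacker>.com
        if host.startswith(legit + ".") or ("." + legit + ".") in host:
            return ("suspicious", legit, "legitimate domain embedded under another domain")
        # 2. dots replaced by hyphens: usada-org.com
        if legit.replace(".", "-") in reg:
            return ("suspicious", legit, "legitimate domain with dots replaced by hyphens")
        # 3. same name under a different TLD: usada.net
        if normalise(name) == normalise(legit_name) and tld != legit_tld:
            return ("suspicious", legit, "same name under a different TLD")
        # 4. typo or homoglyph variant: within a small edit distance after folding
        d = levenshtein(normalise(name), normalise(legit_name))
        if d <= max(1, len(legit_name) // 4):
            return ("suspicious", legit, f"within {d} edit(s) of {legit_name} after homoglyph folding")
    return ("no match", None, "not similar to any watch-list domain")


# Constructed sample input: none of these are real Fancy Bears domains.
SAMPLE_CANDIDATES = [
    "wada-ama.org",                     # genuine
    "wada-arna.org",                    # rn -> m
    "w\u0430da-ama.org",                # Cyrillic a in place of Latin a
    "usada-org.com",                    # dot replaced by hyphen
    "usada.net",                        # different TLD
    "ocasia.org.olympic-update.net",    # embedded as subdomain
    "example.org",                      # unrelated
]

if __name__ == "__main__":
    for cand in SAMPLE_CANDIDATES:
        verdict, legit, reason = assess(cand)
        print(f"{cand:32} {verdict:11} {legit or '-':14} {reason}")
```

In practice the candidate list would come from newly registered domain feeds or certificate-transparency logs rather than a hard-coded sample, and the edit-distance threshold (here a quarter of the name length, minimum one) should be tuned per watch-list entry: short names such as usada produce more accidental near-matches than long ones.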
ThreatConnect has been tracking the Russian Fancy Bears Hack Team for the past couple of years, and it was ThreatConnect that linked the Russian hacker persona Guccifer 2.0 to the group. Guccifer 2.0 was the persona that claimed responsibility for, and leaked material from, the hack of the Democratic National Committee (DNC) email systems before the 2016 U.S. presidential election.
In September 2016, immediately following the 2016 Summer Olympic Games in Rio de Janeiro, Fancy Bears was also responsible for a hacking incident targeting WADA. The group accessed confidential medical data for athletes held in WADA's Anti-Doping Administration and Management System (ADAMS). WADA stated at the time that the access came through an IOC-created ADAMS account whose credentials had been obtained by phishing, which is the same tactic the newly registered lookalike domains would support.
The 2016 ADAMS leak showed that dozens of American athletes had tested positive for otherwise prohibited substances without the results ever being made public. The results were not published because each athlete held a therapeutic use exemption (TUE), which gives explicit permission to use a banned substance for a medical reason. In other words, the athletes complied with anti-doping rules and committed no violation. Nonetheless, Fancy Bears presented the data so as to create the perception of an American conspiracy and cover-up.
In January 2018, Fancy Bears released a series of emails taken from IOC email accounts it had illegally accessed. The communications were intended to embarrass both anti-doping officials and international sports officials, and revealed internal disagreement between the two groups over how to handle the Russian athletes implicated in the country's systematic state-sponsored doping program.
Officials with the World Anti-Doping Agency (WADA) were apparently pushing for greater independence from sports and Olympic officials. Meanwhile, officials with the International Olympic Committee (IOC) were complaining about WADA's failure to consult them before releasing details of the Russian doping investigation.
The Fancy Bears Hack Team persona is associated with the Russian intrusion group tracked as APT28, also known as Fancy Bear, Sofacy and Tsar Team. The group has been linked to Russia's military intelligence agency, the Main Intelligence Directorate (GRU).
There is no evidence thus far that Fancy Bears has used the lookalike WADA, USADA or OCA domains for malicious purposes. Registration of such domains is consistent with preparation for a phishing campaign, but it is not proof that one is under way.
Ingram, D. (2018, January 11). Russians may be planning hack to cast shadow on Olympics: researchers. Reuters. Retrieved from reuters.com/article/us-olympics-cyber/russians-may-be-planning-hack-to-cast-shadow-on-olympics-researchers-idUSKBN1F031G