Over the last six weeks, the Russian attack group known as Fancy Bear has targeted more than a dozen organizations in the sports and anti-doping communities with spear-phishing and other attacks as athletes preparing for the 2020 Summer Olympics begin to enter the doping control system leading up to the games.
The attacks began just a few days before the World Anti-Doping Agency (WADA), which enforces anti-doping regulations for sports around the world, announced potential new sanctions against Russia for alleged doping violations. Russia has had a long history of such sanctions, including a ban that prevented its athletes from competing in the 2018 Winter Olympics under the Russian flag. In mid-September, Microsoft detected a new wave of attacks by Fancy Bear, also known as Strontium and APT28, that targeted sports and anti-doping organizations in a number of different countries.
“Some of these attacks were successful, but the majority were not. Microsoft has notified all customers targeted in these attacks and has worked with those who have sought our help to secure compromised accounts or systems,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said.
“The methods used in the most recent attacks are similar to those routinely used by Strontium to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world. Strontium’s methods include spear-phishing, password spray, exploiting internet-connected devices and the use of both open-source and custom malware.”
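Of the methods Burt lists, password spray is the one that hides best in ordinary sign-in noise, because each targeted account sees only one or two failures. The detector below is an added example written for this article, not Microsoft's code or anything the article describes in detail; the log format (ISO timestamp, source IP, username, SUCCESS/FAILURE), the sample lines and the thresholds are all assumptions chosen for illustration. It separates a spray (one source, many accounts, few attempts each) from classic brute force against a single account, and reports any account that logged in successfully from the spraying source inside the same window.

```python
"""Password-spray detection over sign-in log lines.

Added example for this article; not Microsoft's tooling. The log format,
sample data and thresholds below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed format "<ISO ts> <source_ip> <user> <SUCCESS|FAILURE>".
# First source: one failure each against five accounts, then a success (spray).
# Second source: six failures against one account (brute force, not a spray).
# Third source: a user mistyping once, then logging in (benign).
SAMPLE_LOG = """\
2019-09-16T08:00:01Z 203.0.113.7 a.smith FAILURE
2019-09-16T08:00:09Z 203.0.113.7 b.jones FAILURE
2019-09-16T08:00:17Z 203.0.113.7 c.lee FAILURE
2019-09-16T08:00:24Z 203.0.113.7 d.kim FAILURE
2019-09-16T08:00:31Z 203.0.113.7 e.wong FAILURE
2019-09-16T08:00:40Z 203.0.113.7 f.ali SUCCESS
2019-09-16T08:01:02Z 198.51.100.4 g.patel FAILURE
2019-09-16T08:01:10Z 198.51.100.4 g.patel FAILURE
2019-09-16T08:01:18Z 198.51.100.4 g.patel FAILURE
2019-09-16T08:01:25Z 198.51.100.4 g.patel FAILURE
2019-09-16T08:01:33Z 198.51.100.4 g.patel FAILURE
2019-09-16T08:01:41Z 198.51.100.4 g.patel FAILURE
2019-09-16T09:30:00Z 192.0.2.9 h.chen FAILURE
2019-09-16T09:30:05Z 192.0.2.9 h.chen SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_attempts_per_user=2.0):
    """Flag sources whose failures within `window` hit at least `min_users`
    distinct accounts with a low attempt count per account.

    Returns one alert per spraying source, including any accounts that
    authenticated successfully from that source inside the same window
    (the candidates for 'compromised accounts' to investigate first).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp, then ip/user/result
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        start = 0
        for end in range(len(failures)):
            # Slide the window so it spans at most `window` of failures.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            win = failures[start:end + 1]
            users = {e[2] for e in win}
            if len(users) >= min_users and len(win) / len(users) <= max_attempts_per_user:
                win_start = failures[start][0]
                successes = sorted({
                    e[2] for e in evs
                    if e[3] == "SUCCESS" and win_start <= e[0] <= win_start + window
                })
                alerts.append({
                    "source_ip": ip,
                    "window_start": win_start.isoformat(),
                    "distinct_users": len(users),
                    "failed_attempts": len(win),
                    "successes": successes,
                })
                break  # one alert per source is enough; move on
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

The ratio test (failures divided by distinct accounts) is what keeps the single-account brute force from tripping the rule; a spray is defined by breadth, not depth. In a real tenant the source IP is a weak key, since a patient operator rotates addresses to stay under per-source thresholds, so the same logic is usually run a second time keyed on a less volatile attribute such as user agent or the network the requests arrive from.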
This kind of operation is not unprecedented, and the Fancy Bear group itself has conducted similar ones before. Last year, the Department of Justice unsealed indictments against seven officers of Russia's GRU military intelligence agency for allegedly targeting similar organizations as a way of gathering information, medical records, and other data related to investigations into Russia's state-sponsored athlete doping programs. The group then allegedly ran a disinformation campaign through social media and other channels, releasing some of the stolen medical records and other information.
“Among other instances, the indictment alleges that following a series of high-profile independent investigations starting in 2015, which publicly exposed Russia’s systematic state-sponsored subversion of the drug testing processes prior to, during, and subsequent to the 2014 Sochi Winter Olympics (according to one report, known as the “McLaren Report”), the conspirators began targeting systems used by international anti-doping organizations and officials. After compromising those systems, the defendants stole credentials, medical records, and other data, including information regarding therapeutic use exemptions (TUEs), which allow athletes to use otherwise prohibited substances,” the DOJ press release said.
The Fancy Bear attackers are known to target a wide range of organizations, often ones with political or diplomatic missions. In August 2018, Microsoft took control of several domains that Fancy Bear had registered to mimic some non-profits and the U.S. Senate, apparently in order to go after individuals associated with those organizations.