Russia vs. the World Anti-Doping Association: Fancy Bear Goes to the Olympics

For Russia, the Olympic games have always been more than a sporting event. They have always had political implications, and that’s exactly what the Russian government wanted. In Soviet times, the Olympics offered the chance to show the world that Russian society could produce top quality athletes. It was their belief that this reflected positively on the Russian political system itself. It gave them a certain international prominence that was vitally important to them at the time.

Recently, however, the Olympics have become important for another reason. The games are now being used to rebuild flagging support for the Russian government among an increasingly disgruntled citizenry. As stated in their Russian Olympic Committee Development Strategy 2020, “Russian athletes inspire citizens of the country with their sports results and instill a sense of national pride and respect for Russia in them.” The internal unification of Russian citizens is especially important for Putin and the Russian state due to Putin’s sudden and precipitous drop in approval among the Russian electorate. In January of this year, Putin’s level of trust among his compatriots fell to an all-time low when it dipped to an abysmal 33.4%. In such an environment, it is not surprising to find the Russian government banking on the Olympics to save the day.

But there is a problem. We know for a fact that Russia has been doping athletes since at least 2005. How do we know? We have this information from the former head of Russia’s Anti-Doping Center himself, Grigory Mikhailovich Rodchenkov. Rodchenkov admitted to participating in an extensive, state-sponsored doping program which involved thousands of Russian athletes. His revelations have since been confirmed by the McLaren Report.

With such evidence in hand, the World Anti-Doping Association (WADA) in coordination with the International Olympic Committee (IOC) had no choice but to ban Russian track and field athletes from the 2016 Summer Olympics and all athletes from the 2018 Winter Olympics.

It should be clear from the foregoing that the Russian government didn’t see its banning from the Olympics as a simple slap on the wrist. For them, it was an unprovoked attack on Russia and its people; at least that’s what they wanted their fellow Russians to believe. With this perspective, it was not surprising that they would try to retaliate, and retaliate they did. Almost immediately after receiving the 2016 ban, they launched a successful data-stealing cyber attack against WADA. They were not shy in admitting that they were behind the theft, as they published it on a website named FancyBears.net.

Fancy Bear is the name given to a Russian-government-supported cyber espionage group that has been implicated in numerous cyber attacks around the globe. Thus, releasing the stolen data on a site with their hacking name was unusually brazen. However, if you want to get revenge, you would like the people on whom you are exacting revenge to know you were behind it. That’s the whole point.

But didn’t WADA protect this data? Sure, but this is not your average basement hacking team. They, according to sources, used realistic phishing emails which seemed to come from WADA officials. In these emails, they asked targeted individuals, individuals who had access to the WADA database, to go to a fake but legitimate-looking site and log in with their credentials. The login was sent to the hackers, who then had full access to the WADA database. Once again, this makes a strong case for protecting endpoints with top-notch security.
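As an added example (not part of the original post), here is one way a mail gateway could flag the pattern described above: a sender domain or login link that imitates the organization's real domain. The domain names, the sample message and the function names are constructed placeholders, and the last-two-labels rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's genuine domain (constructed placeholder).
PROTECTED = {"agency.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_lookalike(host):
    """True if host is not ours but is built to resemble a protected domain."""
    dom = registrable(host)
    if dom in PROTECTED:
        return False
    squashed = host.lower().replace("-", "")
    return any(edit_distance(dom, good) <= 2 or good.split(".")[0] in squashed
               for good in PROTECTED)

def review_message(raw):
    """Return (kind, host) findings for the sender and every link in the body."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if is_lookalike(sender_host):
        findings.append(("sender", sender_host))
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.append(("link", host))
    return findings

# Constructed sample message: impersonated official, fake login link, one genuine link.
SAMPLE = """\
From: "Agency Official" <official@agency-example.test>
To: staff@agency.example
Subject: Database access review

Please confirm your account at https://login.agency.example.portal.test/signin
Policy reference: https://www.agency.example/policy
"""

if __name__ == "__main__":
    for kind, host in review_message(SAMPLE):
        print(f"suspicious {kind}: {host}")
```

The substring rule is a heuristic and will also flag unrelated hosts that happen to contain the organization's name, so findings are best routed to quarantine or review instead of silent deletion.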

When Russia was banned from the 2018 Winter Olympics, the International Olympic Committee was attacked. This time, Fancy Bear leaked email communications it had stolen. It was impossible to tell if the emails were authentic or doctored because Fancy Bear has the habit of hacking in order to alter data.

To the surprise of many, in September, 2018, WADA reinstated the Russian Anti-Doping Association. They received widespread criticism for doing so. The reinstatement proved to be a bad decision. This month (December, 2019) WADA instituted the most serious ban on Russian participation in international sports to date when they found that the Russian Anti-Doping Agency (RUSADA) had deleted or altered thousands of records. In addition, they had attempted to make it appear as if Rodchenkov had concocted a scheme to extort money from athletes. Their attempt at deception did not fool WADA officials. As a result, Russia will not be able to participate in any international sporting event that is subject to the WADA code of conduct. This includes the Olympics (both the 2020 Summer Games and 2022 Winter Games), Youth Olympic Games, Paralympics, and the FIFA World Cup. They will also be prohibited from hosting any major sporting event. Vladimir Putin won’t even be allowed to attend the Tokyo 2020 games. However, Russia has until the end of the month to protest this ban.

But, according to Microsoft, Russia has been expecting this ban since earlier in the year. They noted that 16 sporting and anti-doping organizations around the world have been targeted with cyber attacks since September. That shouldn’t come as much of a surprise to those who have followed this story through the years. Microsoft also predicted that the hacking would continue. They predict that the hacking group will likely use “spear-phishing, password spray, exploiting internet-connected devices and the use of both open-source and custom malware.” The common Fancy Bear attack strategy follows this general schema.

[Figure: general schema of the Fancy Bear attack strategy]

It is unlikely that Fancy Bear would try to target the major IOC-related organizations directly. By now, these organizations are probably well-prepared to flag such attacks. It is far more likely that these hackers will target the IOC by attacking smaller firms and organizations that are obliquely connected to them. More specifically, they will seek out the endpoints (smartphones, tablets) used by employees whose firms may have permission to access the networks of these larger organizations. Once in control of the endpoint, they will work their way through the network to access the targets they need, with the ultimate goal of disrupting the 2020 Tokyo Olympic games.

No one would be more surprised than Russia if they won their appeal of the recent IOC ruling. In fact, most experts know what Russia will do next because they’ve seen what they did during the 2018 Winter Games. Their retaliation for being banned from the 2018 games took the form of an extremely well-organized cyber attack on the event. Just before the opening ceremony, Wi-Fi shut down, display monitors turned off, and the Olympic website went offline, making it impossible for people to purchase tickets. In one attack it disabled ski lifts and gates. The malware was appropriately named Olympic Destroyer.

Without being overly technical, the malware operated a lot like ransomware without asking for a ransom. It destroyed files or collected information as it wormed its way through the Olympic Games network. Kaspersky Labs gives some excellent details on how they traced the malware’s course through the network. One of the attacker’s launch points was a hotel at a ski resort. The attack began with a spearphishing attack with a weaponized Word document attachment. As I pointed out above, endpoints of companies and organizations affiliated with the Olympics were targeted. Kaspersky confirmed this by noting that “spearphishing emails were used to target the networks of official partners of the Winter Olympics. The attackers probably went to the official website to find out the names of the partner companies, figured out their domain names, collected known email addresses and started bombarding them with spearphishes.”

I mention this because nearly all cybersecurity experts expect a similar attack on the 2020 Tokyo Olympics. Here were some of the targets of the hackers who deployed the Olympic Destroyer malware. Expect similar targets in Tokyo.

[Figure: targets of the Olympic Destroyer attackers]

In some ways, it appears that Fancy Bear pulled its punches in its attack. Kaspersky claims it could have been much worse and that maybe it was only a trial run. If this is so, then the upcoming attack on the 2020 Olympics could be truly devastating. This is because Tokyo is planning to highlight its technology in the upcoming games and, no doubt, there will be even more endpoints for Fancy Bear to use as entrance ways into the Olympic network. This attack is probably underway as you read this. It will be triggered later. Tokyo realizes the threat but odds are they will not be able to stop it. In cyberattacks, the advantage is always on the side of the attackers. Good luck, Tokyo.