Fancy Bears release data on footballers' TUE drug use after new hack

News by SC Staff

Russian hacking group Fancy Bear, believed to be a front for Russian Military Intelligence (GRU), has leaked the names of 25 footballers given therapeutic use exemptions (TUEs) during the 2010 World Cup in South Africa and also claims 160 players failed drugs tests in 2015, reports the BBC.

Former Premier League footballers Carlos Tevez, Dirk Kuyt and Gabriel Heinze are among those named as having been given TUEs - but no England players were named. Use of TUEs is perfectly legal to treat certain medical conditions; however, naming people appears to have previously been used to discredit political opponents of Russia, with the implication that performances have been enhanced by drugs ostensibly taken for medical reasons.

Fancy Bears hacked Wada (the World Anti-Doping Agency) last year and released the medical records of athletes in September, including British cyclist Bradley Wiggins and athlete Mo Farah. The IAAF - athletics' world governing body - then said it was hacked in April this year, ahead of the recent IAAF World Athletics Championships in London, from which Russian athletes were banned due to what was viewed as state-sponsored illegal drug use.

An IAAF official who does not wish to be identified told SC that one of the organisation's member countries (which turned out to be Qatar) had its systems hacked, and thus the attacker was able to send an email containing malware from the official Qatar account to the IAAF headquarters in Monaco – which was fortunately spotted by a member of staff who had recently had cyber-security training. At that time – 2016 – the IAAF had very basic cyber-security despite having 'provoked' one of the most capable cyber-adversaries, the Russian state, by having earlier banned Russian athletes from the Olympics.

Kyle Wilhoit, senior cyber-security threat researcher at DomainTools, emailed SC to comment: "This data dump is yet another example of the importance of security measures to protect all kinds of data. While it's safe to assume the release of this information has been done for politically motivated reasons, such data being released means they could have had access to players' medical records. It is therefore not such a gigantic leap to assume that other private information about these individuals could also be accessed, compromised, and leveraged for more financially sensitive information. Additionally, this attack could be chained with something like spearphishing attacks to further target individuals."

A spokesperson for Recorded Future's Insikt Group added in an email to SC: "Previous Fancy Bear dumps were almost always retaliatory and in response to sanctions from various international sports organisations. As international pressure on Russia intensifies, with open calls to strip Russia of the World Cup in 2018 and the recent FIFA investigation into suspected prohibited substance abuse by the national soccer team, today's release was almost guaranteed to surface. The message reads very clear and loud - 'Dare to touch us, we'll come after you. Don't expect us to remain silent and maintain status quo.'"

A different perspective is provided by Javvad Malik, security advocate at AlienVault, who said: "The Fancy Bears breach illustrates how important it is to protect personal information; even more so than financial information. While financial fraud can impact individuals, there are usually safeguards in place that can help recover from a loss. However, once personal information is revealed, particularly information that can impact someone's livelihood or public image, it is not as easy to manage.

"It serves as a sobering reminder of how all organisations that process, or store any form of personal data need to have adequate threat detection and response controls in place so that any breach or potential breach can be addressed quickly to minimise the damage."

Ross Rustici, senior manager of intelligence research at Cybereason, provided a fuller critique, labelling the move a publicity stunt. He told SC: "Regardless of whether the latest data dump contains actual files, the message from this group is clear. Russia may be blamed for doping scandals in international sports on a regular basis (the most recent of which involves the 2014 World Cup team), but look at all the other countries that have issues too. No one side is worse than the other. What is lost in the rush to discuss the scandal of doping players and the stories about how Russia is back to its old tricks regarding information operations is that private citizens are being used as chess pieces in what essentially amounts to a PR game."

Rustici also points out that hacking of health records is not a new phenomenon: "'Fullz', as they are referred to on the darknet, are so bountiful that the price per record is often below US $5. Cyber-criminals used to find value in these records because they usually included private identification information such as social security numbers in the United States and write-ups that would allow for blackmail and/or social engineering. As the market became saturated, cyber-criminals started to move onto other, more lucrative endeavours. While still a popular target of hackers, medical records are now more often subject to ransom than theft."

China has also hacked at least two health care providers, stealing millions of records, says Rustici. However, he says that in this case the intention was not to monetise the records but rather, most likely, to support a counter-intelligence initiative that culminated in the hacking of the Office of Personnel Management. The ability to track and combine medical records with visa/passport information and security clearance information would greatly enhance China's ability to conduct effective espionage against US citizens, he says.

Consequently, Rustici views Russia's response to doping scandals as fundamentally different from either of these cases. Rather, the public release and repeated attempts to get the information into publications is an attempt to: "... use private information, most of which to date does not demonstrate transgressions, to change the narrative and media spotlight on its own nefarious practices. To allow states to weaponise private citizens' information opens a whole new front in the shadow wars that are taking place on the Internet. While institutions that collect and house this information need to be held accountable for increasing security practices and reducing the frequency of successful intrusions"

Finally, Rustici says the case drives the need for a discussion about societal norms and responsible journalism, saying: "The only way to prevent this style of hack from becoming the new normal is by having a concerted effort to ignore information illegally obtained that is intended to distract from an existing story. If the media cycle plays into these actors by highlighting the activity, it will only increase the frequency that this tactic is used by Russia and others to bury headlines they would rather not see."

Unfortunately, it is not possible to unknow something, so while such illegally obtained information would need to be verified by responsible media before publication, it is unlikely to be ignored simply because of its source - as the hackers will know.
