The International Association of Athletics Federations has announced it has suffered a data breach, which it believes was orchestrated by the APT group Fancy Bear.
The attack targeted the IAAF server that stores Therapeutic Use Exemption (TUE) applications. TUEs are the forms an athlete files in order to use substances on WADA's prohibited list that may still be taken for medical reasons but must be declared.
The IAAF says: “The presence of unauthorised remote access to the IAAF network by the attackers was noted on 21 February where metadata on athlete TUEs was collected from a file server and stored in a newly created file.”
“It is not known if this information was subsequently stolen from the network, but it does give a strong indication of the attackers' interest and intent, and shows they had access and means to obtain content from this file at will.”
The attack was detected in early January. A cyber-incident response team was subsequently contracted by the IAAF to undertake a technical investigation across IAAF systems.
The organisation has pinned the attack on hacking group APT 28/29. Despite it being widely believed that the group originates from Russia and is state-sponsored, Chris Turner,
IAAF's deputy director of PR, spoke with SC Media UK and said: “We do not state anywhere in the release that it is a Russian cyber-attack. We clearly state it was an attack made by Fancy Bear.”
Turner added: “That has been ascertained by the cyber-security company we are working with in conjunction with the national agencies mentioned in the release.”
SecureWorks' Counter Threat Unit has written a detailed analysis of the connection between the threat group and Russia's Main Intelligence Directorate (GRU), as well as of the comprehensive toolkit Fancy Bear has built to support Russian government activity beyond covert intelligence gathering, using tactics and tools such as email credential theft, exploit kits, the XAgent (also known as Chopstick) RAT, the XTunnel backchannel tool and the Scaramouche endpoint kit.
The threat report details how these tactics have been deployed to target individuals in Russia and the former Soviet states, current and former military and government personnel, military and government organisations in the U.S. and Europe, and authors and journalists with an interest in Russia.
The IAAF has consulted the National Cyber Security Centre (NCSC) and the Agence Monégasque de Sécurité Numérique (Monaco AMSN) on what it has described as a ‘complex’ remediation process.
All athletes who have applied for TUEs since 2012 are affected and have been notified of the incident. The IAAF is providing a dedicated email address through which they can contact the IAAF with any questions.
IAAF President Sebastian Coe said: “Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential,” adding: “They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation and work with the world's best organisations to create as safe an environment as we can.”
Thomas Fischer, security advocate and threat researcher at Digital Guardian told SC Media UK: “My guess is that the outcome is simply to discredit the organisation. The image of Russian athletes has been tarnished in recent times and if anything, the Russians are out to undermine any organisation they believe is discriminating against them. Some claimed that the Russian athletes that were banned or had their medals removed were using drugs for medical purposes and so by drawing attention to athletes from other nations with TUEs, it helps stir up the controversy. Albeit less likely, this could also be a ploy to blackmail the athletes.”
An IAAF task force concluded that Russia's drug testing reforms in the wake of a series of doping scandals were inadequate and recommended that it should not return to world athletics until November 2017.
This is seen by commentators such as SecureWorks as providing the motivation for a Russian attack on the IAAF, which has been subjected to an increasing number of attempted attacks, including the hijacking of its Qatar office server in November last year to send apparently legitimate emails containing malware from Qatar to its head office in Monaco, though that particular attack was spotted and prevented.