Russia 'offers to rein in WADA hackers' in exchange for dropping sport investigation

SCMagazineUK.com is being told by sources close to the Russian Presidential Administration that the Russian government is willing to help prevent further disclosures from hacks on the World Anti-Doping Agency (WADA). It has not been possible to independently verify either the claims themselves or how they might be implemented, but they would have significant implications if proven correct.

Previous WADA hacks, claimed by the Fancy Bears hacking group, exposed the confidential but legal use of potentially performance-enhancing medical drugs, taken for health reasons, by some western athletes. These are known as Therapeutic Use Exemptions (TUEs); WADA justifies them on the basis that athletes may have illnesses or conditions that require them to take particular medications, provided the medications are authorised by a doctor.

Via what is purported to be its website, Fancy Bear says that the recently published documents are just the beginning, and new revelations, no less high-profile than those already announced, may follow in the coming weeks.

Thomas Bach, head of the International Olympics Committee (IOC), has reportedly asked the Russian government to help prevent further cyber-attacks on the web-resources of WADA and the IOC.

Dmitry Peskov, Russian president Vladimir Putin's head of press-service, told SCMagazineUK.com's St Petersburg correspondent Eugene Gerden that the Russian government is aware that hackers could be located on Russian territory and that Russia may provide all the necessary support to WADA in its fight with cyber-criminals.

Gerden informed SC that unnamed sources within the Russian Presidential Administration have told him, “Further attacks on WADA and structures affiliated with it will probably end if Russia is offered guarantees that proceedings against its athletes and investigation of the entire Russian sport system by international regulators were to be dropped.”

This is quite a dramatic statement as it simultaneously implies that the Russian government is in a position to exert control over the group (if it should choose to do so), while also distancing itself from the group being a part of the Russian government.

This stance is contradicted by many western analysts who see Fancy Bear group's modus operandi and target choices as indicating it is closely associated with the Russian government, possibly even acting directly under its auspices.

SC spoke to researchers who believe that this is indeed the case, including Don Smith, who heads up the SecureWorks Counter Threat Unit (CTU) research group that has been focused on monitoring attacks from Russian Threat Group-4127 (TG-4127), which primarily targets governments, militaries and international non-governmental organisations (NGOs).

Smith said components of the threat group's operations have been reported under the names APT28, Sofacy, Sednit, Pawn Storm and Fancy Bear.

SC also spoke to CTU researcher Tom Finney who has looked at who TG-4127 is targeting, how it links back to Russia and the former Soviet state's current policies as well as how these attacks are actually being carried out.

Based on his findings, Finney concluded that it was more likely than not that it was the Russian FSB that commissioned or ordered the attacks, telling SC: “My presumption is that these guys (Fancy Bear) are government employees and that their activities are pre-authorised.”

Smith commented to SC: “If you go back and look at the historical targeting of Fancy Bear over the last 12 months – until March 10 this year – that was people from the [Russian] near abroad, defence attachés in western embassies, journalists critical of Russia, so if you had no other facts, other than that targeting, that targeting itself tells you who is likely to be the bad guy. And everything else, then, if you put all this other stuff around it, it's a poor attempt by the Russian government to put artificial distance between themselves and this activity.”

Looking specifically at who might have wanted the WADA revelations made public, Moscow is seen as the most likely culprit: the leaks came in the wake of WADA's recommendation of a blanket ban on all Russian athletes from the Olympic Games in Rio, and the resultant ban on many of Russia's athletes at the main games and on all of them from the Paralympics.

Finney added, “If you look at the speed at which the Russian embassy in London picked up the releases (on Wada revelations) and put their messages out, they were almost overlaid, like there was a planned media response to these (leaks).”

When asked if this were not clumsy concealment for such sophisticated hackers, Finney commented: “I don't think they really mind fingers being pointed at them because it can't be proven 100 percent. They are more interested in getting the information out there because the story itself then gets out there. They're saying, ‘we're being treated unfairly, we're being penalised,' [when they believe the doping issue is not so clear cut.]”

Smith concurred, adding: “Sometimes these things are put out for domestic consumption. To show his [Russian President Vladimir Putin's] people he's a strong leader, and may want to be seen to be doing this [retaliating].” Smith also suggested that the same information could have already been known about, but that by releasing the information via a hack it is more dramatic, saying, “The act of the hack lends illegitimacy to what is legitimate data.”

Back in Russia, commentators were more circumspect, with Vladislav Vorotnikov, a well-known Russian lawyer specialising in cyber-crime, telling SC that the latest cyber-attacks may be the result of a large campaign executed by Russian hackers.

Vorotnikov commented: “Such attacks are usually organised by highly professional experts and may cost thousands of dollars. It is likely that the hackers have insiders in WADA. It is also likely that these attacks would form part of a major big operation, undertaken by people with experience of working in the special services. As for Fancy Bears, this hacker group can be considered just as a cover of certain ‘heavy' people, who prefer to stay in the shadows.”

Anton Tretyakov, head of Cyberataka Enterprise, a leading Russian cyber-security company, commented, “Identification of these hackers and prevention of further attacks by them would pose serious difficulties. In the case of WADA, the hackers probably used remote Trojans (RATs) and backdoors to get access to the network, which would have allowed them to complete remote login and transfer files. During these attacks the hackers would also have used command and control commands (C2), which would help them manage the RATs in the HTTP stream.”

Barry Hensly, vice president, Counter Threat Unit (CTU) and Cyber Threat Analysis Centre (CTAC) at SecureWorks, described to SC how attribution might be achieved: “We are looking for indications of behaviour – so I don't care if IPs and domains change, I don't care if the methodology which you use to get to there, which can change, but you've got to escalate privileges, you've got to be able to do operational prep of the environment and what you are looking for and when you find it you've got to be able to figure out how to extract it. So now the behaviours – and we've got thousands of these trip wires – and they're what we're looking at to make a determinant of what the threat activity is. One focus we have is Don [Smith] and his cyber intelligence cell, and his focus is the who and the why. We have another group focussed on the what and the how. And then we have hunters, and countermeasure guys, and the hunters go in and leverage these technologies.

“Many of these attackers will go to a user name exchange server, and they know that to pull it out, the username and passwords are encrypted, so they use a tool like Mimikatz. Now we see similar tactics, but they don't use Mimikatz, they use some other tool that functions like Mimikatz, but it's not Mimikatz. And by the way that tool has a password – to run the tool you have to log in to it, to turn it on and that tool has a wrap around that is encrypted, and oh by the way, that tool has an encrypted session between it and somewhere else. And now all of a sudden you can see and draw an inference of who it is. And then you can look at other data, that this is probably a certain threat actor from a certain part of the world.

“It's important, if you now know that in an attacker's arsenal there are these 12 things – and you already knew there are these 40 things – you can be more sensitive to looking for these behaviours and act on that client's interests with a heightened sense of awareness of being concerned if these other activities are spotted, whereas, say, before, you would never have been concerned about someone using a remote desktop protocol, as a SysAdmin, to remotely manage someone, but now if that was one of your attacker's techniques that they used, you'll look at everyone doing that.”
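Hensly's point that detection should key on behaviour (privilege escalation, an admin protocol used by the wrong account) rather than on IPs and domains that an attacker rotates freely can be shown with a small rule set. The following is an added example written for this article, not SecureWorks' tooling or anything from the page; it runs over constructed, simplified logon events (a one-line-per-event format invented for the example, not real Windows log output), assumes a hypothetical baseline of accounts allowed to use RDP, and flags an RDP logon by an account outside that baseline, or one followed shortly by a grant of special privileges, regardless of the source address.

```python
"""Behaviour-based detection over constructed Windows-style logon events.

Rules key on what was done, not where it came from:
  - rdp_outside_baseline: interactive remote logon (logon type 10, i.e. RDP)
    by an account that is not in the known administrator baseline;
  - privilege_after_rdp:  such an account is assigned special privileges
    (event 4672) on the same host within a short window of its RDP logon.
Swapping every source IP for a new one changes none of the findings.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs); one per line:
#   <timestamp> <event_id> host=<host> user=<account> src=<source ip> type=<logon type>
SAMPLE_EVENTS = """\
2016-09-20T08:01:12 4624 host=FS01 user=j.admin src=10.0.5.21 type=10
2016-09-20T08:01:15 4672 host=FS01 user=j.admin src=- type=-
2016-09-20T09:12:40 4624 host=HR-PC7 user=m.clerk src=10.0.8.14 type=2
2016-09-20T21:44:03 4624 host=FS01 user=m.clerk src=203.0.113.9 type=10
2016-09-20T21:44:09 4672 host=FS01 user=m.clerk src=- type=-
2016-09-21T02:10:55 4624 host=DC01 user=svc_backup src=198.51.100.7 type=10
"""

# Hypothetical baseline: accounts whose job legitimately involves RDP to servers.
RDP_BASELINE = {"j.admin"}

LINE_RE = re.compile(r"^(\S+) (\d+) host=(\S+) user=(\S+) src=(\S+) type=(\S+)$")


def parse_events(text):
    """Parse the constructed event format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, host, user, src, ltype = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "host": host, "user": user, "src": src, "type": ltype})
    return events


def detect(events, baseline=RDP_BASELINE, window=timedelta(minutes=5)):
    """Return (rule, user, host, src) tuples; src is reported but never used as a key."""
    alerts = []
    last_rdp = {}  # (host, user) -> (timestamp, src) of the most recent RDP logon
    for ev in events:
        if ev["id"] == 4624 and ev["type"] == "10":          # interactive RDP logon
            if ev["user"] not in baseline:
                alerts.append(("rdp_outside_baseline", ev["user"], ev["host"], ev["src"]))
            last_rdp[(ev["host"], ev["user"])] = (ev["ts"], ev["src"])
        elif ev["id"] == 4672:                               # special privileges assigned
            key = (ev["host"], ev["user"])
            if ev["user"] not in baseline and key in last_rdp:
                rdp_ts, rdp_src = last_rdp[key]
                if ev["ts"] - rdp_ts <= window:
                    alerts.append(("privilege_after_rdp", ev["user"], ev["host"], rdp_src))
    return alerts


def with_sources_replaced(events, new_src):
    """Simulate the attacker rotating infrastructure: every source address changes."""
    return [dict(ev, src=new_src) for ev in events]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect(evs):
        print(alert)
    rotated = detect(with_sources_replaced(evs, "192.0.2.50"))
    print("same rule hits after IP rotation:",
          [a[:3] for a in rotated] == [a[:3] for a in detect(evs)])
```

The baseline account's RDP logon and privilege grant produce nothing, the clerk's interactive logon on a workstation (logon type 2) produces nothing, and the two server RDP logons by non-baseline accounts are flagged on behaviour alone, so re-running over the same events with every source address replaced yields the same rule hits. In a real deployment the baseline would come from an identity system rather than a hard-coded set, and the window would be tuned per environment.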

Hensly also raised another issue, which would apply if the hacking group were simply a group of Russian nationalist patriots, saying, “Are there ways to keep an eye on, say, nationalistic ‘cyber-weapons' experts to ensure they don't go rogue and stay in check? And what is the responsibility of the country to be held accountable for the individuals operating out of its territory?”

Editor's note: Of course, we must accept that SC may simply be getting dragged into someone else's information war, but the possibility that Russia may be stating its terms for bringing the Fancy Bear hackers to heel would have widespread ramifications.