Russian Hackers Get Bolder in Anti-Doping Agency Attack
Not so long ago, the world learned about Russian cyberespionage attacks only when embarrassed government officials admitted they’d discovered the hackers silently lurking in their systems. Today, the same intruders seem to announce themselves on Facebook, via Twitter, and even on their own website covered in bear-themed clip art and gifs.
On Tuesday, a group identifying itself as Russian hackers announced that it had breached the World Anti-Doping Agency and leaked the records of American athletes, including gymnast Simone Biles and tennis stars Venus and Serena Williams. (Biles, for instance, has taken an ADHD medication since early childhood, and WADA had approved her use of it during competition.) The records show that the agency had approved the athletes' use of banned substances; they were published, after WADA had banned cheating Russian athletes from the Rio Olympics, on the website FancyBears.net and broadcast via social media accounts under the same name.
The actions seemed designed to tie the hack to the Russian group Fancy Bear, one of two teams of hackers with links to Russian intelligence agencies that the Democratic National Committee says it found digging through its files earlier this summer. Some cyberespionage experts view it all as a sign of an evolving Russian hacker mentality that’s traded stealth for flashy public dumps of adversaries’ data.
“The Russians are taking it to the next level,” says Dave Aitel, a former NSA analyst and founder of the security firm Immunity. Aitel argues that rather than hide their involvement in the anti-doping agency hack, the group may realize it can have more influence by openly claiming credit for its attacks and sending a message to other potential adversaries. “They’ve realized being covert had no advantage. … There’s no penalty for saying ‘yeah, it’s us.’”
The hackers called themselves the “Fancy Bears’ international hack team” in messages posted to their website but also say they’re members of Anonymous and use some phrases and images associated with that loosely organized hacker collective. “We are going to tell you how Olympic medals are won,” one message states. “We hacked World Anti-Doping Agency databases and we were shocked with what we saw. We do not forgive. We do not forget. Expect us.”
But in a statement on its website, WADA pins the attacks on the Fancy Bear hacking team, also known as APT28, which the security firm Crowdstrike identified as one of two Russian state-sponsored spying groups that gained access to the Democratic National Committee’s network in June. “WADA has been informed by law enforcement authorities that these attacks are originating out of Russia,” writes the agency’s director general Olivier Niggli. “WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system.”
Crowdstrike declined to comment on whether it had connected the WADA hack to Fancy Bear. But if WADA is right that the hack was in fact done by the same group—rather than by a different team of hackers assuming its name—it would signal a dramatic change in tactics. According to Crowdstrike’s analysts, Fancy Bear has actively and stealthily hacked into military, energy, aerospace, media, and government targets since the mid-2000s. But never before have they so publicly flaunted the results.
The strange events following Fancy Bear’s hack of the DNC already hinted at a shift in stance. A figure calling himself Guccifer 2.0 and claiming to be a Romanian hacktivist leaked the DNC’s stolen documents in June but left behind telltale Russian fingerprints, like his use of a Russian VPN and Russian error messages in the documents’ formatting. The security community has largely come to believe that the Romanian pseudonym was a thin pretense, even after Russian President Vladimir Putin denied that his government was involved. With the WADA hack, the Russian hackers seem to have tossed out the notion of hiding their identity altogether.
Aitel says the hackers are using their more public profile to instill a chilling effect, forcing critics of Russia or the Russian government to consider the possibility they could be hacked, too. “Now a group like WADA has to take everything they say to every person into account,” he says. “They have to think, this could leak.”
The White House has considered sanctions against Russia as a response to the DNC hack, according to the Wall Street Journal. But those sanctions haven’t been imposed—even as Guccifer 2.0 leaked 700 megabytes more DNC data yesterday—perhaps due to the difficulty of proving the ties between Russian hackers and the Russian government or other diplomatic hurdles.
The result, for the Russian attackers, may be a sense of impunity. “The lack of a credible response to most cyberattacks by the West is also contributing to the already existing deterrence problem and even encourages further aggression,” wrote analysts at NATO’s Cooperative Cyber Defense Center of Excellence in August in response to the DNC hack. “A longer-term, structural response should offer a robust deterrence strategy to ensure that these kinds of influence operations through cyberspace will no longer be seen as relatively low risk operations which come with little or no repercussions.”
After yesterday’s WADA hack, Berkeley computer security researcher Nicholas Weaver put it more simply. “So let me get this straight, ‘Fancy Bear’ is DIRECTLY claiming credit for this? Testicular fortitude,” he wrote on Twitter. “We have shown we have no strategy for deterrence in this space, so the Bears are getting Fancy with us.”