author photo
By Bruce Sussman
Fri | Nov 1, 2019 | 8:45 AM PDT

Cybersecurity researchers just called out Russia for launching cyberattacks against "16 national and international sporting and anti-doping organizations across three continents."

The post from the Microsoft Threat Intelligence Center offers few details, however, SecureWorld has uncovered a trail of deceit, lies, and social engineering which Russia used against its Olympic enemies a few years ago.

It's the kind of thing Hollywood would put on the big screen or Netflix would put onto every screen with the label "based on a true story."

The page-turning details come straight from a U.S. government indictment last year of seven Russian military officers. They are accused of hacking those organizations which Moscow viewed as Olympic adversaries.

Russian agents even traveled the globe to track and then hack their targets. Here is the story. 

The cyber attack setup: Russian Olympic athletes banned for doping

In July 2016, just before the Summer Olympic Games in Rio de Janeiro, Brazil, something called the McLaren Report came out. It detailed Russia's "Institutionalised Doping Conspiracy and Cover Up," revealing how Russian athletes hide doping efforts and appear clean even if they are not. 

[RELATED: See the final McLaren Report on athlete doping]

After arbitration, 111 Olympic athletes from Russia quickly found themselves banned from competing in the summer games in Rio.

Russia was embarrassed, denied the allegations, and apparently was out for revenge.

The Russian military's intelligence division, the GRU, began hunting the world for those who had made it look bad.

Russian cyber attacks aimed at anti-doping agencies and experts

Russia's GRU launched cyberattacks against anti-doping experts and agencies involved, including the World Anti-Doping Agency, the United States Anti-Doping Agency, and the Canadian Centre for Ethics in Sport, which is the Canadian anti-doping organization.

The Russian hackers also targeted anti-doping officials at sporting federations like the IAAF and FIFA.

At first, the indictment says, the seven Russian intelligence officers applied typical tools of the cyber spy and hacking trade:

  • they used fictitious personas to hide their true identities
  • used proxy servers to hide their true location
  • researched victim details
  • sent spearphishing emails that tried to get people to click fake links or open documents that would install malware
  • where this worked, they then "compiled, used, and monitored malware command and control servers" which could help them track and steal information

When remote hacking fails, Russian hacking teams travel to their targets

The only problem with these traditional hacking methods is that they typically require the target to take action, to fall for an impostor. And as we've heard at our cybersecurity conferences across North America, would-be victims are getting smarter and many hackers are having to get more creative in their attacks.

In this case, the U.S. indictment says, Russian intelligence officers traveled the globe to track their targets, watched for them to connect to a Wi-Fi network, and then hacked them when they thought everything was secure.

Russian intelligence agents hack attendee at an anti-doping conference

What better place could there be to find your anti-doping enemies than the World Anti-Doping Association (WADA) conference?

So that's where two of the Russian intelligence officers traveled, and just like a movie, they were within a short distance of their cyber target. Perhaps they were in the hotel lobby at the same time. 

Remember all the warnings we hear that hotel Wi-Fi is insecure? Well, read on as the Russian agents track an employee of the CCES, Canada's anti-doping organization:

"In mid-September 2016, WADA hosted an anti-doping conference in Lausanne, Switzerland. On September 18, 2016, defendants Morenets and Serebriakov traveled to Lausanne with equipment used in close access Wi-Fi compromises. On or about September 19, 2016, Morenets and Serebriakov compromised the Wi-Fi network of a hotel hosting the conference and leveraged that access to compromise the laptop and credentials of a senior CCES official staying at the hotel. Other conspirators thereafter used the stolen credentials to compromise CCES's networks in Canada...."

And just like that, Russia compromised another anti-doping agency, another of its Olympic enemies.

The same style of attacks happened as Russian intelligence traveled to be near anti-doping experts in other parts of the world as well, including Rio, where Russia was so badly embarrassed by the doping scandal.

Federal officials say once that phase of the attack was successful, access details were transferred to Russia for others to exploit.

What Russian hackers stole in these anti-doping cyber attacks

So what did Russia want besides usernames, passwords, and the ability to hack into email accounts of anti-doping experts and the networks of their organizations?

The U.S. indictment says they wanted and stole information on medical records, athlete drug test results, and other data, including information regarding therapeutic use exemptions (TUEs), which allow athletes to use otherwise prohibited substances for approved reasons.

Russia launches a disinformation campaign with stolen data

Russian intelligence then took that data and launched a disinformation campaign.

Wait a minute, where have we heard about this strategy before? During the 2016 U.S. presidential election. Only in this case, it was not about who would become a U.S. president.

This now turned into an effort to exonerate Russian athletes and undermine the world's anti-doping efforts. And it is also where the connection between the hacks and Russia's Fancy Bear hacking group were plain as day:

"From 2016 through 2018, the conspirators engaged in a proactive outreach campaign, using Twitter and e-mail to communicate with approximately 186 reporters about the stolen information. After articles were published, conspirators used the Fancy Bears' Hack Team social media accounts to draw attention to the articles in an attempt to amplify the exposure and effect of their message."

Mainstream news reporters were socially engineered to publish stolen information, which in turn allowed Russian-created social media accounts to share those reports as fact. 

It all sounds like the plot of a movie, doesn't it? This one could be a documentary.

[RELATED: 20 Tricks the Russians Used in the DNC Hack]

Russian cyber attackers out of reach

Like all indictments against Russian hackers still in Russia, the charges mean nothing for the individuals involved as long as they stay in their homeland. Perhaps the accused are even having a party to celebrate the newest hacking accusations against Fancy Bear.

But the charges in this case and another recent hacking indictment against Russian intelligence are part of a shift by the United States and a warning to digital foes.

[RELATED: Cyber Attack Motivations: Russia vs. China]

Comments