The same Russian hackers who hacked the email accounts of Democratic Party officials are behind the recent hacks targeting the Olympic anti-doping agency and a Russian athlete whistleblower, cybersecurity experts told NBC News.
The experts said the hacks are all part of the same covert influence campaign by the Putin regime against the U.S. government, political organizations and other perceived enemies.
ThreatConnect, a group of cybersecurity researchers who investigated the breach, says the “Fancy Bear” hacker group, which is connected to GRU, Russia’s military intelligence agency, was behind the cyberattacks two weeks ago on the World Anti-Doping Agency (WADA) and affiliated Court of Arbitration for Sport (CAS).
In a web post, ThreatConnect said a group identifying itself as Anonymous Poland (@anpoland) defaced the CAS website on Aug. 11 and leaked data stolen from WADA and CAS servers. Two days later, it said, the WADA and email accounts belonging to runner Yuliya Stepanova had been hacked through so-called “spearphishing” efforts.
“We assess that the phishing and Stepanova’s compromise most likely are part of targeted activity by Russian actors in response to the whistleblower and the WADA’s recommendation to ban all Russian athletes from the Olympic and Paralympic games in [Brazil],” ThreatConnect said. “Successful operations against these individuals and organizations could facilitate Russian efforts to privately or publicly intimidate them or other potential whistleblowers.”
ThreatConnect and other cybersecurity groups said they believe Fancy Bear did the hack and then used Anonymous Poland as a proxy to leak the stolen information, as it did with groups like Guccifer 2.0 and DCLeaks in leaks targeting the Democratic Congressional Campaign Committee and the Democratic National Committee.
John Hultquist, manager of the cyberespionage analysis team at the security firm FireEye, told NBC News he also detected Fancy Bear hacking into WADA and CAS, and alerted the organizations.
He said the spearphishing that he saw using fake domain names matched past efforts by Fancy Bear. “It was their MO,” he said. “We just don’t have enough evidence for it to stand up in court.”
Stepanova’s accounts could have been targeted to help locate her as she and her husband hide from Russian authorities in fear for their lives, ThreatConnect said. Putin has called Stepanova a “Judas” for providing explosive information on alleged state-sponsored doping.
And cybersecurity experts attributed other dark motives to Fancy Bear, which U.S. officials have blamed for cyber-attacks on Democratic Party organizations and numerous U.S. civilian and military agencies.
Said Hultquist, Fancy Bear “protects Russian interests along a lot of different lines.”
It’s also possible the hackers were seeking information that could help Russia evade future anti-doping efforts, according to Toni Gidwani, ThreatConnect’s director of research operations.
Gidwani, a former U.S. Defense Intelligence Agency official, told NBC News that the cyberattacks fit into the larger pattern of Putin using state-sponsored hackers to steal valuable information and use it as a weapon in an aggressive geopolitical power game.
In the DNC and DCCC hacks, the information was leaked publicly, embarrassing the Democratic party on the eve of its convention last month. Some U.S. authorities say that was an effort to influence the presidential race and tip the scales toward Putin’s favored candidate, Republican Donald Trump.
And while sports may seem less consequential than politics in the U.S., Gidwani said, in Russia the two have been long intertwined as the Kremlin seeks recognition and respect on the international stage. The Sochi winter games in 2014 cost the Russian government more than $50 billion and were said to be an obsession of Putin’s. And WADA and other investigators believe Moscow has invested heavily in illegal doping schemes – and efforts to evade being caught – to bolster Russian athletes’ chances of success.
“It shows the way Russia uses cyber as an instrument of national power and in ways that we don’t expect to see here in the U.S.,” Gidwani said of the WADA breach. “It serves Russia’s ends and helps it further its agenda.”
Russian officials have denied playing any role in the various hacks attributed to Fancy Bear and another hacking organization known as Cozy Bear that is believed to be sponsored by a separate Russian intelligence organization.
A senior U.S. law enforcement official involved in the investigation into the U.S. hacks had no comment, and CAS did not immediately respond to a request for comment. But WADA issued a statement Aug. 13 confirming “illegal activity” affecting Stepanova’s account.
“Unfortunately, like many organizations, WADA is not immune to attempted cyber-attacks,” it said. “Stakeholders can rest assured that the Agency takes IT security and data privacy very seriously… It should also be noted that WADA is in contact with the relevant law enforcement authorities.”
In response to questions from NBC News, WADA officials said they did not want to speculate on who was behind the cyber breach. WADA also confirmed that hackers used so-called “spearphishing” techniques to try to steal passwords from individuals to gain access to accounts that include personal information about athletes and testing results.
WADA said the hackers never breached its internal ADAMS database management system or the accounts of other athletes besides Stepanova. But Gidwani and Hultquist said that personal information purporting to be from many other athletes started mysteriously popping up online in mid-August.
-- Aggelos Petropoulos contributed to this story