In 2016, they leaked private medical records of American stars like Simone Biles and Serena Williams. In 2018, they shut off online ticketing during the Olympics’ opening ceremony in South Korea. And in 2021, governments and cybersecurity experts around the world are on edge that they might be back again for the Tokyo Olympics.
It sounds strange, but it’s true: Russian hackers have disrupted each of the Olympic Games since 2016, when Russia was suspended from full participation.
And it raises the question of whether Russia will try to disrupt the 2021 Games as well. No organization has yet offered definitive public evidence that it’s trying, but experts are still on edge.
In a public alert released Monday, the FBI warned that hackers could try a number of potential attacks to disrupt the Tokyo Games.
“The FBI to date is not aware of any specific cyber threat against these Olympics, but encourages partners to remain vigilant,” it said.
Government officials and cybersecurity experts have said the previous attacks are apparent retaliation for the International Olympic Committee and the World Anti-Doping Agency repeatedly declaring that Russia used an elaborate doping scheme to give its athletes an edge in the 2014 Olympic Games in Sochi, the first and so far only time Russia hosted the Games after the fall of the Soviet Union.
That scheme, as well as Russian officials’ attempts to block investigators from looking into it, led to Olympic officials banning the country from fully participating in all Olympics between the 2016 Games in Rio and 2022 Winter Olympics in Beijing.
But while Russia wasn’t able to compete in 2016 and 2018, the Kremlin has made its presence known through hackers working for its military intelligence agency, the GRU.
Ciaran Martin, the former head of the United Kingdom’s public cybersecurity agency, the National Cyber Security Centre, said the attacks on the Olympics reflected Russia’s willingness to send its hackers against targets that might seem off-limits for Western governments.
“When I started, we were always talking about Russia and sort of hard infrastructure, like energy,” Martin said. “Of course, some of their most brazen and impactful interventions have come after softer infrastructure: politics, sports, undermining confidence and enjoyment in some of the things that are the fabric of the West, the nonauthoritarian world. Sport fits into that.”
Russia has repeatedly denied responsibility for the hacks. But several governments, including the U.S., U.K. and the Netherlands, as well as a number of cybersecurity experts around the world, have attributed both the 2016 and 2018 campaigns to the GRU.
The NCSC, Martin’s former agency, announced in October that the GRU had been laying groundwork to hack the Summer Olympics in Tokyo last year as well, before those were delayed over the coronavirus pandemic. The NCSC declined a request for an update on whether it had seen Russia targeting the Games this month.
There’s little doubt who was responsible for the previous hacks, however. The U.S. has published extensive technical details in the form of indictments that tie them to specific GRU officers.
In 2016, the same year that the GRU hacked and released Democratic Party files to hinder presidential candidate Hillary Clinton’s campaign against Donald Trump, it also went after the World Anti-Doping Agency, the IOC-funded foundation devoted to keeping athletes from using prohibited drugs in international competition.
Almost immediately after the agency published a major report accusing Russia of doping, GRU officers went to work trying to hack a number of Olympics-related targets, successfully breaching some accounts belonging to the agency and its American affiliate, the U.S. Anti-Doping Agency, and gaining access to some athletes’ medical information.
One of the victims was Simone Biles, whose attention deficit hyperactivity disorder medication was leaked on a website set up by the hackers, leading her to write a clarification that she only used approved drugs.
“I have ADHD and I have taken medicine for it since I was a kid,” she tweeted. “Please know, I believe in clean sport, have always followed the rules, and will continue to do so as fair play is critical to sport and is very important to me.”
Another was Serena Williams, whose files indicated she had received a waiver to use an anti-inflammatory muscle medication.
The attack on the 2018 Games was different, but just as chaotic. Ahead of the Winter Games in Pyeongchang, South Korea, GRU officers cast a wide net, creating fake versions of popular Korean apps in hopes of tricking people into downloading them. They tried signing up for a mass email service to pump out phishing emails to athletes. They sent fake government warnings of earthquakes to companies that were involved in running the Games.
All of that was to help the agency spread a masterwork of malicious software that the GRU had written. Built with a number of tricks and turns to confuse researchers, it expertly replicated itself onto other computers once installed and could render victim computers inoperable.
On Feb. 9, during the Games’ Opening Ceremony, the hackers set it off. Thousands of computers used by an IT company serving the Games became suddenly unusable. Attendees couldn’t show tickets from the IOC app. The Wi-Fi at the stadium hosting the ceremony went out, and all the stadium’s internet-connected TV sets went black.
The Pyeongchang cybersecurity team only avoided a bigger catastrophe because they took emergency measures to quickly remedy the situation, moving some Olympic check-in services offline and spending the entire night hastily rebuilding their broken network.
The GRU’s malicious program, seemingly written from scratch to make it more difficult to trace, “was absolutely an attempt to screw things up,” said Craig Williams, the director of outreach at the cybersecurity company Talos, which was the first to identify the program.
“The actor behind this piece of malware went to great lengths to do it quickly and quietly,” Williams said.
Now experts have turned their attention to the Games in Tokyo, watching to see if Russia or other hackers will try to exploit them.
“I think there’s an even chance,” said John Hultquist, the director of threat intelligence at the cybersecurity company Mandiant.
“They’ve done it in the past,” he said. “Circumstances are all the same as far as Russian athletes not being allowed to compete, and we know they were prepping for it. Is it possible they’ve changed? Absolutely.”
In an emailed statement, an Olympics spokesperson said that “the IOC has helped Tokyo 2020 to take a range of measures and is making thorough preparations.” The spokesperson declined to get into specifics, saying “maintaining secure operations is the main focus, and in line with best practices for cyber security.”
It’s possible that the Tokyo Games are already disrupted enough by the coronavirus that Russia won’t be interested. Many in Japan are opposed to hosting the Games during a pandemic; spectators are banned for fear of spreading the disease. Russia may leave it alone this year, Hultquist said.
“We have to recognize Covid is a big disruptor,” he said. The GRU “could have changed the target,” he said. “Just not interested anymore.”
The Cyber Threat Alliance, a cybersecurity trade group that pools threat intelligence from its companies around the world, wrote in an assessment for the Tokyo Games that Russia’s prior actions had opened the door for state-sponsored hackers to conduct operations with little fear of consequence.
“Russian, North Korean, and Chinese state-sponsored adversaries likely pose the most significant threats to the Games,” the CTA found. “While nation-state actors have the potential to carry out a variety of different types of operations, we judge that disruptive attacks and disinformation campaigns are the most likely.”