Microsoft said today that a group of well-known Russian government hackers has targeted at least 16 national and international sporting and anti-doping organizations ahead of next year’s Tokyo Olympics.
The attacks have taken place in the last month after the World Anti-Doping Agency (WADA) announced a possible indiscriminate ban of all Russian athletes from all sporting events, including upcoming world championships and Olympics.
Microsoft said the attacks involved spear-phishing, password spraying, exploiting internet-connected devices, and the use of both open-source and custom malware.
Responsible for the attacks is a group of Russian state-sponsored hackers that Microsoft calls Strontium, but are more widely known as APT28 or Fancy Bear.
APT28 targeted WADA in the past
The group has a long history of targeting sporting and anti-doping organizations, with the first attacks going back three years, to 2016.
Posing as an offshoot of the Anonymous hacker collective [1, 2], APT28 hacked WADA in 2016 and leaked internal emails, documents, and Therapeutic Use Exemptions (TUEs) — documents that ailing athletes file so they can take prohibited substances.
Two years later, APT28 released the OlympicDestroyer malware during the opening ceremony at the 2018 Winter Olympics in Pyeongchang, South Korea. The malware crippled some routers during the event, but did not crash the live broadcast, although it was pretty close.
Both hacks took place after the International Olympic Committee and WADA banned some Russian athletes from participating in the Rio 2016 Summer Olympics and the Pyeongchang 2018 Winter Olympics, and many considered the hacks some sort of revenge on the part of Russian authorities.
Some attacks were successful
With a new ban on the horizon for Russian athletes — even more severe than the first two — many believe APT28 is up to its old tricks, and Microsoft said it has the evidence.
According to Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft, “some of these attacks were successful, but the majority were not.”
Microsoft said it notified all customers targeted in these attacks and worked to secure compromised accounts or systems.
In late 2018, US authorities tracked down some of the APT28 hackers and charged FSB (Russian intelligence) officers who they believed were behind the 2016 WADA hacks. The officers were never arrested, and are still at large.
This is also not the first time that Microsoft has called out an APT28 hacking campaign. They previously:
- Spotted APT28 using IoT devices to breach into corporate networks
- Spotted the group targeting European political entities ahead of 2018 EU Parliament elections
- Spotted and seized domains that APT28 was planning to use to target campaigns involved in the 2018 US midterm elections