Fancy Bear, the Russian-sponsored hacker group, recently conducted “significant cyberattacks” on 16 national and international sports and anti-doping organizations, and at least some of the offensives were successful, Microsoft said on Monday.
The attacks began on September 16, just days ahead of news reports that the World Anti-Doping Agency, often known as WADA, had opened proceedings against Russian athletes after finding inconsistencies in lab data. Those proceedings, which involve the manipulation of thousands of anti-doping tests, could lead to the ouster of the Russian athletes.
The attacks are only the latest brazen steps the group has taken to shield against or retaliate for allegations of cheating by Russian Olympic athletes. In 2016, WADA blamed Fancy Bear for a hack that stole confidential medical data. The hackers then published the data, which included the drug regimens of Simon Biles, Serena and Venus Williams, and other athletes, in an attempt to paint them as flouters of WADA regulations. Two years later, hackers WADA identified as Fancy Bear published private emails taken from the International Olympic Committee. The action came after Russia was banned from the Winter Olympics.
That same year, Fancy Bear struck the Olympics again with a hack that disrupted ticket sales, Wi-Fi networks, and other functions at the opening of the Winter Olympics. In an attempt to fly a false flag that implicated other nations, Fancy Bear crafted the malware used in the attack with file names and other characteristics used by North Korean and Chinese hacking groups.
Microsoft’s report on Monday didn’t identify any of the 16 sports and anti-doping organizations by name. The company did, however, say that the group behind the attacks was Strontium, Microsoft’s internal name for Fancy Bear, which is also known as APT28, Pawn Storm, Sofacy, Sednit, and Tsar Team. The company had already singled out Strontium twice in the past three months, once in July, in a post detailing the most prolific nation-sponsored hacking groups and again in August in an advisory about IoT hacks used as beachheads to more deeply access sensitive networks.
“The methods used in the most recent attacks are similar to those routinely used by Strontium to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world,” Tom Burt, Microsoft’s corporate vice president of customer security & trust, wrote. “Strontium’s methods include spear-phishing, password spray, exploiting internet-connected devices and the use of both open-source and custom malware.”
According to an indictment US prosecutors filed in 2018, when those methods fail, Fancy Bear tactics also include traveling to targets’ physical locations and hacking targets’ computer networks or hotel Wi-Fi connections. Fancy Bear is also one of two Russia-sponsored hacker groups that researchers say hacked the Democratic National Committee in 2016.
While some of the most recent attacks were successful, the majority were not, Burt said. Microsoft has notified all customers who were targeted and has worked with those requesting help. The successful attacks raise the possibility of leaks in the coming weeks or months, airing private documents that cast doubt on the legitimacy of the organizations. It also wouldn’t be surprising to see the 2020 Olympics itself targeted.
By far the most effective measure for warding off Fancy Bear attacks is to protect accounts with multi-factor authentication, ideally with physical security keys. Learning how to spot advanced phishing attacks, using services that detect malicious Web links, and keeping software and firmware up to date are also effective.