Fancy Bear resumes Olympic hacks ahead of Tokyo games

Moscow-linked threat actor APT28, also known as Fancy Bear or Strontium, is targeting anti-doping agencies and sporting organisations with fresh cyber attacks as the 2020 Tokyo Olympics draw nearer, according to Microsoft’s Threat Intelligence Centre.

The group has previously released medical records and emails stolen from sporting organisations and anti-doping officials, including the World Anti-Doping Agency (Wada).

This included Team GB Olympic records, as well as medical information relating to four-time Tour de France winner Chris Froome’s use of the banned steroid medication prednisolone under a therapeutic use exemption (TUE) waiver.

These leaks resulted in the indictment in the US of seven intelligence officials working for Russia’s GRU military intelligence agency. They were accused of “persistent and sophisticated computer intrusions affecting US persons, corporate entities, international organisations, and their respective employees located around the world, based on their strategic interest to the Russian government”.

The Russian athletics federation has been suspended from international competition since 2015 as the result of systematic doping enabled by the Russian Anti-Doping Agency (Rusada) and allegedly directed from the highest levels of government.

Hopes that Russian athletes will be allowed to compete in Tokyo remain in the balance as investigations ordered by Wada continue.

The latest attacks began on 16 September 2019 shortly after this news story broke, and Microsoft said that at least 16 national and international sporting and anti-doping bodies on three continents were targeted by Fancy Bear.

Most of these attacks were not successful, it added, and it has notified all those targeted and is now working with some of them to secure compromised accounts or systems.

The attacks use similar methods routinely used by Fancy Bear to go after its victims, including spear-phishing, password spray, exploiting internet-connected devices, and using open source and custom strains of malware.

“We believe it’s important to share significant threat activity like that we’re announcing today. We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” said Microsoft’s Tom Burt, corporate vice-president of consumer security and trust.

“We also hope publishing this information helps raise awareness among organisations and individuals about steps they can take to protect themselves.”

Microsoft’s threat intel team offered several strategies through which users can protect themselves from the kind of attacks favoured by Fancy Bear, many of which boil down to basic cyber security hygiene.

This includes enabling two-factor authentication on all business and personal accounts, enabling security alerts about links and files from potentially suspicious websites, and general user education about how to spot phishing attempts.

“Continued targeting of Olympics organisations by APT28 emphasises they have not been dissuaded by efforts to sanction and indict them. We expect the actor to aggressively target Olympic organisations in an effort to harass, intimidate, and even discredit these institutions,” said FireEye’s intelligence analysis director John Hultquist.

“As in Pyeongchang, these efforts may culminate in an attempt to disrupt the games themselves,” added Hultquist, referring to an incident in which the Opening Ceremony of the 2018 Olympic Winter Games in Pyeongchang, South Korea, was targeted by an attack that disrupted internet access, grounded drones that were taking part in a light display at the event, and took the Pyeonchang website offline.

“We should also consider this aggressive posturing is an indication that Russia has not abandoned this tool, and may be willing to use it once again in the upcoming US elections,” added Hultquist.

“Russia has historically used subterfuge, doping, espionage and clandestine options for everything from cheating in sports to rigging elections. It should come as no surprise that they are seeking an unfair advantage in a domain of competition like the Olympics,” said Sam Curry, Cybereason chief security officer.

“Expect more of this with hacking combined with espionage, bribery, blackmail, kidnapping and more. Once someone has broken the rules of engagement to pursue a victory at any cost, the on-ramp to a superhighway of more nefarious activity is open.”