In February 2014, when Russia hosted the Winter Olympic Games at Sochi in the country's southwest, its athletes won an unprecedented 29 medals. Less than two years later, the World Anti-Doping Agency, the watchdog for drug use in international sport, took aim at that performance, saying it rested on a massive doping conspiracy directed by the Russian government.
Russia's reaction was quick — and also unprecedented. Soon, its intelligence agency was hacking into WADA's computer system.
Now, as the next Winter Games begin in South Korea without the official presence of Russia, which has been banned for its cheating at the last Games, it's clear that the hack of the World Anti-Doping Agency came from the same playbook Russia has used in elections around the world, including the most recent US presidential election.
WADA announced in September 2016 that it had been hacked and that athletes' medical files had been taken and were being posted to the internet. That was only a few months after the Democratic National Committee acknowledged that its computers, too, had been hacked and its stolen emails posted on the web.
Now it's clear that the same culprit was responsible in both cases. A rare declassified joint report by the US’s National Security Agency, Central Intelligence Agency, and Federal Bureau of Investigation reached that conclusion last year, as had several internationally known cybersecurity companies.
The culprit? Russia's Main Intelligence Directorate, or GRU, the country’s largest foreign military intelligence agency. Cybersecurity companies call the GRU hackers by a variety of names, but they are most commonly known as APT 28 or Fancy Bear, and they've been operating since 2004.
According to an analysis by the Japanese firm Trend Micro, 2014–16 was a particularly active time for the GRU hackers, which it calls Pawn Storm. During that period, the group created email phishing campaigns targeting at least 12 countries' militaries, eight ministries of defense, six political parties, and seven media outlets around the world, including BuzzFeed News.
And the hackers are likely to continue their operations. "Pawn Storm is becoming increasingly relevant particularly because it is doing more than just espionage activities," Trend Micro concluded. "We can see how the group has become more adept at manipulating events and public opinion through the gathering and controlled release of information."
And not just about US politicians. Its WADA hacks were intended to tarnish the reputations of some of the best-known figures in world sports.
For US gymnast Simone Biles, Fancy Bear revealed the presence of methylphenidate in her system, a drug used to treat attention deficit hyperactivity disorder.
“Whenever you’re at the top, it’s very easy for a lot of people to bring you down,” Biles told BuzzFeed News. “I take it for a certain reason, just like if you have asthma you take an inhaler. It is what it is. I take medicine. If you have a problem, I’m sorry.”
“One of the things we’ve seen most prominently is the degree of meanness in Fancy Bear’s attacks,” Toni Gidwani, director of research at cybersecurity firm ThreatConnect, told BuzzFeed News. “The WADA breach is an example where you had sharing personal information of a bunch of athletes who were involved in the Russian doping scandal as whistleblowers or not involved at all. But we’ve seen a similar type of pattern in the way that they’ve gone after journalists and civil society activists. There’s a pretty clear intention to intimidate these people who were acting against perceived Russian interests.”
Tensions between the Russian government and WADA began in November 2015, when WADA declared that its Russian affiliate had failed at its job of adequately testing Russian athletes for performance-enhancing drugs.
The next year, Grigory Rodchenkov, who headed that affiliate, confessed to a massive state-sponsored doping scheme in the lead-up to the 2014 games and provided extensive evidence to both the New York Times and WADA itself. Rodchenkov is currently in protective custody in the US.
It’s not unusual for any sophisticated nation-state hacking group to have a wide interest in important targets around the world. But Fancy Bear is different from many because “they’re noisy,” Gidwani said. “They’re one of the more visible threat actors.”
It has also developed, in recent years, a practice of not merely gathering information but spreading it online, often in misleading ways that align with Russian interests. In 2014, as Russia was in the process of finalizing its annexation of Crimea from Ukraine, a pro-Russia "hacktivist" group believed to be a front for Fancy Bear published Ukrainian military documents. The story made few waves in the US, but was reported by Russian state media.
That was similar to what would happen to Democrats' files after they were stolen from DNC computers: Some were posted to a newly created site, DC Leaks; some were posted by Guccifer 2.0, a hacker persona who appeared online and encouraged the media to write about the documents; and some were handed to WikiLeaks, which posted batches of Democratic emails for weeks leading up to the election.
Similarly, after the GRU hackers hit WADA, a website called “Fancy Bears” — a clear reference to the name researchers had given them — began slowly leaking non-Russian athletes’ medical files. In addition to Biles's ADHD medicine, Fancy Bear revealed the use of anti-inflammatory steroids by basketball player Elena Delle Donne and tennis greats Venus and Serena Williams. All of those uses had been approved by WADA.
Though Fancy Bear has demonstrated sophisticated hacking capabilities, its penetration of both the Democratic National Committee and WADA began with a basic spear-phishing attack, in which a target is tricked into handing over their password. That's what happened with a staffer at the Democratic National Committee, and it's what led to Olympians' files being breached, according to WADA's former chief technology officer, Robert Jackson.
“Somebody at the International Olympic Committee fell for a spear-phishing email with my name on it,” Jackson told BuzzFeed News. The email, sent to around 10 people, mimicked Jackson’s email signature, though shoddily. “Colors were wrong and certain information was wrong. It asked this guy to reset his password. He fell for it. He basically gave them his password.”
Once it had gained access to a high-ranking IOC employee's email account, Fancy Bear was able to log into WADA's Anti-Doping Administration & Management System (ADAMS) database and download athletes' files, many of them American.
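The lure Jackson describes, a message carrying a real executive's name and signature that asks the recipient to reset a password, is exactly the pattern a mail gateway can screen for. The following is an added example, not code from WADA, the IOC or the article's sources: it applies four checks (display name matches a known staff member but the sending address does not, Reply-To points at a different domain than From, the subject or body contains a credential-reset lure, and links go to hosts outside the organization's domains). The staff directory, domains, addresses and both sample messages are constructed for the example.

```python
"""Heuristic screen for display-name impersonation and password-reset lures.

Added example (not from the article or any of the organizations it names).
STAFF_DIRECTORY, ORG_DOMAINS and the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical staff directory: normalized display name -> legitimate address.
STAFF_DIRECTORY = {
    "r. jackson": "r.jackson@example-wada.test",
}
# Hypothetical domains that count as "internal" for link checks.
ORG_DOMAINS = {"example-wada.test"}
# Phrases typical of credential-harvesting lures.
LURE_PATTERNS = [
    r"reset your password",
    r"verify your (account|password)",
    r"password (will )?expire",
    r"confirm your credentials",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm(name):
    """Normalize a display name for directory lookup."""
    return re.sub(r"[^a-z. ]", "", name.lower()).strip()


def screen_message(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display-name impersonation: the name is a known staffer, the address is not.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    known = STAFF_DIRECTORY.get(_norm(display))
    if known and addr.lower() != known:
        findings.append(f"display name '{display}' impersonates {known}, sent from {addr}")

    # 2. Reply-To steering replies to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 3. Credential-reset lure wording in subject or body (single-part text only).
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    for pat in LURE_PATTERNS:
        if re.search(pat, text):
            findings.append(f"credential lure: matched /{pat}/")
            break

    # 4. Links whose host is outside the organization's domains.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in ORG_DOMAINS):
            findings.append(f"link to external host {host}")

    return findings


def is_suspicious(raw, threshold=2):
    """Flag a message once it trips at least `threshold` independent checks."""
    return len(screen_message(raw)) >= threshold


# Constructed sample: a lure in the style the article describes.
PHISH = """From: R. Jackson <r.jackson@example-wada-support.test>
Reply-To: support@mail-reset.test
To: delegate@example-ioc.test
Subject: Action required: reset your password

Our IT team has detected unusual activity on your ADAMS account.
Please reset your password within 24 hours:
https://adams-login.mail-reset.test/reset?u=delegate

R. Jackson
Chief Technology Officer
"""

# Constructed sample: a routine message from the real address.
LEGIT = """From: R. Jackson <r.jackson@example-wada.test>
To: delegate@example-ioc.test
Subject: Agenda for Thursday's call

Attached is the agenda. Dial-in details are on the intranet:
https://intranet.example-wada.test/calls
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, "suspicious" if is_suspicious(raw) else "clean")
        for f in screen_message(raw):
            print("  -", f)
```

The threshold of two deliberately tolerates one odd signal on its own (a staffer mailing from a personal account, or an external vendor link), since the point is that the lure Jackson describes trips several checks at once: wrong sending domain, a reset demand and an off-domain link.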
Soon after the breach, Jackson said, he contacted international law enforcement agencies, which convinced him Fancy Bear was indeed behind the attack.
Just as the Democrats' leaked emails led to months of breathless media coverage, headlines around the world covered the American Olympians’ medical files, even though WADA had cleared them to use those drugs.
“Russian Hackers Expose Drug Use By America's Greatest Female Athletes,” Maxim wrote. “Simone & Serena Drug Use EXPOSED In Russian Hack!,” declared Radar Online. “WADA hack raises questions about therapeutic use exemptions, security,” said USA Today. And RT, the Kremlin-sponsored news channel, framed the story as “Top US athletes deny cheating after hackers show usage of banned substances.”
After the first wave of leaks, Travis Tygart, the head of USADA, WADA's American signatory, reached out to those four athletes. "It's cyberbullying at its worst, attempting to smear innocent athletes who end up being the victims," Tygart told BuzzFeed News. "Our immediate concern and compassion went out to those athletes. It's really another step when you attempt to smear and destroy clean athletes who hadn't done anything other than follow the rules."
But then Fancy Bear released another batch of American athletes’ files, to considerably less fanfare, and then a third round. Tygart’s team, overwhelmed with the number of victims, had to settle for recording a password-protected video message to those athletes. USADA has given BuzzFeed News permission to show it to the public for the first time.
Though the IOC did in fact ban Russia from formally competing in the 2018 Winter Games, citing the country's "unprecedented attack on the integrity of the Olympics," athletes who were found not to have participated in the doping scandal will be allowed to compete. Their uniforms, instead of carrying their country's flag, will be in neutral colors and identify them as "Olympic athletes from Russia." None of the IOC's multiple statements on Russian cheating mention hacking.
Remarkably, Fancy Bear returned with a handful of other leaked Olympic emails this January, mostly related to the decision to ban Russia for doping, published on the same site the group has used since 2016. When asked if Russia would face any additional punishment for repeatedly hacking Olympic entities, the IOC declined to comment, saying that “Cybersecurity is a top priority at the Olympic Games since a long time but we will not discuss details in public.”
The Kremlin did not respond to a request for comment. However, the country’s Ministry of Foreign Affairs put out a statement Wednesday that accused BuzzFeed News of participating in an “information war against Russia,” claimed Russia is “ready to help investigate cyberattacks against any affected country,” and claimed that nations that oppose its actions in cyberspace “are building up their own military cyber capabilities, conducting illegal spying and violating human rights.”
Elena Delle Donne's name was misspelled and Russia's 2014 medal count was misrepresented in an earlier version of this post.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.