Cyber Security

Olympic Hackers Likely Behind DNC Breach

Experts have found similarities between tactics used in the recent WADA hack and those used by one of the DNC hackers

Illustration: Diana Quach
Sep 14, 2016 at 11:52 AM ET

The hackers who breached the Olympics’ World Anti-Doping Agency may be one of the two Russian government groups that recently hacked the Democratic National Committee, experts say.

The hack, which WADA confirmed Tuesday as genuine, shows the drug test results of several top-tier American Olympians, including gymnast Simone Biles and tennis stars Venus and Serena Williams. Those results indicated the athletes used permissible drugs, like cortisone for Serena Williams and ADHD medication for Biles.

Clearly, any patriotic Russian could have issue with WADA, which, relying on whistleblowing from Russian runner and Olympic hopeful Yuliya Stepanova — “Judas,” according to President Vladimir Putin — banned scores of Russians from competing in the 2016 Summer Games. But there is strong evidence that the hackers are the same group that hacked the DNC this summer.

Given how hard it is to reliably identify an advanced nation-state hacker, cybersecurity analysts look for attacker patterns, and when they believe they’ve identified a regular actor, designate it an Advanced Persistent Threat. Cybersecurity company Mandiant, for example, in 2013 famously named APT 1 as originating from a particular People’s Liberation Army building outside of Shanghai. The U.S. Department of Justice later charged five Chinese military hackers believed to work in that building, despite the unlikelihood China would extradite them.

In June, hired by the Democratic Party to investigate its servers, cybersecurity company CrowdStrike announced that it had identified two independent groups that had gained unauthorized access: APT 28 and 29 — two long-studied groups — which the company nicknamed Fancy Bear and Cozy Bear respectively. The next day, an online character named Guccifer 2.0 began a slow leak of DNC documents. Guccifer 2.0 claimed to be a rogue hacktivist, but his story was inconsistent. Despite claiming to be Romanian, a number of factors pointed toward him being a native Russian speaker with access to Russian VPN services, and experts found his description of how he hacked the DNC unlikely.

WADA soon knew it was a target. On August 15, the organization reported it was being targeted by a spearphishing campaign, in which an attacker, pretending to be someone familiar or trustworthy, attempts to dupe someone into clicking a malicious link or sharing personal or login information. The emails came from two misleading domains, wada-awa.org and wada-arna.org.
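The two domains in that campaign differ from a genuine-looking domain by a single substituted letter ("awa") and by a pair of letters that many fonts render almost identically to "m" ("rn" in "arna"). A mail-triage check that catches both patterns, written here as an added example that is not part of the article and is not ThreatConnect's or WADA's tooling, is shown below. It assumes wada-ama.org as the trusted domain to compare against (an assumption; the article never names WADA's legitimate domain), and the mail headers it scans are constructed for illustration.

```python
"""Flag sender domains that look like a trusted domain (defensive triage aid).

Added example; the trusted domain and the sample headers are assumptions,
not values taken from the article.
"""
from __future__ import annotations

import re

# Assumed legitimate domain for illustration only.
TRUSTED_DOMAIN = "wada-ama.org"

# Character sequences that read alike in common fonts and mail clients.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse common look-alike sequences."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and adjacent swaps."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition (e.g. "wdaa" for "wada") costs one edit.
            if i > 1 and j > 1 and prev2 is not None and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_score(domain: str, trusted: str = TRUSTED_DOMAIN) -> int:
    """Distance between the normalized candidate and the trusted domain (0 = identical after normalization)."""
    return damerau_levenshtein(normalize(domain), normalize(trusted))


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN, max_distance: int = 2) -> bool:
    """True when the domain is not the trusted one but sits within max_distance edits of it."""
    if domain.lower().strip().rstrip(".") == trusted.lower():
        return False
    return lookalike_score(domain, trusted) <= max_distance


# Pulls the domain part of every From: header line.
SENDER_PATTERN = re.compile(r"^From:\s*.*?@([A-Za-z0-9.-]+)", re.IGNORECASE | re.MULTILINE)


def flag_senders(mail_headers: str, trusted: str = TRUSTED_DOMAIN) -> list[tuple[str, int]]:
    """Return (domain, distance) for every From: domain that looks like `trusted`."""
    hits = []
    for domain in SENDER_PATTERN.findall(mail_headers):
        if is_lookalike(domain, trusted):
            hits.append((domain, lookalike_score(domain, trusted)))
    return hits


# Constructed sample headers (not real messages) using the two domains the article names.
SAMPLE_HEADERS = """From: WADA Compliance <notice@wada-awa.org>
Subject: Updated testing schedule
From: Anti-Doping Office <admin@wada-arna.org>
Subject: Please confirm your credentials
From: Athlete Support <help@wada-ama.org>
Subject: Newsletter
From: Colleague <colleague@example.org>
Subject: Lunch
"""

if __name__ == "__main__":
    for domain, distance in flag_senders(SAMPLE_HEADERS):
        print(f"lookalike sender domain: {domain} (distance {distance})")
```

Normalizing before measuring distance is what catches "wada-arna.org": after "rn" collapses to "m" it is identical to the trusted name, so a plain edit-distance check with a threshold of one would still miss it without the homoglyph step. The threshold of two edits is a triage setting; raise it and short domains start colliding with unrelated ones, so review the hits rather than blocking on them automatically.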

ThreatConnect, a cybersecurity company that previously analyzed metadata of Guccifer 2.0 emails to Vocativ, found that activity surrounding those two domains, as well as a third domain registered by the same email address as wada-arna.org, echoed tactics previously used by APT 28.

“We took the indicators that they shared and we built it out,” Rich Barger, Director of Threat Intelligence at cybersecurity firm ThreatConnect, told Vocativ. “We fell short of saying 100% this is them, but it certainly had interesting ties with some of the ways that the infrastructure was established and set up.” 

The head of intelligence at a second prominent cybersecurity company told Vocativ they also suspected the WADA hackers are APT 28, but were still conducting analysis before publicly stating their findings.

WADA itself, in its release, said that it “confirms” APT 28 as the culprit, though it didn’t explain how, and didn’t respond to Vocativ’s request for more information.

As if to mock American analysts — or perhaps as a statement of just how bold they’ve gotten — the WADA hackers have chosen to call themselves, on their website, “Fancy Bear’s hack team.” This makes things confusing to anyone previously familiar with Fancy Bear as CrowdStrike’s nickname for APT 28. They also refer to themselves as Anonymous. But given that Anonymous is more of a self-designation than a formal hacktivist group, that doesn’t prove much.

“They’re certainly having fun with it,” Barger said. “They say they’re hackers and part of Anonymous. That gives them cover.”

As it has done with the DNC hack, which members of the U.S. intelligence community widely accept was perpetrated by Russian government forces, Russia has denied any involvement in the WADA hack.

“There can be no talk about any official or government involvement, any involvement of Russian agencies in those actions. It’s absolutely out of the question,” Dmitry Peskov, a spokesperson for Russian President Vladimir Putin, told the Associated Press. “Such unfounded accusations don’t befit any organization, if they aren’t backed by substance.”