Fancy Bears' who-takes-what in sports hack list ‘manipulated’ before leak
Anti-doping body WADA says it ain't so
Hackers may have doctored athletes’ data prior to leaking it, according to the World Anti-Doping Agency (WADA).
The "Fancy Bear" hacking group has been releasing details of athletes' Therapeutic Use Exemptions (TUE*) after breaking into the systems of the fair play enforcement agency, as previously reported.
WADA, which acknowledged the breach last month soon after leaked data surfaced on Fancy Bear’s website, said on Wednesday that “not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS data” - implying some of the leaked information had been deliberately altered prior to its release.
Russia is the prime suspect in the Fancy Bear attacks, thanks in large part to bans imposed by many sports that prevented many Russian athletes from participating in the Rio Olympics. WADA itself has previously blamed a Russian hacking group for the breach, which it further condemned in its latest update.
“The criminal activity undertaken by the cyber espionage group, which seeks to undermine the TUE program and the work of WADA and its partners in the protection of clean sport, is a cheap shot at innocent athletes whose personal data has been exposed,” WADA’s statement fumes.
Fancy Bear compromised an account in WADA’s Anti-Doping Administration and Management System (ADAMS) created especially for the Rio 2016 Olympic Games. This hack facilitated access to the medical history of athletes that participated in the games.
WADA’s technical and forensic team’s current assessment is that hackers illegally accessed the Rio 2016 ADAMS Account multiple times between 25 August 2016 and 12 September 2016, using credentials obtained through a spear phishing campaign.
The broader ADAMS system was not compromised in the attack, according to WADA. In response to the admitted breach, WADA has tightened its security controls, introduced increased logging and hired FireEye Mandiant to handle incident response.
Security watchers have warned for several years of the possibility of hacking attacks involving data manipulation, and the only real surprise on that front is that the attack affected a sporting rather than a banking organisation.
Jason Hart, CTO of data protection at Gemalto, commented: “As the news that data from the WADA hack may have been manipulated shows, business leaders need to realise they are no longer just at risk from data simply being stolen. As well as exposing gaps in a company’s security, the next frontier for cyber-crime will be data manipulation. Data is the new oil and the thing most valuable to hackers.
“Businesses can make vital decisions based on incorrect or exaggerated information, or data that has been stolen can be altered to change public sentiment regarding a business or individual, which hackers can exploit for personal or financial gain,” Hart said, adding that the fact that a breach can take months to detect further exacerbates the problem.
*The TUE process allows athletes to obtain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition, such as asthma.