Whenever there's a big event like the Olympic Games, there's a concern that fraudsters will target spectators and attempt to compromise their digital security. That's why we at The State of Security published some tips on how attendees of the 2016 Summer Olympics in Rio de Janeiro, Brazil could avoid getting hacked and defend themselves against computer criminals' traps.
Most of us are inclined to focus on protecting the information security of unsuspecting visitors. We don't think about attackers setting their sights on the Games themselves, but it does happen. Just this year, a group of actors launched a sustained distributed denial-of-service (DDoS) attack against organizations affiliated with the Olympics that lasted for several months. Fortunately, those organizations were prepared. By leveraging anti-DDoS mitigation technologies, they were able to carry out the Games without a hitch.
Not every defender encountered success, however. A month after the closing ceremony, news emerged of attackers hacking into the databases of the World Anti-Doping Agency (WADA), an organization which stores records on all of the Olympic athletes. Here's how the hack has unfolded so far.
September 13, 2016
WADA issues a statement in which it confirms that a Russian hacktivist group known as APT28 gained unauthorized access to its Anti-Doping Administration and Management System (ADAMS) and published the medical information of several U.S. athletes online. Data leaked on fancybear.net demonstrates that gymnast Simone Biles, tennis players Serena and Venus Williams, and other U.S. athletes received permission to participate in the Rio 2016 Olympics despite testing positive for banned substances. In its statement, the Agency says it suspects APT28 sought revenge for its ban of Russia's entire track and field team from the 2016 Summer Olympics:
"WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system. WADA has been informed by law enforcement authorities that these attacks are originating out of Russia. Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency’s independent McLaren Investigation Report."
For its part, Russia asserts it had nothing to do with the hack. Dmitry Peskov, spokesperson for Russian President Vladimir Putin, released a statement to that effect on Tuesday. As quoted by RT:
"It can be stated with all certainty that there is no involvement of the official Moscow, [Russian] government or special services in such actions. This is completely ruled out. These unfounded allegations … do not honor any organization, if they are not backed by something substantial. I do not know whether those who came out with such statements possess any substantial arguments."
September 14, 2016
APT28 releases a second batch of medical information for 25 athletes in total: 10 from the United States, five from Germany, five from Great Britain, one from the Czech Republic, one from Denmark, one from Poland, one from Romania, and one from Russia. Minister Vitaly Mutko says that by releasing Russian boxer Misha Aloyan's medical information, the hackers prove they consider Russian athletes fair game. As shared by RT:
"We’re not protected ourselves, as you can see. I know that Niggli [Director General of WADA] reached our government, and we will [protect ourselves] as our [security] agencies to work on it."
Mutko goes on to announce he will ask Russian federal law enforcement authorities to help WADA in identifying the actors behind the attacks.
September 17, 2016
Another round of leaked data reveals three Australians – rowers Kim Brennan and Alex Belonogoff, and track cyclist Jack Bobridge – received permission to participate in the Olympics despite taking substances that are banned by the International Olympic Committee. Each of the athletes obtained a Therapeutic Use Exemption (TUE), meaning they could use the substances to treat certain medical conditions. Brennan takes medication for rheumatoid arthritis and, along with Belonogoff, carries an EpiPen to treat anaphylaxis. The hacktivist group also exposed the information of British gold medal-winning cyclist Laura Trott, Spanish swimming gold medalist Mireia Belmonte, and six other athletes from around the world.
September 19, 2016
The hacker group releases its fourth batch of WADA drug results for 26 well-known athletes from Great Britain, Denmark, Germany, Australia, Spain, and elsewhere. Included in the data dump are Mo Farah, a track and field athlete from Great Britain who defended his 5,000-meter and 10,000-meter Olympic titles in Rio de Janeiro, and Rafael Nadal, a Spanish tennis player who has won nine French Open titles. Meanwhile, Russian President Vladimir Putin denounces the hackers but says their data dumps have revealed important information. As reported by The Associated Press:
"[W]e don't approve of the hackers' action, it has helped reveal that people, who took part in the Olympics and looked absolutely healthy, had taken banned medicines giving them an edge in competition."
He also accuses WADA of banning some athletes from the 2016 Paralympic Games, an action which he condemns as "dishonest, hypocritical and cowardly."
Conclusion… For Now
We will continue to update this post with further developments. If you think we’ve missed something, please let us know in the comments!