CIO

Microsoft: Fancy Bear hackers hit 'at least' 16 anti-doping agencies last month

  • Liam Tung (CSO Online)
  • 29 October, 2019 08:34

Kremlin-backed hacking group Fancy Bear (aka APT28 or Strontium) launched cyberattacks on at least 16 anti-doping authorities last month just before news that the World Anti-Doping Agency (WADA) could ban Russia from all major sporting events, according to Microsoft. 

Microsoft says the attacks it detected began on September 16, about a week before WADA’s 12-member executive committee meeting in Tokyo was to take place. The committee raised concerns over “inconsistencies” in data from the Russian Anti-Doping Agency’s (RUSADA) Moscow laboratory, which led to a compliance procedure against the agency on 17 September.

Tom Burt, Microsoft’s corporate vice president of customer security and trust, said some of the attacks were successful, but most were not.

“Microsoft has notified all customers targeted in these attacks and has worked with those who have sought our help to secure compromised accounts or systems,” said Burt.

Microsoft has chosen not to identify which of its customers were targeted. News of the attacks comes as Japan gears up to host the Tokyo Summer Games in 2020.

The September attacks are just the latest tangle WADA and anti-doping agencies have had with Fancy Bear hackers. 

In September 2016, following the Rio 2016 Summer Olympics, the hacking group leaked therapeutic use exemption certificates of three Australian athletes, as well as athletes from Denmark, Germany, Spain and the UK. Two months later the group leaked emails of senior anti-doping officials that revealed allegations of drug use by US athletes.

WADA in July 2016 released the McLaren Report, detailing Russia’s efforts to undermine drug-testing prior to the 2014 Sochi Winter Olympics. Further investigations resulted in 111 Russian athletes being banned from the Rio Olympics.

Those cyberattacks led to the US Department of Justice’s 2018 indictment of seven officers in the Russian Main Intelligence Directorate (GRU).

GRU Unit 74455 was accused of conspiring to leak “selected items of stolen information, in many cases in a manner that did not accurately reflect their original form” under the Fancy Bears banner.

Fancy Bear’s latest attacks relied on its usual tactics, including spear-phishing, password spraying attacks, and exploiting internet-connected devices. They also used open-source and custom malware. 

Besides anti-doping agencies, Fancy Bear uses similar methods to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world, according to Microsoft.

Microsoft has also used US courts to shut down Fancy Bear’s websites with fake Microsoft domains that the group employed to target victims.

The company recommends all business and personal email accounts have two-factor authentication enabled to prevent remote attackers accessing an account if the credentials have been compromised. It also recommends security awareness training so employees understand how to spot phishing email, even when they’re well-crafted.