Anonymous Poland might be a sockpuppet account

Aug 23, 2016 14:40 GMT  ·  By

A report released by cyber-intelligence firm ThreatConnect reveals hidden connections between the recent WADA and TAS hacks and the operations of Fancy Bear, a cyber-espionage group with strong ties to Russia's government.

The incident we are referring to took place on August 11, when the World Anti-Doping Agency (WADA) admitted to suffering a data breach. Later, the Anonymous Poland hacktivism group took credit for the attack and dumped data online from a second target, the Court of Arbitration for Sport (TAS, also CAS).

Two days after these revelations, Yuliya Stepanova, the Russian runner who revealed Russia's state-sponsored doping program to the world, also reported that her email and WADA ADAMS accounts had been hacked.

ThreatConnect: Attacks have Fancy Bear's paws all over them

According to ThreatConnect, the cyber-espionage group known as Fancy Bear is behind these attacks. Fancy Bear is also known under other names such as Sofacy, APT28, Sednit, Pawn Storm, or Strontium, and most security firms and experts believe this advanced persistent threat is tied to the Russian military intelligence service GRU.

Many believe, even if evidence is scarce, that this is the same group that carried out cyber-attacks against the DNC and DCCC, two Democratic Party organizations, during the current US presidential election campaign.

ThreatConnect says that during the recent WADA and TAS attacks, the attackers used three domains to host phishing pages: wada-awa[.]org, wada-arna[.]org, and tas-cass[.]org.

TTPs reveal connection to Fancy Bear's past modus operandi

The security vendor says that these domains, even though they were registered with newly created, never-before-seen email accounts, were hosted on DNS servers previously used in other Fancy Bear operations.

Fancy Bear operators made sure to use the ITitch and Domains4bitcoins registrars, which support Bitcoin payments for domain registrations so that nobody could track down the payments.

This tactic has been seen in the past in other Fancy Bear operations, along with the usage of 1&1 mail.com webmail email addresses.

The emails, domain registrations and the actual attacks took place between August 3 and 8 when WADA announced the banning of all Russian athletes from both Olympic and Paralympic games.
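As an added illustration, not part of the ThreatConnect report or this article, the following Python sketch shows the kind of infrastructure pivot described above: newly seen domains are tied to a known campaign by shared name servers, by use of the Bitcoin-friendly registrars named in the report, and by how closely their names mimic the legitimate sites. The name servers, the "older-campaign" domain and the legitimate WADA/CAS domain names are all assumed or constructed for the example.

```python
"""Defender-side infrastructure pivoting on constructed WHOIS/passive-DNS rows."""

BTC_REGISTRARS = {"ITitch", "Domains4bitcoins"}   # registrars named in the report
LEGIT = ["wada-ama.org", "tas-cas.org"]           # assumed legitimate domains being spoofed

# Constructed records. Name servers are .invalid placeholders, not real infrastructure;
# "older-campaign" stands in for a hypothetical earlier operation of the same actor.
RECORDS = {
    "wada-awa[.]org":  {"ns": {"ns1.dns.invalid", "ns2.dns.invalid"}, "registrar": "ITitch"},
    "wada-arna[.]org": {"ns": {"ns1.dns.invalid", "ns2.dns.invalid"}, "registrar": "Domains4bitcoins"},
    "tas-cass[.]org":  {"ns": {"ns1.dns.invalid", "ns3.dns.invalid"}, "registrar": "ITitch"},
    "older-campaign[.]example": {"ns": {"ns1.dns.invalid"}, "registrar": "ITitch"},
    "unrelated[.]example":      {"ns": {"ns9.other.invalid"}, "registrar": "SomeRegistrar"},
}


def refang(indicator):
    """Turn a defanged indicator such as wada-awa[.]org back into a plain hostname."""
    return indicator.replace("[.]", ".")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(records, known, legit=LEGIT, max_dist=2):
    """Return {domain: [reasons]} for every domain that pivots to the known campaign."""
    known_ns = set().union(*(records[k]["ns"] for k in known))
    findings = {}
    for dom, rec in records.items():
        if dom in known:
            continue
        reasons = []
        shared = rec["ns"] & known_ns
        if shared:
            reasons.append("shares name servers with known campaign: " + ", ".join(sorted(shared)))
        if rec["registrar"] in BTC_REGISTRARS:
            reasons.append(f"registered via Bitcoin-accepting registrar {rec['registrar']}")
        for site in legit:
            if levenshtein(refang(dom), site) <= max_dist:
                reasons.append(f"lookalike of {site}")
        if reasons:
            findings[dom] = reasons
    return findings
```

Running `assess(RECORDS, ["older-campaign[.]example"])` flags the three phishing domains on all three criteria and leaves the unrelated domain out.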

WADA and TAS attacks infrastructure

In our initial report, we speculated about two possible explanations for this event. One was that Anonymous Poland carried out the attacks because a Polish weightlifting champion was caught using steroids and sent home from the Olympics. The second was that Anonymous Poland was a sockpuppet account, one that hadn't tweeted anything in the past four years and suddenly came to life just to dump the WADA and TAS files.

Anonymous Poland might be one of Fancy Bear's sockpuppet accounts

This latter theory is supported by ThreatConnect, which notes that Anonymous Poland's activities have historically focused on internal Polish politics, so this attack stands apart from the rest of the group's operations.

Furthermore, the security vendor noticed something suspicious in the YouTube video posted online by the Anonymous Poland group, in which they show how they hacked TAS.

"The screen capture video shows the individual using a local admin account with Polish language settings," ThreatConnect explained. "However, when the individual uses Firefox, we see in their browser history that they have previously issued Google searches from Google.ru (Russia) and Google.com (US) multiple times while Google.pl (Poland) is absent."

"Google.ru within the browser history might indicate that the user that created the YouTube video is originating, or has previously originated, from a Russian IP address," ThreatConnect added.

Screenshot from Anonymous Poland video
