Russian spies blamed for WADA hack, leaked documents confirm drug exemptions

On Tuesday, a group calling itself Fancy Bear, and claiming association with Anonymous, said they’ve hacked the World Anti-Doping Agency, and offered drug screening results as proof. Only, the leaked documents don’t contain incriminating facts. If anything, they show athletes following the rules as expected.

The thing about Anonymous is that anyone can claim to be associated with the brand. These days, Anonymous is nothing like it was during its prime (e.g. 2008-2012), but that doesn’t stop people from resonating with their ideals and launching operations associated with the Anonymous name and symbolism.

On Tuesday, during the announcement of OpOlympics, a group claiming association with Anonymous and calling themselves Fancy Bears’ international hack team, claimed credit for hacking World Anti-Doping Agency (WADA).

They accuse the U.S. Olympic team of winning tainted victories, and offer proof of these claims by leaking the drug screening results for Simone Biles, Elena Delle Donne, as well as Serena and Venus Williams.

The documents show that Simone Biles tested positive for methylphenidate (Ritalin) in 2016, and Focalin / Focalin XR between 2012-2014, which is used to treat attention-deficit/hyperactivity disorder or ADHD. The tests for Elena Delle Donne show that the basketball star takes Adderall, which is another drug to treat ADHD. The documents also show that Venus Williams was taking medication that looks to be connected to the treatment of Sjogren’s Syndrome.

Nothing in the leaked documents points to illegal activity, but they do show that the athletes in question are working within the rules and regularly undergo testing to prove it. It’s also worth mentioning that the test results carry a clear notice that the drugs detected are approved for use, so the insinuations that anti-doping rules were violated are false.

In a statement on the incident, WADA blamed APT28, also known as the Russian espionage group Sofacy. The group has also been called Fancy Bear, and was first profiled by Trend Micro and in a report published by FireEye in 2014. Fancy Bear has also been blamed for the recent hacking incidents at the DNC, and the subsequent leaks of election materials.

It isn’t clear where WADA has gotten their information from, other than using Google to lookup the name of the group that claimed responsibility for the incident. In a statement, WADA says that law enforcement has told them the recent attacks have originated in Russia.

WADA blames this latest incident on a Phishing attack against an employee. The attack was a success, and the credentials compromised were used to access ADAMS, the Anti-Doping Administration and Management System.

“While it is an evolving situation, at present, we believe that access to ADAMS was obtained through spear phishing of email accounts; whereby, ADAMS passwords were obtained enabling access to ADAMS account information confined to the Rio 2016 Games. At present, we have no reason to believe that other ADAMS data has been compromised,” the WADA statement said.

Olivier Niggli, Director General of WADA, said that they were reaching out to stakeholders about the incident and impacted athletes. In addition, he condemned the attacks and called them a way to undermine the WADA and global anti-doping system.

“WADA has been informed by law enforcement authorities that these attacks are originating out of Russia. Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency’s independent McLaren Investigation Report,” he said.

Blaming APT 28 for the incident seems like a stretch. If the goal of the attack was to clone ADAMS (IP theft), or if WADA had intelligence that’s of value to the Russian government, maybe this incident would fall within their wheelhouse. But leaking medical records represents a new venture for the group if the claims are true.

Most groups use Phishing as the first layer of attack, so that alone doesn’t conclusively prove anything, but there was no mention of malware by WADA, which is something APT 28 does rely on based on past examples.

So the basic elements of the story are nothing spectacular.

WADA was hit by a Phishing attack, the attack was a success and compromised credentials were used to access ADAMS, where someone searched popular names, dumped reports, and published them.

The catch is, the reports were said to be damning to the athletes and the IOC, but that isn’t the case at all. There’s nothing illegal in these reports, in fact they show exactly what one would expect – athletes following the rules.