Russia-Linked Hackers Leak Football Doping Files

23.8.2017 securityweek CyberCrime
A group of hackers believed to be operating out of Russia has leaked emails and medical records related to football (soccer) players who used illegal substances.

The group calls itself Fancy Bears and claims to be associated with the Anonymous hacktivist movement. They have set up a website, fancybears.net, where they leaked numerous files as part of a campaign dubbed “OpOlympics.”

“Today Fancy Bears’ hack team is publishing the material leaked from various sources related to football,” the hackers said. “Football players and officials unanimously affirm that this kind of sport is free of doping. Our team perceived these numerous claims as a challenge and now we will prove they are lying.”

The leaked files include emails exchanged between the Fédération Internationale de Football Association (FIFA) and representatives of anti-doping agencies discussing the test results of various football players. The files also provide information on the number of players using illegal substances -- without specifically naming any players -- and therapeutic use exemptions (TUEs), which allow athletes to take prohibited substances for medical reasons.

The files contain information on several important players allowed to use TUEs at the 2010 World Cup, including Mario Gomez, Carlos Tevez, Juan Sebastian Veron, Dirk Kuyt and Ryan Nelsen. However, the emails dumped by the hackers are dated as recent as June 2017.

Fancy Bear leak

The hackers said they leaked the files to show that more than 150 players were caught doping in 2015, and the number increased to 200 in 2016.

Both the Football Association and FIFA condemned the leak of confidential medical information.

The same hacker group previously targeted the International Association of Athletics Federations (IAAF) and the World Anti-Doping Agency (WADA). The hackers now also described the files as “WADA documents” and some of them appear to originate from the Anti-Doping Administration and Management System (ADAMS). SecurityWeek has reached out to WADA for comment.

While the Fancy Bears that took credit for these attacks claim to be hacktivists, researchers have linked the previous leaks to Fancy Bear, a notorious cyber espionage group believed to be sponsored by the Russian government. The threat actor is tracked by various security firms as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium.

The first Fancy Bear leak came shortly after investigations exposed state-sponsored doping in Russia. The latest release may have been triggered by similar events.

“Previous Fancy Bear dumps were almost always retaliatory and in response to sanctions from various international sports organizations. When the Russian athletic team was banned from participating in World Athletics Championships in London, embarrassing IAAF doping reports about major Western athletes were made public,” explained Recorded Future’s Insikt Group.

“As international pressure on Russia intensifies, with open calls to strip Russia of World Cup in 2018 and recent the FIFA investigation into suspected prohibited substance abuse of the national soccer team, today's release was almost guaranteed to surface,” it added. “The message reads very clear and loud - ‘Dare to touch us, we'll come after you. Don't expect us to remain silent and maintain status quo’.”