The IAAF has been hacked and it blames the notorious Russian hacking group APT 28, also known as FANCY BEAR, for the attack which targeted athletes'Therapeutic Use Exemption (TUE) applications stored on IAAF servers.
The attack was uncovered by Context Information Security, a cyber incidence response firm contracted by the athletics' governing body in January to investigate IAAF systems. On 21 February, Context detected the "presence of unauthorised remote access to the IAAF network ... where meta data on athlete TUEs was collected from a file server and stored in a newly created file," the IAAF said.
"It is not known if this information was subsequently stolen from the network, but it does give a strong indication of the attackers’ interest and intent, and shows they had access and means to obtain content from this file at will."
The IAAF informed the authorities (UK National Cyber Security Centre and the Agence Monégasque de Sécurité Numérique) and worked with Context to scope the breach, identify how the attacker came in, and remove the attackers’ access to the network. This was carried out and completed over the weekend.
Athletes were notified of the suspected breach on Monday (April 3)
IAAF president Lord Coe apologised in a statement, in which he said: "Our first priority is to the athletes who have provided information they believed would be secure and confidential."
Matthias Maier, security evangelist at Splunk, commented: "The announcement by the IAAF that it was recently hit by a cyber attack that compromised athlete data is yet another warning that organisations of all types should expect to be targeted. In fact, in this incident the IAAF has proved that organisations now need to go a step further and assume that they have already been breached by malicious threats and so should begin threat-hunting exercises as a matter of routine."
From Russia with Love: Cyber Espionage
APT 28 - the APT stands for Advanced Persistent Threat - has been blamed for compromising the Democratic National Committee (DNC) during last year's US presidential election and researchers at Secureworks point to close links between the hacking crew and the GRU, Russia's foreign intelligence agency.
In September 2016, the group attacked the World Anti-Doping Agency (WADA) database and leaked confidential details of athletes, including TUE-based permissions to take prohibited substances because of a medical need. Tour de France winner Sir Bradley Wiggins and long distance runner Mo Farah were among many who faced scrutiny after their medical files were made public.
The WADA raid was said to be motivated by the imposition of a ban by many sports prohibiting Russian athletes from participating in the 2016 Olympic Games, following revelations of a state-sponsored doping program. ®