The World Anti-Doping Agency has been hacked. More precisely, the WADA Anti-Doping Administration and Management System (ADAMS) database that it operates has been hacked.
Why are we, here at Digital Health, telling you this? Because the ADAMS database stores lab test results and, importantly, Therapeutic Use Exemption (TUE) authorisation records for sportsmen and women from across the globe.
It is these health records, for that’s what they are, that have been exfiltrated and are currently in the process of being leaked to the media.
Dozens of sporting names, including the likes of Mo Farah, Chris Froome, Sir Bradley Wiggins and Serena Williams, have had details of their TUE records exposed.
This has apparently been done in an attempt to discredit WADA rather than the athletes themselves, most likely in retaliation at the bans levied upon Russian athletes following an investigation into the state-supported manipulation of the doping control process.
The hacks have been claimed by a group calling itself ‘Fancy Bears’. Not much is known about them.
The group’s website doesn’t give much away, including the location of the hacker or hackers, or what else they have been up to (there are some suggestions the same group or an affiliate might lie behind the hacks on the US presidential election).
Nevertheless, investigations suggest Fancy Bears is actually a front for a state-sponsored cyber-espionage operation. This conclusion has been reached for two main reasons.
The fact that the hack has involved TUE authorisations and western athletes might be enough, in itself, to lead researchers down that road. After all, no Russian athletes have been ‘exposed’ in this way.
Not that it is that much of an exposure. Sure, Wiggins and Froome, in particular, have come in for intense scrutiny as a result of the revelations, because of the close association of pro cycling and drugs in the public mind and the anti-doping stance of both riders and their team, Sky.
But otherwise it’s more of an act of misdirection to muddy the authority of WADA itself. The TUE exemptions are both legal, and commonplace, involving athletes that legitimately use medication that would otherwise be prohibited in the sport concerned.
Indeed, 159 such TUEs were granted to UK athletes alone between January 2015 and March 2016.
Fingers point at Russia
However, there appears to be plenty of technical evidence emerging that this was the act of a Russian perpetrator. The director general of WADA has already gone on the record to state that law enforcement investigators have stated the attacks originated in Russia.
Other security outfits, such as Crowdstrike, which have investigated Fancy Bears previously, have concluded it is most likely backed by the Russian military intelligence agency GRU (Glavnoye Razvedyvatel'noye Upravleniye).
Fancy Bears is also known by the name APT28, and there is plenty of evidence to suggest it is tied directly to the Russian government.
In fact, the Russian Embassy in the UK has been gleefully tweeting in support of the attacks, and the idea that all “doping records” as it calls them should be open – at least for athletes who took part in the Olympics.
So that’s the ‘who’. And given we are talking state-sponsored acts of hacking here, you might imagine the ‘how’ would take us deep into James Bond territory when it comes to sophistication.
The truth, however, is far from it. We know that the hackers found their way into the WADA databases through nothing more complicated than a phishing attack.
A phishing attack is an email message carefully crafted in order to socially engineer the recipient into clicking a link, or open an attachment, an execute a malicious payload.
Phishing attacks often appear to come from a large or well-known company, with a broad membership base, or from a very important person, as this makes it significantly more likely that people will fall for them.
In this case, there was what is known as a spear phishing attack; one that targets a single person or department rather than a random grapeshot approach to threat distribution.
“The targeting of individuals is an increasingly common tactic used by cyber criminals to compromise an organisation’s security” Robert Page, lead penetration tester at Redscan told Digital Health.
“By targeting high privilege users such as network administrators, criminals can quickly gain access to highly sensitive data.”
A hack to watch (out for)
The ‘how’ is another reason we are covering this story; health records are a prime target for the cyber-criminal classes, particularly in the US, but increasingly in the UK, while spear phishing is a prime modus operandi when it comes to targeting health organisations.
The Ponemon Institute’s latest healthcare data security report, which notes that medical identity theft across the pond has almost doubled over the past four years to 2.3 million incidents costing some $2.1 billion, says some 88% of those surveyed had experienced a spear phishing attack.
There’s plenty of advice online about how organisations can protect themselves.
But at the end of the day: “The best thing an organization can do to protect against spear phishing is user education,” says Jonathan Sander, VP of product strategy at security specialists Lieberman Software. “A user who is simply cautious will out do all the analytics and AI that is on the market.”
The next best thing an organisation can do is mind their admin accounts and privileges.
“If the user who clicks on the phishing email doesn’t have rights to do anything important on their system or others on the network,” Sander points out, “then the bad guys who just stole their identity only have a step in the process, not instant victory.”