The World Anti-Doping Agency (WADA) on Tuesday said a Russian espionage group was behind a cybersecurity breach that resulted in the private health records of U.S. Olympic athletes being leaked online this week.
WADA confirmed its Anti-Doping Administration and Management System (ADAMS) was hacked in a statement less than 24 hours after internal files concerning American sports starts Simone Biles, Serena Williams and Venus Williams surfaced on the web.
Law enforcement has traced the breach to Russia, and WADA said its confirmed that the culprits belong to the same group widely believed to have waged the recent cyberattack against the Democratic National Committee, according to the statement.
“WADA deeply regrets this situation and is very conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act,” the agency’s director general, Olivier Niggli, said Tuesday.
The leaked health records — shared online by a group calling itself “Fancy Bears’ Hack Team” — suggest the American athletes were allowed to compete in the Rio Olympic Games last month in spite of testing positive for banned substances because they were given special permission. WADA previously called for a blanket ban against all Russian athletes ahead of the Olympics after an independent report undertaken by professor Richard McLaren uncovered evidence of a wide-scale doping operation sanctioned by Moscow, but around two-thirds of its athletes were eventually cleared to compete.
Travis Tygart, the CEO of U.S. Anti-Doping Agency, condemned the breach as “cyber-bullying” in a statement of his own Tuesday and disputed the significant of the leaked records.
“It’s unthinkable that in the Olympic movement, hackers would illegally obtain confidential medical information in an attempt to smear athletes to make it look as if they have done something wrong. The athletes haven’t. In fact, in each of the situations, the athlete has done everything right in adhering to the global rules for obtaining permission to use a needed medication,” he said.
U.S. cybersecurity firms have said a state-sponsored Russian hacking group known by names such as Tsar Team, APT28 and Fancy Bear was responsible for hacking the DNC earlier this year on the eve of the Democratic Party’s convention in Philadelphia.
Mr. Niggli accused Russian hackers earlier this month of waging cyberattacks against WADA’s systems “every day for three weeks,” and said the culprits were “acquaintances of Western governments.”
According to Tuesday’s statement, the individuals behind the latest breach were likely able to obtain privileged health records by using a technique known as spear-phishing in order to gain access to the email accounts of individuals associated with WADA or its ADAMS database. Once a target’s email account was compromised, the hacker likely parsed their inbox for credentials and then used that information to pull health records from the system.
“WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system,” Mr. Niggli said Tuesday. “Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency’s independent McLaren Investigation Report.”