SII Focus 8th December 2016

Fancy Bears email hack: USADA did follow up concerns

On Friday 25 November, The Sports Integrity Initiative received an email from Fancy Bears Hack Team claiming to ‘contain examples of sending WADA tests results to unauthorised persons, instability of ADAMS and subjective-based WADA decisions’, as well as evidence of Ultimate Fighting Championship (UFC) competitors taking prohibited substances. The 189 emails came in three archived files, the first of which contained communications between the US Anti-Doping Agency (USADA) and the World Anti-Doping Agency (WADA).

The majority of the emails within the first archived file appear to concern normal communication between USADA, WADA and other anti-doping agencies. They do reveal alarm amongst USADA staff at the number of therapeutic use exemptions (TUEs) that USADA was having to process before the Rio 2016 Olympics.

‘I’m getting ADHD/Prednisone TUEs for athletes that are currently at the trials for T&F and Swimming – I’m assuming I still process these even though they are already in the start of the trials?’, reads one email. ‘Does anyone know what education these athletes received specifically for the trials and why they are so last minute? This actually seems a lot worse than the 2012 games!’

An athlete survey on TUEs that USADA compiled suggests that the agency may have had concerns about US sports pressuring athletes into using prohibited substances and TUEs. From the 101 emails in Archive 1, The Sports Integrity Initiative identified three issues that required further explanation.

Issue One: Nine athletes inadequately tested ahead of Rio 2016

In a 14 July 2016 email involving UKAD, USADA and WADA, concerns that nine elite athletes had not been adequately tested in the run-up to the Rio 2016 Olympics are mentioned. The nine athletes were part of 490 athletes who had been identified as being in the US prior to the Rio 2016 Olympics. A request for USADA to carry out testing on them was sent by UK Anti-Doping (UKAD), which was the Secretariat of the International Olympic Committee (IOC)/WADA Pre-Games Taskforce. The mission of this Taskforce was to ‘identify potential testing gaps around the globe across all Olympic sports’.

USADA confirmed that eight of the nine athletes were tested by USADA prior to Rio 2016. This means that there was one elite athlete who was not tested prior to the Games. It is important to point out that the lack of pre-Games testing does not mean that this athlete – or those required to test him – have done anything wrong.

Issue Two: Cocaine use by US wrestlers in Olympic Training Camp

In an August 2 email, sent shortly before the Rio 2016 Olympics began on 5 August, USADA said it had received an anonymous tip-off regarding cocaine use by Rio-bound US wrestlers at the Olympic Training Camp (OTC) for weight loss purposes. The allegation made is that 24 wrestlers were using cocaine with the knowledge of an assistant coach.

Cocaine is prohibited only in-competition under WADA’s Prohibited List, so its use at a training camp would not necessarily result in an anti-doping rule violation (ADRV). However, if the allegations were proven to be correct, the assistant coach concerned could be in violation of the US Olympic Committee’s (USOC) Safe Sport Code of Conduct, which prevents ‘wilfully tolerating misconduct’. USADA confirmed that the wrestlers concerned were followed up with targeted tests, and an investigation is continuing into the assistant coach.

Issue Three: Corticosteroid confession by doctor

A 3 May email from a doctor admits giving an elite athlete an injection of Depo-Medrol 80 mg and Toradol for pain relief. The doctor concerned said that they were not aware that corticosteroids were on WADA’s Prohibited List.

USADA said that the doctor’s information was followed up with a test. However, Toradol is a non-steroidal anti-inflammatory drug that doesn’t feature on the Prohibited List. Depo-Medrol is a glucocorticoid and is only prohibited in competition. USADA said that there was no evidence of the substance in the athlete’s sample, so it was not considered an ADRV.

Security measures

At its Foundation Board meeting last month, WADA admitted that it had spent US$200,000 on attempting to protect its systems from cyber attack, following the Fancy Bears attacks on its Anti-Doping Administration and Management System (ADAMS). Fancy Bears has also attacked the Canadian Centre for Ethics in Sport (CCES), as well as USADA and UKAD.

At the Foundation Board meeting, WADA claimed that a total of 228 TUEs from 127 athletes were accessed by Fancy Bears. However, most of them had expired and 18 had been “fabricated”, so only 32 were valid during the Rio 2016 Olympic Games. It also admitted that the group was still attempting to access its systems.

WADA has engaged FireEye, which it describes as ‘a premier security and forensic consulting firm’, to determine the scope of the intrusion. As of 5 October, the analysis was 90% complete and had ‘not found any evidence of additional compromise to ADAMS data beyond the export of the Rio 2016 account data through 12 September’. USADA is also working with a cyber security company, as well as the Federal Bureau of Investigation’s (FBI) cyber-security taskforce, to help increase security.

Given the focus of the attacks on ‘western’ national anti-doping agencies (NADOs), it is easy to assume that they originate from Russia. WADA initially described the attacks as emanating from Russia, but later dropped this assertion. USADA has no such qualms.

“I think most people who have followed this situation realise that the overarching intent of these cyber-crimes is to distract from the realities of Russia’s state-supported doping system”, said USADA spokesperson Ryan Madden. “But what’s interesting is that all they’ve really accomplished – at least here domestically – is to shine a light on the high standards to which athletes in the United States are held. At the end of the day, these attacks need to stop. And we hope that the international community will come together, support any affected athletes and do whatever it takes to put an end to this criminal behaviour.”

Conclusion

Cyber attacks on athlete information are becoming more common. During last year’s Tour de France, Chris Froome’s team claimed his files had been stolen by hackers intent on exposing him – wrongly, they counter – as a drug cheat. “Ethically and morally, if you are going to accuse someone of doping then don’t cheat [steal],” said Froome’s coach, Sir Dave Brailsford, after the hack was discovered.

Froome was forced to take extraordinary measures in order to defend himself against the allegations. Froome has also been targeted by Fancy Bears. “As my friends in the military tell me, the only way to keep data safe online is not to put it there at all,” said one data expert who works on the Tour de France.

There are thousands of attempts to unlawfully access teams’ data made each Tour, he claims. While defences against such attacks are robust and resilient, all it takes is one breach to cause trouble. And not all hackers are as public about their successes as Froome’s aggressors – because in the majority of cases, it is rival teams doing the hacking.

However, such attacks are not always so sophisticated. Earlier this year, a scouting director from baseball’s St Louis Cardinals was jailed for 46 months for hacking into a database run by his old team, the Houston Astros, where he viewed confidential reports, evaluations and discussions.

There was nothing tricky in what he did. He simply knew a password of a former workmate, and from there, was able to worm his way into the network. WADA has confirmed that this is likely to be how Fancy Bears accessed its ADAMS database.

Given the limited budget that sport is able to allocate to IT, some experts in cybersecurity believe cracking into team databases may be a cakewalk for those with even basic hacking skills. And with sport becoming increasingly invasive in its collection of athletes’ personal details, that could end in further major embarrassments.

Others in the field say the best way to get secrets out of a player is the ‘blonde avatar’ trick. You simply set up a fake social media account using an image of an attractive young woman, befriend some players, build up their trust and then draw team secrets out of them. One young Australian footballer fell victim to such a scam this year, although in this case, he sent something even more revealing: nude photos of himself.

It may only be a matter of time before betting syndicates get involved in such chicanery too. One such group was recently accused of bugging the All Blacks’ hotel room, in the hope of getting inside information. Drones also offer further potential for this sort of activity.

How long will it be before such a syndicate takes a leaf out of Andrés Sepúlveda’s book? The South American political hacker has bombarded social media with fake accounts spreading fake sentiment about one politician or another in order to swing election results. The same could easily be (and may already have been) achieved on the betting market, shifting sentiment on a predicted sporting result in order to move the odds in one’s favour. Or to attempt to expose an anti-doping system as biased and failing.
