SII Focus 12th January 2018

Hackers register spoof domains ahead of PyeongChang 2018

Hackers have registered spoofed domains mimicking those of the World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA) and the Olympic Council of Asia (OCA), ThreatConnect has discovered. ‘These suspicious domains have consistencies with other previously identified Fancy Bear infrastructure and raise the question of a broader campaign against the upcoming 2018 winter games’, read a statement from the internet security company.

ThreatConnect said that although it cannot ‘definitively’ tie the registered domains to Fancy Bears, the organisation which illegally hacked into International Olympic Committee (IOC) emails this week, it has ‘notified the spoofed organisations’. This perhaps explains why the USADA website was temporarily down earlier this week.

‘In the course of our ongoing efforts to monitor domains registered through registrars that Fancy Bear has shown a tendency to use, we recently identified the domain webmail-usada[.]org [link], which spoofs the USADA’s legitimate domain’, continued the ThreatConnect statement. ‘This domain was registered on December 21 2017 and uses the Domains4Bitcoins name server that Fancy Bear has previously used. Additionally, as of January 10, 2018, this domain is hosted on a dedicated server at the IP 185.189.112[.]242. While the domain was registered using privacy protection, start of authority (SOA) records for the webmail-usada[.]org domain indicate the domain was registered using the email address jeryfisk@tuta[.]io. Using Iris from our friends at DomainTools, we can identify that this email address was also recently used in the SOA records to register another USADA-spoofing domain usada[.]eu.

‘This domain is not currently hosted. No other domains registered using that email address have been identified. However, given the consistency in spoofing USADA, it suggests that the actor behind these domains may be engaged in a concerted effort against the USADA or using their name to target others outside of the organization.’

A third domain,, has also been identified by the internet security company, which although currently ‘parked’ (not in operation), is designed to spoof the WADA’s internet site and Anti-Doping Administration and Management System (ADAMS). ThreatConnect said that although this domain doesn’t use a ‘small or boutique name server’ which Fancy Bears has a tendency to use, it was registered on 14 December using the email address wadison@tuta[.]io.

‘This email address has only registered one other domain, networksolutions[.]pw, which uses the previously mentioned Domains4Bitcoins name server, and as of January 10, 2018, is hosted on dedicated server at the IP 23.227.207[.]182’, continued the statement. ‘The WADA-spoofing domain is currently parked; however, given the consistencies between wadison@tuta[.]io’s networksolutions[.]pw domain and previously identified Fancy Bear infrastructure, it merits additional scrutiny’.

ThreatConnect also found that was registered on 25 December 2017, which attempts to spoof the OCA’s internet site. The company said that the site is hosted using a THCServers domain name server, which it has previously identified as being a favourite of Fancy Bears. ‘It should be noted that this spoofed domain is co-located on the IP 193.29.187[.]143 with about six other domains’, ThreatConnect highlighted. ‘Fancy Bear’s domains often use dedicated servers, but given the subject and timing of this registration, defenders should also be on the lookout’.


In January last year, a second US intelligence report (PDF below) claimed that Russia’s Main Intelligence Directorate (GRU) is behind cyber attacks on anti-doping organisations (ADOs) and the 2016 Presidential election. On 29 December 2016, the Whitehouse sanctioned the GRU for cyber operations intended to ‘influence the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government’. A US Federal law enforcement report produced to back up that sanction named GRU (also known as RIS) as being behind Fancy Bear, a hacking group which has been targeting organisations since 2008.

Under a slightly different moniker, Fancy Bears, cyber attacks on ADOs have resulted in various releases of athlete therapeutic use exemption (TUE) data since September 2016. The January 2017 report suggests that the GRU is also behind Fancy Bears. It suggests that the disclosures published as a result of the 2016 Presidential campaign cyber attacks may have been in response to a view, held by the Kremlin, that allegations of systemic Russian doping were a US-directed attempt to discredit Russia. ‘Putin publicly pointed to the Panama Papers disclosure and the Olympic doping scandal as US-directed efforts to defame Russia, suggesting he sought to use disclosures to discredit the image of the United States and cast it as hypocritical’, it reads.

As reported by The Sports Integrity Initiative earlier this week, similar language was used in Fancy Bears hack into IOC emails earlier this week, blaming ‘Anglo-Saxons’ for a crusade to sideline the IOC through control of WADA as part of an agenda to get Russia excluded from the Rio 2016 Olympics. It is easy to see how the Kremlin might take the view that the US deliberately targeted Russia to keep it out of the Olympics.

Meldonium, a drug used largely in Russia and eastern Europe, was placed on to the 2016 Prohibited List following dubious research commissioned by the major US sports leagues. After the IOC decided not to impose a blanket ban on Russian athletes following the systemic doping uncovered by the four WADA Independent Commission (IC) and Independent Person (IP) Reports, USADA and the Canadian Centre for Ethics in Sport (CCES) sought ADO support for Project Olympian, which explored the feasibility of an appeal against the IOC’s decision not to impose a blanket ban at the Court of Arbitration for Sport (CAS).

This pressure from prominent ADOs perhaps explains why WADA suggested that the IOC ban Russia from the Rio 2016 Olympics 18 days before the Games were due to start. However it is far from being the discovery of an Anglo-Saxon plan to take control of WADA, as Fancy Bears claims.


The significance of ThreatConnect’s discoveries is that it appears to show that a targeted campaign was being planned to disrupt the sports movement ahead of the PyeongChang 2018 Winter Olympics. The US security reports show that Russian hackers operated a similar targeted campaign ahead of the US Presidential elections.

It is a common misconception that hackers are motivated either by exposure of security concerns that compromise public privacy or financial gain. Many hack into systems just for fun, or to prove that they can. Although it appears that Russia has the motivation for such an attack, and that Russia has been responsible for similar attacks in the past, Fancy Bears could still fall into that category.

You may also like...

Pin It on Pinterest

Share This