SAN FRANCISCO — The hacked medical files of Olympic athletes Simone Biles, Elena Delle Donne, Serena Williams, and Venus Williams were made public Tuesday by a Russian group that cybersecurity experts say was previously responsible for breaches into the Democratic National Committee and White House.
The World Anti-Doping Agency (WADA) confirmed in a statement posted on Tuesday that its database, which included medical files of athletes competing in the Olympics, was hacked by the Russian group that cybersecurity companies have named “Fancy Bear.”
“WADA deeply regrets this situation and is very conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act,” Olivier Niggli, WADA's executive director, said in the statement. “WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system.”
Niggli added that law enforcement had determined that the “attacks are originating out of Russia,” without clarifying which agency the body had worked with.
“Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency’s independent McLaren Investigation Report,” Niggli said.
"We have nothing to add to our statement at this time," WADA's Maggie Durand wrote in an email to BuzzFeed News following questions about which cybersecurity company had discovered the breach in their system and which law enforcement agency the body is working with.
Russia forcefully denied any involvement in the hack. “It can be stated with all certainty that there is no involvement of the official Moscow, [Russian] government or special services in such actions. This is completely ruled out,” Dmitry Peskov, spokesperson for Russian President Vladimir Putin, told journalists.
The cybersecurity firm ThreatConnect was cited in a previous report that found that the same group of Russian hackers had gained access to the WADA database and gotten into the account of Russian whistleblower Yuliya Stepanova, an 800-meter runner whose revelations of widespread doping in Russian track and field led to that team being banned from competing in Rio.
ThreatConnect had found that the group — which they call Fancy Bear, but which is also known as Tsar Team and APT 28 by other cybersecurity firms — had hacked into WADA through spear phishing emails. Those emails, which often appear to come from trusted sources and have legitimate information, contain malware that, once opened, gives the attackers access to the system. Cybersecurity experts say that spear phishing is the simplest, most surefire method for hackers to access a computer system.
In a post on the group from August, ThreatConnect said Fancy Bear had called itself Anonymous Poland (@anpoland) when it leaked data stolen from WADA servers on Stepanova. The hackers used the name Anonymous Poland much in the same way that they used the name “Guccifer 2.0” when leaking information during the DNC hack, in both cases blaming known hackers to try and deflect attention from themselves.
"We assess that the phishing and Stepanova's compromise most likely are part of targeted activity by Russian actors in response to the whistleblower and the WADA's recommendation to ban all Russian athletes from the Olympic and Paralympic games in [Brazil]," ThreatConnect said. "Successful operations against these individuals and organizations could facilitate Russian efforts to privately or publicly intimidate them or other whistleblowers."
ThreatConnect did not respond to a request for comment Tuesday or answer questions on how far the breach of the WADA servers went.
Biles, who won four gold medals at the Olympic Games in Rio de Janeiro, responded to the medical files release in a statement on her Twitter account.
As part of the released records Tuesday, the hacking group said it plans to release more medical files of US athletes. The group wrote that following their review of the medical files, they had found evidence of US athlete doping: “This is other evidence that WADA and IOC's Medical and Scientific Department are corrupt and deceitful.”
U.S. Anti-Doping Agency CEO Travis Tygart has already responded in a statement, saying, "It’s unthinkable that in the Olympic movement, hackers would illegally obtain confidential medical information in an attempt to smear athletes to make it look as if they have done something wrong. The athletes haven’t. In fact, in each of the situations, the athlete has done everything right in adhering to the global rules for obtaining permission to use a needed medication. The respective International Federations, through the proper process, granted the permission and it was recognized by the IOC and USADA. The cyber-bullying of innocent athletes being engaged in by these hackers is cowardly and despicable."
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F