Cyber Security Update: WADA’s Incident Response
As has been reported in the media, since 13 September the cyber espionage group “Fancy Bear” has been releasing batches of confidential athlete data regarding Therapeutic Use Exemptions (TUEs) on its website. The TUE process is a means by which an athlete can obtain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition. The TUE program is a rigorous and necessary part of elite sport, which has overwhelming acceptance from athletes, physicians and all anti-doping stakeholders worldwide. The criminal activity undertaken by the cyber espionage group, which seeks to undermine the TUE program and the work of WADA and its partners in the protection of clean sport, is a cheap shot at innocent athletes whose personal data has been exposed.
Fancy Bear illegally obtained the data from an account in WADA’s Anti-Doping Administration and Management System (ADAMS) created especially for the Rio 2016 Olympic Games (the “Rio 2016 ADAMS Account”), and therefore had access to the TUE history of athletes who participated in the Games.
The broader ADAMS was not compromised in the attack.
Upon learning of the incident, WADA promptly formed a multi-disciplinary incident response team, composed of internal and external resources, including representatives of its IT, legal, and communications teams. The Agency also started to liaise with leading law enforcement agencies in Canada and elsewhere on all aspects of this investigation, including decisions on taking down information from the Fancy Bear website and other social media sites.
In the interest of keeping stakeholders apprised of its handling of the matter, WADA has prepared the following Summary, which includes an overview of the incident and outlines actions that the Agency has taken to date to contain the breach.
It should be noted that WADA’s investigation is ongoing, and so, while the Agency wishes to keep stakeholders informed, it is mindful of the risks of disclosing information that might compromise the integrity of its investigation.
- In June 2016, WADA created the Rio 2016 ADAMS Account to hold Olympic athlete information required to fulfill the doping control program at the 2016 Olympic Games. Following its creation, the International Olympic Committee (IOC) had full administrative authority over this Account. As administrator of the Account, the IOC created Account credentials for those responsible for running the anti-doping program during the Games, including establishing two accounts for WADA representatives, who were part of WADA’s Independent Observer (“IO”) program for the 2016 Olympic Games.
- Before and during the 2016 Games, third-party hackers targeted a number of WADA and IOC email accounts with a spear phishing campaign, which potentially led to the compromise of certain ADAMS passwords. Note: a spear phishing email is crafted to trick a specific recipient into divulging information, such as their username and password, which the attacker then uses to gain access to an application of interest.
- WADA’s technical and forensic team’s current assessment is that an intruder illegally accessed the Rio 2016 ADAMS Account multiple times between 25 August 2016 and 12 September 2016, using credentials unlawfully obtained from one of these targeted users.
- On 13 September, the intruder, calling itself “Fancy Bear,” released the first batch of data, comprising TUE information, on its website. The intruder has since released data related to current and expired TUEs on five other occasions – always in relation to athletes who competed at the 2016 Olympic Games. The released data all corresponds to the data thefts that occurred between 25 August and 12 September as described above.
- Upon learning of the intrusion into the ADAMS system on 13 September, WADA began taking additional actions that same day to secure the system and contain the known impact of the attack, including:
  - deactivation of all Rio 2016 ADAMS accounts;
  - disabling the self-service “forgot password” reset feature;
  - increasing logging capabilities related to security events;
  - increased monitoring of logs and network activity; and
  - deactivation of dormant accounts.
- WADA also promptly engaged FireEye Inc., d/b/a Mandiant, a premier security and forensic consulting firm, to conduct a thorough and comprehensive investigation of WADA’s assets, networks, and systems, including ADAMS, to determine the scope of the intrusion and access to data stored on such systems, and to contain any ongoing threat. As of 5 October, Mandiant’s analysis is over 90% complete, and it has not found any evidence of additional compromise to ADAMS data beyond the export of the Rio 2016 ADAMS Account data through 12 September, as described above.
- In addition to broad stakeholder and media communications immediately after each leak, WADA has contacted, and will continue to contact as necessary, all athletes impacted and their Anti-Doping Organizations (ADOs) – both International Federations (IFs) and National Anti-Doping Organizations (NADOs) – so that they can provide them with the necessary support.
- Additionally, WADA has advised all ADAMS users to vigilantly monitor their electronic communications and remain alert for attempted phishing schemes. In this regard, WADA was informed last week that some users have received suspicious emails, purportedly from WADA’s Deputy Director General, Rob Koehler, advising them that WADA’s President wanted to speak with them regarding the cyber-attacks. To be clear, no such email was ever sent by the Deputy Director General. Please remain vigilant to such scams.
- It should also be noted that in the course of its investigation, WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS data. However, we are continuing to examine the extent of this as a priority and we would encourage any affected parties to contact WADA should they become aware of any inaccuracies in the data that has been released.
- In terms of longer-term actions that WADA is taking to further enhance ADAMS security, in addition to implementing additional authentication controls, the Agency is enhancing its security logging and monitoring program and will complete a full security assessment to strengthen its vulnerability management and security controls. The Agency will also provide more guidance to users on how to avoid inadvertently disclosing passwords to third parties who use spear phishing techniques.
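Two of the containment steps listed above, deactivating dormant accounts and increasing monitoring of logs, can be approximated with a small login-log review. The following is an added example and is not WADA’s or the ADAMS system’s own code: it reads a constructed login log in a hypothetical whitespace-separated format, lists accounts idle past a threshold, and flags successful logins after a chosen baseline date that come from a source address the account had never used before that date (the pattern a replayed phished credential tends to produce). The usernames, source addresses (documentation ranges), timestamps, dates and log layout are all assumptions made for the illustration.

```python
# Added example, not WADA's or ADAMS's code. Log format and all records are
# constructed; the real ADAMS log format is not described on this page.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO-8601 UTC timestamp, username, source IP, result.
SAMPLE_LOG = """\
2016-06-15T12:00:00Z games_admin  203.0.113.5   success
2016-08-01T09:12:03Z io_observer1 203.0.113.10  success
2016-08-02T10:30:00Z io_observer1 203.0.113.10  success
2016-08-03T08:00:00Z io_observer2 203.0.113.11  success
2016-08-25T23:41:10Z io_observer1 198.51.100.77 failure
2016-08-25T23:41:40Z io_observer1 198.51.100.77 success
2016-08-26T01:02:00Z io_observer1 198.51.100.77 success
2016-09-01T09:00:00Z io_observer2 203.0.113.11  success
2016-09-12T22:10:00Z io_observer1 198.51.100.78 success
"""


def parse_ts(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse whitespace-separated records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        records.append({"ts": parse_ts(ts), "user": user, "ip": ip,
                        "ok": result == "success"})
    return records


def dormant_accounts(records, now, max_idle_days=30):
    """Accounts whose most recent successful login is older than the threshold.

    These are candidates for deactivation: an account nobody uses is pure
    attack surface if its credentials have been phished.
    """
    last_seen = {}
    for r in records:
        if r["ok"]:
            last_seen[r["user"]] = max(last_seen.get(r["user"], r["ts"]), r["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return {user for user, ts in last_seen.items() if ts < cutoff}


def new_source_logins(records, baseline_end):
    """Successful logins at or after baseline_end from an IP the account never
    used before it.  An account with no successful login before baseline_end
    has no baseline at all, so every later login of its is flagged for review.
    Failed attempts are ignored here; they belong in a separate brute-force check.
    """
    baseline_ips = defaultdict(set)
    for r in records:
        if r["ok"] and r["ts"] < baseline_end:
            baseline_ips[r["user"]].add(r["ip"])
    flagged = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["ok"] and r["ts"] >= baseline_end and r["ip"] not in baseline_ips[r["user"]]:
            flagged.append(r)
    return flagged


def review(log_text, now, baseline_end, max_idle_days=30):
    """Run both checks over a raw log; `now` and `baseline_end` are ISO strings."""
    recs = parse_log(log_text)
    return {
        "dormant": sorted(dormant_accounts(recs, parse_ts(now), max_idle_days)),
        "review": [(r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), r["user"], r["ip"])
                   for r in new_source_logins(recs, parse_ts(baseline_end))],
    }


if __name__ == "__main__":
    # Baseline ends just before the intrusion window reported above (25 Aug).
    result = review(SAMPLE_LOG, "2016-09-13T00:00:00Z", "2016-08-24T00:00:00Z")
    print("deactivate (dormant):", result["dormant"])
    for ts, user, ip in result["review"]:
        print("review:", ts, user, ip)
```

The baseline date is the analyst's choice; here it is set just before the first known intrusion date so that everything the account did from a new address in the window is surfaced, while the second observer account, which kept logging in from its usual address, produces no noise.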
WADA thanks athletes and ADOs for their understanding and support. Should they have any questions or concerns, or have encountered suspicious activity in relation to ADAMS such as phishing emails, they are encouraged to contact the Agency’s helpdesk at firstname.lastname@example.org or on +1 514 904 8800.
WADA is taking this situation, concerning athlete privacy, very seriously and will continue to provide relevant updates as circumstances evolve.