Hacker Group Releases Stolen Health Records

Fancy Bear Dumps Alleged Drug Records of World Cup, Other Players
With claims of wanting to dispel "the myth about doping-free football," the Russian-linked hacker group Fancy Bear has released health records related to alleged drug use of dozens of soccer players worldwide, including about 25 athletes who had reportedly been allowed to use banned medicines during the 2010 World Cup.

In an Aug. 22 statement posted on its website, Fancy Bear says its "hack team is publishing the material leaked from various sources related to football. Football players and officials unanimously affirm that this kind of sport is free of doping. Our team perceived these numerous claims as a challenge and now we will prove they are lying."

The leaked records include World Anti-Doping Agency documents that Fancy Bear alleges reveal "that more than 150 players were caught doping in 2015. The next year this number increased up to 200 athletes."

International Business Times reports that among the leaked records are names of 25 2010 World Cup players who were cleared to use banned medicines during the South Africa tournament.

In a statement provided to Information Security Media Group, WADA - an international standards agency for anti-doping policies in sports - condemned the breach, but claimed its organization wasn't the source of the documents dumped by Fancy Bear.

"WADA is aware that cyber espionage group 'Fancy Bear' once again released information; in particular, confidential athlete data regarding Therapeutic Use Exemptions, or TUEs, on its website," WADA says.

WADA says it immediately examined the information released by the hacker group and "was quickly able to determine that it is not housed in WADA's Anti-Doping Administration and Management System," or ADAMS. WADA adds, "stakeholders can rest assured that ADAMS remains secure."

WADA also explained that under its therapeutic drug use exemption process, an athlete can obtain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition. "The TUE program is a rigorous and necessary part of elite sport, which has overwhelming acceptance from athletes, physicians and all anti-doping stakeholders worldwide," WADA says.

"This criminal activity undertaken by the cyber espionage group, which seeks to undermine the TUE program and the work of WADA and its partners in the protection of clean sport, is a clear violation of athletes' rights," WADA adds.

Like WADA, the Federation Internationale de Football Association, or FIFA, which organizes the World Cup, in a statement provided to ISMG, also sharply criticized the release of the hacked health records.

"FIFA condemns in the strongest terms the publication by the Fancy Bear group of information obtained illegally, particularly personal and medical data from athletes," the organization says. "The release of such information constitutes a clear violation of the athlete's privacy and puts at risk the ongoing fight against doping. All potential violations of the anti-doping regulations are handled by FIFA in accordance with WADA regulations."

Political Statement?

Like other hacking incidents that are suspected to be tied to Fancy Bear - including the 2016 cyberattack on the Democratic National Convention - the motivation of the World Cup health records leak appears to be of a political nature, some experts say.

"This attack was in direct response to challenges to the Russian football organization and its titles, and appears consistent with previous Fancy Bear activities which seem to be nationalistic in their focus," says Mac McMillan, president of security consulting firm CynergisTek. "This seems very consistent with other nation state type activity."

Ross Rustici, senior director of intelligence services at Cybereason, says Fancy Bear is trying to send a political message.

"Regardless of whether the latest data dump contains actual files the message from this group is clear," he says. "Russia may be blamed for doping scandals in international sports on a regular basis - the most recent of which involves the 2014 World Cup team - but look at all the other countries that have issues too. No one side is worse than the other," he says. "What is lost in the rush to discuss the scandal of doping players and the stories about how Russia is back to its old tricks regarding information operations is that private citizens are being used as chess pieces in what essentially amounts to a public relations game."

Also, this isn't the first time Fancy Bear has been implicated in hacks involving health information, Rustici adds.

"They were behind the intrusion into the medical records before the Rio Olympics that ended up releasing a lot of information on American athletes among others," he says. "It is not new but it appears to be a growing, standard response to doping allegations against Russian sports."

This latest incident allegedly involving Fancy Bear looks to be similar, he adds. "It appears that the most likely motivation is to change the narrative around doping scandals. This appears to be the weaponization of private data for state propaganda goals."

Taking Action

Still, with medical data increasingly being a focus for cyberattacks by nation states, domestic hackers, and other cybercriminals, health-related entities need to step up their security measures, Rustici says.

"The best defense is an in-depth strategy that combines multiple layers of technology and authentication," he says. "A lot of healthcare compromises come from hackers going after powerful and under-protected protocols such as Remote Desktop Protocol, a proprietary protocol developed by Microsoft," he notes.

"Ensuring that remote connections are well monitored and require two factor authentication goes a long way towards making the job of the hackers a lot harder, leaving them looking for softer, less-secured targets."

McMillan also suggests entities take critical actions to better defend against these types of attacks, including deploying active monitoring on the network and systems that hold health data. "Look into the more advanced privacy monitoring tools that perform behavioral analysis and see things in real time. Continue to educate your staffs that these records do represent a higher profile of risk and they need to be careful and diligent."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
