Yesterday, WADA, the World Anti-Doping Agency, was forced to issue an official statement following the disclosure of personal medical information of three top American Olympians, tennis stars Serena Williams and Venus Williams and gymnastics all-around winner Simone Biles. It's terrible news for the athletes, for WADA, and for the Olympics. According to the leaked information, all three American athletes were taking banned substances -- under approved Therapeutic Use Exemptions -- during the Rio Games. Here is what WADA said:
While it is an evolving situation, at present, we believe that access to ADAMS [WADA's internal administrative system] was obtained through spear phishing of email accounts; whereby, ADAMS passwords were obtained enabling access to ADAMS account information confined to the Rio 2016 Games. At present, we have no reason to believe that other ADAMS data has been compromised.
Ugh. It's going to be a long few weeks at WADA.
The consensus opinion in the fast-developing story is that the attack was master-minded by the threat actor/group known as Anonymous Fancy Bear. This is the very same Russian cyber espionage/hacking group that is credited with last spring's hacking of the Democratic National Committee email server. It appears that the group is tightly linked to Russian government agencies, creating the possibility that this is state-sponsored work.
It seems clear that Fancy Bear is engaged in a revenge attack on the USOC and those that participated in the exposure of systematic Russian state-sponsored doping programs that eventually led to the banning of many Russian athletes from the Rio Olympics and the total ban of the Russian team from the Paralympics. In early August, an initial attack was made against Yulia Stepanova, the Russian athlete who was one of the whistle-blowers in the doping investigation. Stepanova's personal WADA account was hacked and personal files, including her address, were revealed. Fearful for her safety, she and her family have since moved to an undisclosed location. Now, with the attack shifting to top American athletes, the stakes are ratcheting up even more. Whether or not the drugs were authorized, the reputation damage to these individuals, to the USOC, and to the United States is incalculable.
Unfortunately, the drama is not nearly over. Fancy Bear wrote: “This is just the tip of the iceberg. Today’s sport is truly contaminated while the world is unaware of the large number of American doping athletes.”
Once again a targeted email, most likely a socially-engineered email, originating from a copycat email domain, convinced an employee to provide or reveal a password to a sensitive internal administrative system. Once the hackers had access to the system they were able to access private records and accounts. And once again, the hackers are able to dictate their terms, leaking the information when it suits them, when it will have the maximum disruptive effect.
Clearly, the athletes that have been exposed by this action are among the most well-known individuals in the world. That's what makes it headline news. But even when the targets are not public figures, it is never good when malevolent third parties have access to secret information about your company or personal information about your executives. They can use that information to quietly extort money, or put other kinds of pressure on key personnel.
It is likely that this story is being discussed in C-suites everywhere. In fact, don't be surprised if you get a call asking about your enterprise's security preparations and safeguards against this kind of attack.
How will you answer?
These five actions are critical:
- Internal education about spear phishing and other kinds of external cyber attack should be accelerated.
- Processes for direct cash disbursements and wire transfers should be audited and strengthened.
- Procedures for gaining access to sensitive internal networks, databases, and servers should be tightened.
- External threat monitoring, including monitoring for possible spear phishing platforms, should be implemented immediately.
- A complete audit of your enterprise's and your executives' social risk exposures should be undertaken.
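One way to check inbound sender domains for the copycat-domain pattern described above, as an added example that is not part of the original post. The trusted domain `example-agency.org`, the sample domains, and the function names are constructed assumptions.

```python
import unicodedata

# TRUSTED and every sample domain used with this code are constructed.
TRUSTED = {"example-agency.org"}
# Substitutions often seen in copycat domains (a small, non-exhaustive set).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain: str) -> str:
    """Lowercase, decode punycode, strip accents, fold look-alike characters."""
    text = domain.strip().rstrip(".").lower()
    try:
        text = text.encode("ascii").decode("idna")  # xn--... -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: keep as received
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(sender_domain: str, trusted=TRUSTED, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<imitated domain>' or 'unrelated'."""
    domain = sender_domain.strip().rstrip(".").lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    skel = skeleton(domain)
    for good in sorted(trusted):
        name = good.rsplit(".", 1)[0]  # simplification: no public-suffix list
        if (edit_distance(skel, skeleton(good)) <= max_distance  # typo or homoglyph
                or skel.rsplit(".", 1)[0] == name                # same name, other TLD
                or domain.startswith(good + ".")):               # trusted name as prefix
            return f"lookalike:{good}"
    return "unrelated"
```

A fixed distance threshold of 2 is noisy for short domain names, so scale it to the length of the trusted name before using it for alerting.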
The fallout from today's WADA leaks will take months, or even years to settle. It is a bad situation that will stay bad for a long time. CISOs, take steps today to make sure that your enterprise or institution is not on the wrong side of the next spear phishing scandal.