Microsoft has issued a short notice, warning about a new wave of highly targeted cyberattacks by a group of Russian state-sponsored hackers attempting to hack over a dozen anti-doping authorities and sporting organizations around the world.
The attacks are originating from the 'Strontium' Russian hacking group, widely known as Fancy Bear or APT28, and are believed to be linked to the upcoming 2020 Summer Olympics in Tokyo.
The Fancy Bear hacking group, also known as APT28, Sofacy, X-agent, Sednit, Sandworm, and Pawn Storm, is believed to be linked to Russian military intelligence agency GRU and has been in operation since at least 2007.
Over that period, the group has been credited with many high-profile hacking incidents, such as hacking the US presidential elections to influence the results, targeting a country with NotPetya ransomware, causing blackouts in the Ukrainian capital Kiev, and a Pentagon breach.
The latest cyberattacks began on September 16, apparently after the World Anti-Doping Agency (WADA) found irregularities in a database from Russia's national anti-doping laboratory, warning that Russian athletes could face a ban from competing at Tokyo 2020 Summer Olympics.
Microsoft's Threat Intelligence Center said that some of these "significant cyberattacks" were successful, but the majority were not, and that the company notified affected organisations and worked with some of them to "secure compromised accounts or systems."
Hackers Targeted 16 Sporting and Anti-Doping Organizations
Microsoft confirmed the Fancy Bear hacking group targeted at least 16 national and international sporting and anti-doping organizations across three continents, but it did not disclose their identity.
The hacking techniques used by Fancy Bear in the latest campaign involve "spear-phishing, password spray, exploiting internet-connected devices, and the use of both open-source and custom malware."
Though these techniques are very well-known and not new, they were evidently proven very effective in previous cyber attacks by Fancy Bear against "governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world."
For example, when the victim opens the malicious document attached to an email, the exploit automatically executes PowerShell scripts in the background and installs malware on the victim's computer, giving attackers full remote control over it.
Fancy Bear Also Targeted Previous Olympic Events
This is not the first time when Fancy Bear hackers have targeted anti-doping organisations.
Fancy Bear leaked confidential athlete data from the World Anti-Doping Agency (WADA) in retaliation against the agency in 2016 when it took similar action against Russian athletes during the Rio 2016 Games Summer Olympics.
The hacking group has also been accused of conducting similar state-sponsored attacks during the Pyeongchang 2018 Winter Olympics held in South Korea, when it used the "Olympic Destroyer" wiper malware to disrupt the Winter Games' official network.
Though the malware did not disrupt the live feed during the opening ceremony, it was successful in disrupting the official website for the Winter Games for 12 hours, collapsing Wi-Fi in the Pyeongchang Olympic stadium, and failing televisions and internet at the main press center, leaving attendees unable to print their tickets for events or get venue information.
To protect yourself and your organization from becoming a victim of Fancy Bear and similar cyberattack campaigns, Microsoft has recommended deploying two-factor authentication (2FA) on all your business and personal email accounts and also enabling security alerts about links and files from suspicious websites.
Besides this, organizations are also advised to educate their employees to spot phishing attacks, so that they are not tricked into handing their organization's data to attackers.
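Password spraying, one of the techniques Microsoft lists above, tries a small number of common passwords against many accounts so that no single account trips a lockout threshold. The following is an added example, not code from the article or from Microsoft, showing the detection logic a defender would run over authentication logs: it flags a source address that fails logins for many distinct accounts inside a short window, and correlates any later success from that source so the account can be checked. The log format and the log lines are constructed for the example; the field names and thresholds are assumptions, not a real product's schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). One source
# address fails once each against many accounts, the password-spray pattern,
# then succeeds against one; a second address is a normal user mistyping.
SAMPLE_LOG = """\
2019-09-16T08:00:01Z auth_failure user=alice src=203.0.113.7
2019-09-16T08:00:04Z auth_failure user=bob src=203.0.113.7
2019-09-16T08:00:09Z auth_failure user=carol src=203.0.113.7
2019-09-16T08:00:13Z auth_failure user=dave src=203.0.113.7
2019-09-16T08:00:20Z auth_failure user=erin src=203.0.113.7
2019-09-16T08:00:25Z auth_success user=frank src=203.0.113.7
2019-09-16T08:01:00Z auth_failure user=grace src=198.51.100.3
2019-09-16T08:01:05Z auth_failure user=grace src=198.51.100.3
2019-09-16T08:01:11Z auth_success user=grace src=198.51.100.3
"""

# Assumed log line layout: "<ISO timestamp> <result> user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>auth_failure|auth_success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag any source that fails logins for at least `min_users` distinct
    accounts within one `window`. A brute force against a single account
    (many failures, one user) looks different and is deliberately not
    flagged here; per-account lockout already covers that case."""
    failures = defaultdict(list)   # src -> [(ts, user), ...]
    successes = defaultdict(set)   # src -> {user} for later correlation
    for ts, result, user, src in events:
        if result == "auth_failure":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)

    findings = []
    for src, attempts in failures.items():
        attempts.sort()
        best_users, best_start = set(), None
        lo = 0
        # Sliding window over this source's failures, keeping the window
        # that covers the largest number of distinct target accounts.
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            users = {u for _, u in attempts[lo:hi + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, attempts[lo][0]
        if len(best_users) >= min_users:
            findings.append({
                "src": src,
                "distinct_users": len(best_users),
                "window_start": best_start,
                # Accounts the same source later logged into: review these first.
                "successes": successes.get(src, set()),
            })
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {f['src']}: {f['distinct_users']} accounts from "
              f"{f['window_start'].isoformat()}, later successes: {sorted(f['successes'])}")
```

The thresholds (five accounts in ten minutes) are illustrative; in production they are tuned to the size of the user base and to what proxies or NAT gateways make a single address look like. The `successes` field is the part that matters for response: a success from a spraying source is the account to reset and investigate, and it is exactly the login that the 2FA recommendation above would have blocked.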