#PutinAtWar: WADA Hack Shows Kremlin Full-Spectrum Approach

How the Russian government hacked and abused the World Anti-Doping Agency

@DFRLab
Oct 14, 2018 · 14 min read
Archive of the “Fancy Bears’ Hack Team” Twitter account, and footage of four accused GRU hackers arriving in the Netherlands in April 2018. (Source: Twitter, via archive.is, archived on August 10, 2018; Dutch Ministry of Defense)

The recent arrest of four hackers from Russia’s military intelligence service, the GRU, provides a case study in the Russian government’s full-spectrum approach to propaganda, involving characters from a leading account in the Russian “troll farm” to President Putin himself.

The hackers targeted the World Anti-Doping Agency (WADA), among other institutions. They provided leaks which were amplified by top officials, diplomats, overt and covert government media outlets, anonymous internet trolls, and sympathetic Western voices. All these combined in an integrated messaging system, which appeared designed to spread the Kremlin’s point of view and silence or discredit its critics.

While the WADA case did not have the security impact of other incidents in which the GRU hacking team was involved — notably the downing of Malaysian Airlines flight MH17 over Ukraine and the hacking of the Democratic National Committee in the United States — it showcased the coordination and coherence of the Russian government’s communications operations.

It serves as a template for analyzing and understanding other Kremlin information operations, and for discussing potential responses.

Hackers On Tour

The four men had been filmed arriving at Amsterdam’s Schiphol Airport, where they were met by a member of staff from the Russian Embassy. When detained outside the OPCW main building, they were found to have a carload of hacking equipment, including wireless antennae.

Translated from Dutch: “Schematic representation.” Image of the hacking equipment in the suspects’ car (left) and diagram of the layout (right). (Source: Dutch Ministry of Defense)

Dutch counterintelligence recovered the men’s mobile phones and laptop. According to the Dutch statement, the laptop’s activity log showed that it had also been used to access wifi networks in Kuala Lumpur, Malaysia, and two hotels in Lausanne, Switzerland.

Table of earlier logins on the suspects’ laptop, with the Lausanne logins highlighted. (Source: Dutch Ministry of Defense)

The laptop also showed a picture of one of the suspects alongside a female Russian athlete at the 2016 Olympic Games in Rio de Janeiro.

The image on the suspects’ laptop, dated to August 14, 2016. (Source: Dutch Ministry of Defense)

According to British Ambassador to the Netherlands Peter Wilson, who spoke at a press conference alongside the Dutch Minister of Defense, the Malaysian login was part of an operation that was “trying to collect information about the MH17 investigation, and it targeted Malaysian government institutions including the Attorney General’s office and the Royal Malaysian Police.”

According to an indictment published the same day by the U.S. Department of Justice, the suspects’ presence in Rio (August 2016) and Lausanne (September 2016) targeted WADA.

Contemporaneous reporting showed that WADA held a “think tank” on “challenges to the anti-doping system” in the Palace Hotel in Lausanne on September 20 — the same day the GRU agents logged in there.

The WADA Case

Headline of the WADA statement, published on July 18, 2016. (Source: WADA)

The McLaren report detailed a coordinated, state-managed system of doping, which included official testing laboratories swapping samples from doped athletes with uncontaminated samples to fool international checks.

At the time, WADA President Sir Craig Reedie said:

Not only does the evidence implicate the Russian Ministry of Sport in running a doping system that’s [sic] sole aim was to subvert the doping control process, it also states that there was active participation and assistance of the Federal Security Service and the Center of Sports Preparation of National Teams of Russia.

The report was a serious embarrassment for the Russian government, which based its legitimacy, in part, on its restoration of Russia’s national pride and prowess after the collapse of the Soviet Union.

It should be borne in mind that the scandal was not a security or legal threat to the government. Unlike the downing of MH17 and the use of incendiary cluster munitions in Syria, it did not involve potential war crimes; unlike the annexation of Crimea and the undeclared presence of Russian tank battalions in Ukraine in 2015, it did not have potential implications in the field of international law.

Nevertheless, according to the U.S. indictment:

Days after the release of the First McLaren Report and the International Olympic Committee’s and IPC’s subsequent decisions regarding the exclusion of Russian athletes, the conspirators prepared to hack into the networks of WADA.

According to the U.S. and Dutch reports, the GRU team deployed to Rio and Lausanne to compromise wifi networks which were used by WADA staff. In August, in Rio, they hacked into email accounts used by members of WADA, the U.S. Anti-Doping Agency and the International Olympic Committee. In September, in Lausanne, they hacked more WADA accounts.

Open source investigation techniques cannot corroborate the exact details of the hacking intrusions. What they can illustrate is how the emails were leaked and amplified by the full spectrum of Russian government assets, in an apparent attempt to discredit WADA. This approach, using hacking to obtain compromising material for political purposes, is known as “cyber-enabled influence operations.”

Hackers Who Leak

The seized site. (Source: fancybear.net)

The initial leaks included therapeutic use exemptions (TUEs) for American tennis star Serena Williams, gymnast Simone Biles and basketball player Elena Delle Donne. Subsequent leaks included data on tennis star Rafael Nadal and an alleged 150 soccer players.

Screenshot of a partial snapshot of the fancybear.net home page, dated September 13, 2016, and archived the following day. The archive did not show the full page. (Source: archive.is via fancybear.net)

The hacking group publicized their leaks through a Twitter account, @FancyBears, created on September 6, 2016, and a Facebook page, FancyBearsHackTeam1.

Tweets by @FancyBears, saved on the Wayback archive machine, September 12, 2016. Note the reference to the Williams sisters as “doping addicts.” (Source: web.archive.org via Twitter / @FancyBears)

The day the leaks began, WADA published a statement attributing the hack to “a Russian cyber espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear.”

The revelations exposed athletes’ private medical records, but were not, in fact, scandalous. As the BBC reported a week after the first dump — and the same day the hacking team was breaching WADA mails in Lausanne — “there is no suggestion any of the athletes named are involved in any wrongdoing.”

Screenshot of BBC video detailing the hacks, September 20, 2016. (Source: BBC)

TUEs are an overt and legal part of sport, distinct from covert doping, which is designed to hide the use of banned substances. This point was widely made by Western media, including the New York Times, Guardian, USA Today, and Vox. In the view of such outlets, the leaks did not expose wrongdoing, although they did raise the question of whether the TUE system was open to abuse.

Australia’s ABC broadcaster summed up the international response, writing, “given that the use of these medications by Biles and the Williams sisters was legal and above board, why has Fancy Bear publicized the hack?”

Many Voices, One Chorus

The response is significant for the messaging discipline shown by different parts of the Russian government’s communications apparatus. From top officials to workers in the “troll farm” in St. Petersburg, each unit promoted the same argument: that the West was corrupt and hypocritical, and that Russia, the victim, had done nothing which other countries did not do.

For example, on September 13, 2016, the very day the leaks came out, Russian-language website News-Front.info published a lengthy article headlined “Sensation: WADA allowed American sportsmen to use doping for years.” The article claimed that “WADA kept silent on the facts,” and called the athletes “sporting sinners.”

News-Front article of September 13, 2016. The highlighted passage reads, translated from Russian, “WADA kept silent about the facts themselves, not giving way to scandals.” (Source: news-front.info)

Neither claim was justified. WADA had protected athletes’ confidential medical records, which was its job; the athletes had received official permission to take the medicines in question.

News-Front claims to be independent, but according to a whistleblower interviewed by German newspaper Die Zeit in February 2017, it is in fact funded, and sometimes directly controlled, by “the Russian secret service.” It is unclear which branch of the Russian secret services this refers to; on this occasion, its effect was to amplify leaks provided by the GRU.

Russian government sites were also quick off the mark. On September 14, 2016, Kremlin outlet Sputnik, whose official tasks include “securing the national interests of the Russian Federation in the information sphere,” published an interview on the leaks originally given to RT by a former head of Russia’s doping agency.

The article was headlined, “WADA Hack: Leaked Documents Expose US Athletes’ Hypocrisy.” The word “hypocrisy” did not feature anywhere in the interview itself, suggesting that it was a Sputnik editorial addition.

Screenshot of the Sputnik article and headline. Note the results of the search for the word “hypocrisy,” top right, showing that the only mention was in the headline. (Source: Sputnik)

The same day, RT ran an interview with Italian sports journalist Marcello Foa which it headlined, “What’s up with WADA? ‘Anti-doping agency practicing double standards against Russian Olympians’.” RT’s editorial stance, including its defense of Russia against the charge of hacking, emerged from its introductory paragraphs and questions:

Western media and government reaction was to divert attention from the news that some US athletes took banned substances by alleging Russian hackers were able to acquire the details, Italian sports journalist Marcello Foa told RT.

The World Anti-Doping Agency (WADA) has confirmed its databases had been compromised, saying the attack was carried out by a hacking group known as Fancy Bear.

And judging by Wednesday’s headlines, the organization’s alleged ties to Russia excited the mainstream media far more than the doping scandal itself. The Russian government has dismissed any possibility that it had anything to do with the incident.

RT: Why has the media chosen to focus on the hack attack rather than on the revelations themselves?

(…)

RT: Do you think the athletes involved in this scandal will be treated any differently by the media and other competitors?

None of RT’s published questions stated that the drugs had been provided legally, under the TUE rule; indeed, the final question began, “If these medications were indeed prescribed to them,” as if there were doubts about it. Overall, the article appears to have been an attempt to defend the hackers and publicize the leaks, by implicating the Western media in the “scandal.”

Russian diplomatic accounts took the same line. On September 15, the Russian Embassy in London tweeted about the leaks, pointing out that far more Western than Russian athletes had been implicated. The tweet focused, literally, on the word “hypocrisy.”

Archived on October 9, 2018. (Source: Twitter / @RussianEmbassy)

The same day, the Russian Embassy in South Africa tweeted a link to the RT article mentioned above, highlighting the claim of “double standards.”

Archived on October 9, 2018. (Source: Twitter / @EmbassyofRussia)

This messaging reached to the very top of Russian politics. On September 19, 2016, President Vladimir Putin gave an address to Russian Paralympic athletes who had been banned from competition because of the doping scandal. Putin’s comments on the leaks are worth repeating in full:

As you know, we do not welcome hackers and their actions, but it was thanks to them that we learned that people who took part in the Olympic Games and were outwardly perfectly healthy were actually taking prohibited substances that gave them and give them clear advantages in sports competition.

Why were our Paralympic athletes the only ones banned from taking part in the Paralympics on the sole basis of some incomprehensible suspicion of taking who knows what substances? This was clearly a dishonest, hypocritical and cowardly decision.

Putin explicitly thanked the hacking team, a comment which may well have caused champagne to pop in GRU headquarters. He also called the decision to ban Russian athletes “hypocritical,” and claimed that the ban was based on “some incomprehensible suspicion,” rather than a whistleblower’s testimony and a 95-page report. This messaging was fully aligned with the state’s broadcasters, declared and undeclared.

At the other end of the communications scale, the “troll farm” in St. Petersburg also attacked WADA and its investigation, albeit rather later. On September 30, troll account @nataturn, one of the many troll-farm accounts later suspended by Twitter, posted a number of attacks on the agency which have been recovered by NBC News.

List of troll farm accounts provided to the U.S. Congress by Twitter, showing @nataturn. (Source: House Democrats)

Each tweet was addressed to a public figure, including sports writer Erin Strout, BBC Scotland sports journalist Tom English, WADA head of communications Catherine MacLean, sports physician Margo Mountjoy, journalist Eoghan Sweeney, commentator Nick McCarvel, and CBC journalist and producer Stephanie Jenzer.

@erinstrout WADA got hacked! Check it out, maybe you will want to write about it https://t.co/sBGo3VvRGs

@BBCTomEnglish Hello! Here’s what I found on Twitter. Can you please comment on this? https://t.co/sBGo3VvRGs

@CatherineM_WADA Can you comment on this? Do you think it’s fake? Because it doesn’t look like one

@margomountjoy What’s the deal with doping use? I though WADA was fighting it. Can you explain this? https://t.co/sBGo3VvRGs

@buileshuibhne Hello! I think I got something for you. WADA is hiding something. Is this a case for investigation? https://t.co/sBGo3VvRGs

@NickMcCarvel Hello! WADA shadow activities exposed! Here’s what I just read https://t.co/sBGo3VvRGs

@StephJenzer Hello! I think everybody should know it. WADA leaks told us a lot more than we wanted https://t.co/sBGo3VvRGs

In all, the account tweeted to at least 30 journalists and commentators, asking them to read the post and comment on it. One tweet was addressed to @Jenn_Abrams, Jenna Abrams, arguably the troll farm’s most famous creation, who boasted 70,000 Twitter followers in “her” prime.

@Jenn_Abrams @wada_ama That’s unbelievable! It’s nice to realize your favorite athletes are frauds and @wada_ama covers their asses!
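The pattern described above, one account pushing a single shortened link at a long list of unconnected public figures with near-identical “please comment on this” wording, is simple to surface once tweets are grouped by link. As an added illustration, not code from the DFRLab article, the following Python script runs that heuristic over a constructed sample: the @nataturn tweets quoted above, plus two tweets from a hypothetical ordinary account (“someuser”) that the heuristic should leave alone. The thresholds (at least five distinct targets, at least 80% of the link’s tweets being addressed replies) are assumptions chosen for the sample, not published criteria.

```python
import re
from collections import defaultdict

# Constructed sample: the @nataturn tweets quoted in the article, plus two tweets
# from a hypothetical ordinary account ("someuser") that should not be flagged.
SAMPLE_TWEETS = [
    ("nataturn", "@erinstrout WADA got hacked! Check it out, maybe you will want to write about it https://t.co/sBGo3VvRGs"),
    ("nataturn", "@BBCTomEnglish Hello! Here's what I found on Twitter. Can you please comment on this? https://t.co/sBGo3VvRGs"),
    ("nataturn", "@CatherineM_WADA Can you comment on this? Do you think it's fake? Because it doesn't look like one"),
    ("nataturn", "@margomountjoy What's the deal with doping use? I though WADA was fighting it. Can you explain this? https://t.co/sBGo3VvRGs"),
    ("nataturn", "@buileshuibhne Hello! I think I got something for you. WADA is hiding something. Is this a case for investigation? https://t.co/sBGo3VvRGs"),
    ("nataturn", "@NickMcCarvel Hello! WADA shadow activities exposed! Here's what I just read https://t.co/sBGo3VvRGs"),
    ("nataturn", "@StephJenzer Hello! I think everybody should know it. WADA leaks told us a lot more than we wanted https://t.co/sBGo3VvRGs"),
    ("nataturn", "@Jenn_Abrams @wada_ama That's unbelievable! It's nice to realize your favorite athletes are frauds and @wada_ama covers their asses!"),
    ("someuser", "Nice write-up @erinstrout, thanks https://t.co/AbCdEf1234"),
    ("someuser", "Lunch https://t.co/ZzZzZz9999"),
]

LINK_RE = re.compile(r"https?://t\.co/\w+")   # Twitter-shortened links only
MENTION_RE = re.compile(r"@(\w+)")            # @handles anywhere in the text


def group_by_link(tweets):
    """Bucket tweets by the shortened link they carry.

    For each link we keep the set of posting accounts, the set of distinct
    @-mentioned targets, and the raw texts (for wording checks).
    """
    by_link = defaultdict(lambda: {"authors": set(), "targets": set(), "texts": []})
    for author, text in tweets:
        for link in LINK_RE.findall(text):
            entry = by_link[link]
            entry["authors"].add(author)
            entry["targets"].update(MENTION_RE.findall(text))
            entry["texts"].append(text)
    return by_link


def flag_amplification(tweets, min_targets=5, min_reply_share=0.8):
    """Return links that look like a seeding campaign.

    A link is flagged when it is pushed at many distinct handles and nearly all
    of the tweets carrying it are addressed replies (text starting with '@'),
    i.e. unsolicited direct contact rather than ordinary sharing.
    """
    flagged = []
    for link, entry in group_by_link(tweets).items():
        texts = entry["texts"]
        reply_share = sum(1 for t in texts if t.startswith("@")) / len(texts)
        if len(entry["targets"]) >= min_targets and reply_share >= min_reply_share:
            flagged.append({
                "link": link,
                "tweets": len(texts),
                "distinct_targets": len(entry["targets"]),
                "reply_share": round(reply_share, 2),
                "authors": sorted(entry["authors"]),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_amplification(SAMPLE_TWEETS):
        print(hit)
```

Only the link-bearing tweets count toward the group, so the two @nataturn tweets that carry no link (to @CatherineM_WADA and @Jenn_Abrams) do not inflate the target count; on a real dataset the same grouping across many accounts would also reveal whether several accounts are seeding the same link.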

Most of the posts came with a Twitter-shortened URL, https://t.co/sBGo3VvRGs. The link led to a broken Medium page called “Bullshitist.” Entering it into a search bar revealed the original URL, https://bullshit.ist/doping-vs-money-who-wins-df5f8f0d93a3#.67j0be6fp. This suggested that the original headline was “Doping vs Money: Who Wins?”

Result of entering the shortened link into the search bar. (Source: @DFRLab)

A Google search for that headline returned just one hit: an archived Medium article dated September 29, 2016, one day before @nataturn’s posts.
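Expanding the shortened link and reading the headline back out of the Medium slug, as the investigation above does, can be scripted so that every redirect hop is recorded and the final page is never fetched or rendered. The Python below is an added example, not the article’s code. Because the real t.co link cannot be resolved offline, it starts a local stand-in shortener (constructed) that answers with a 301 to a Medium-style slug; the resolver itself is generic and would work against any host. It issues HEAD requests only, follows redirects by hand so that each hop is logged, and caps the number of hops. The `slug_words` helper strips the trailing 12-hex-character Medium post id and the fragment, which is the step that recovered “Doping vs Money: Who Wins?” above; the punctuation of the headline is not recoverable from the slug.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the shortener: one short path that redirects to a
# Medium-style slug, mirroring the article's https://t.co/sBGo3VvRGs example.
SHORT_PATH = "/sBGo3VvRGs"
TARGET_PATH = "/doping-vs-money-who-wins-df5f8f0d93a3"


class _FakeShortener(BaseHTTPRequestHandler):
    def do_HEAD(self):
        if self.path == SHORT_PATH:
            self.send_response(301)
            self.send_header("Location", TARGET_PATH)  # relative, on purpose
        elif self.path == TARGET_PATH:
            self.send_response(200)
        else:
            self.send_response(404)
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the test output quiet
        pass


def start_fake_shortener():
    """Bind the stand-in server on a free port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _FakeShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


REDIRECTS = {301, 302, 303, 307, 308}


def resolve_chain(url, max_hops=5, timeout=5):
    """Follow redirects with HEAD requests, returning every URL in the chain.

    No response body is ever downloaded, only http/https targets are followed,
    and the walk stops after max_hops to avoid redirect loops.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            raise ValueError("refusing non-HTTP redirect target: %s" % url)
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        try:
            conn.request("HEAD", path, headers={"User-Agent": "link-expander"})
            resp = conn.getresponse()
            if resp.status not in REDIRECTS:
                return chain          # final destination reached
            location = resp.getheader("Location")
        finally:
            conn.close()
        if not location:
            return chain
        url = urljoin(url, location)  # handles relative Location headers
        chain.append(url)
    raise RuntimeError("more than %d redirects from %s" % (max_hops, chain[0]))


MEDIUM_ID = re.compile(r"-[0-9a-f]{12}$")


def slug_words(url):
    """Recover the headline words from a Medium-style URL slug."""
    slug = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]  # fragment dropped
    return MEDIUM_ID.sub("", slug).replace("-", " ")


if __name__ == "__main__":
    base = start_fake_shortener()
    hops = resolve_chain(base + SHORT_PATH)
    for hop in hops:
        print(hop)
    print("headline words:", slug_words(hops[-1]))
```

Walking the chain by hand rather than letting a client library auto-follow is what makes the intermediate hops visible; the same resolver will also surface a redirect to a non-HTTP scheme or a loop, both of which are worth knowing about before anyone opens the link in a browser.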

Results of the search. (Source: Google)

The archive link led to an article under the byline of — Jenna Abrams.

The article tweeted by @nataturn and attributed to Jenna Abrams. Note the byline, the attack on WADA in the second paragraph (“corrupted bastards”), and the claim of “rules violation” (highlighted). Archived on October 18, 2017. (Source: archive.is, from bullshit.ist)

The piece was written in Abrams’ signature style, calling WADA “corrupted bastards,” and addressing the accusation of Russian hacking with withering sarcasm:

Yeah, Russian hackers would use such an obvious symbol as bear. Their site also looks more like something developed by the Western anarchist hacker group, Anonymous.

The article claimed, falsely, that the leaks exposed “more than one questionable case of rules violation.” It went beyond official Russian government lines, arguing that the U.S. had bribed WADA to allow it to cheat.

At the same time, we can see top US athletes (Serena Williams and Simone Biles, for example) being permitted to participate in the Olympics despite the banned drugs. What was the donation by the US to WADA? Yes, the biggest of them all, over $2 million (and there is only official information).

The article also accused Reedie and his family of personal corruption.

Suddenly, on August 4th WADA changed its’ mind and let Kenya participate. Why? Follow the money! Days before the Olympics significant amounts of money were transferred to the accounts of Sir Craig Reedie’s family.

This was a substantial effort by the troll farm, albeit a late one: a 500-word article under its best-performing byline, backed up by amplification from at least one other troll account which targeted at least 30 public figures and commentators.

The messaging continued for a considerable while. In November 2016, RT ran another piece accusing WADA of hypocrisy; yet another, by the same author, came the following month.

RT articles in November and December, 2016. (Source: RT)

According to an internet archive, @FancyBears itself was still tweeting in May 2018, and being amplified by other Kremlin voices such as Sputnik. On this occasion, the target was Sweden’s anti-doping agency, which confirmed that it had been hacked.

Left: Tweet by @FancyBears, archived on August 10, 2018. Right: Sputnik article on the leak. (Source: archive.is, from Twitter / @FancyBears / Sputnik)

Again, RT was also involved, running its own story on the hacks.

(Source: RT)

On this occasion, the accusations of “hypocrisy” were absent, but the pattern of Russian state outlets amplifying leaked emails originally hacked by Russian hackers remained.

Conclusions

Hacked and leaked by the GRU, the WADA files and the narrative of “hypocrisy” were amplified by the President of Russia, diplomatic missions, the state’s official broadcasters, covert outlets such as News-Front.info, and the “troll farm” in St. Petersburg. Favorable comments by apparently independent experts were given broad coverage, while the evidence of Russian doping and Russian hacking was roundly mocked.

This is the same pattern which the United States saw throughout 2016, as Russian hackers targeted Democratic Party servers, leaked the emails through their own websites and WikiLeaks, saw them amplified by outlets such as RT and Sputnik, and fed them to the mainstream media, with a significant impact on the election.

This is a complex model, in which disparate parts of the communications machine work together. Confronting that machine requires a separate response appropriate to each of its parts.

The detention and exposure of the GRU hackers was an important countermeasure, shining a light on the agents’ activity, and leaving little space for credible denials. However, such a response would clearly not be appropriate when dealing with the politicians and diplomats amplifying the leaks: states facing such activity would need to look for a political or diplomatic response.

Different responses again would be needed to confront the overt and covert outlets amplifying the leaks. In the case of covert outlets such as News-Front.info, an evidence-based attribution of their funding by Russian intelligence would be a first step. In the case of RT and Sputnik, debate should begin with the question of whether they qualify as bona fide journalism outlets, when their own editor-in-chief speaks of them as the “information weapon.”

Dealing with the challenges of online troll farms requires a different set of responses again, from the social platforms, the open-source community, and user groups. The priority is to identify and expose troll farm accounts, and increase public understanding of the standards of evidence required to do so.

The hacking and leaking operations did not start, or end, with WADA. The Fancy Bears Twitter page was still active in May 2018. The latest rash of revelations of the GRU’s activity has placed the Russian government on the defensive, even more than it was when WADA released the McLaren report.

It is important to understand the system of hacking, leaking and amplifying, because it is likely to come again.


Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Follow along for more in-depth analysis from our #DigitalSherlocks.
