Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

10/4/2018 04:35 PM

US Indicts 7 Russian Intel Officers for Hacking Anti-Doping Organizations

The Netherlands has expelled four of the suspects, who had tried to break into an organization investigating the chemical used in the recent attack on a former Russian spy in Britain.

The US Department of Justice has indicted seven Russian military intelligence officers for alleged hacking activities that were designed to undermine the credibility of international anti-doping organizations and officials.

Four of the indicted officers traveled to the Netherlands to try to break into systems belonging to an organization investigating the deadly nerve agent recently used in an attempt to kill a former Russian spy in Britain.

The Dutch government on Thursday separately announced it had expelled the four individuals, who were in the country on diplomatic passports, after disrupting the hacking attempt midway and finding equipment for breaking into Wi-Fi networks in their rental car. In its statement, the Dutch government described the Russian military intelligence unit to which the four belonged as the team known as Fancy Bear, a well-known APT group that many have long suspected of being run by the Russian government.

One of the officers is also accused of attempting to break into the networks of Westinghouse Electric, a nuclear power company that has supplied nuclear fuel to Ukraine.

In charges unsealed today in the Western District of Pennsylvania, the US government accused the Russian intelligence officers of breaking into and stealing information from computers belonging to entities that had investigated a massive Russian state-sponsored doping program.  

The investigations began in 2015 and resulted in 111 Russian athletes being banned from the 2016 Summer Olympics in Brazil, and all Russian athletes being banned from the Paralympic Games also held in Brazil that year.

US officials allege that the Russian intelligence operatives stole credentials and personal medical histories, including data on the therapeutic use of otherwise prohibited substances, of some 250 athletes from about 30 countries. They then released the information in a selective and often misleading manner under the name "Fancy Bears' Hack Team," presenting it as the work of an independent hacktivist group rather than of the GRU, with which the Fancy Bear name has long been associated.

The goal was to retaliate against the organizations and individuals that had exposed Russia's doping program by systematically spreading misinformation to discredit and delegitimize their efforts, the DOJ said in a statement announcing the indictments Thursday. Among the aims was an effort to damage the reputations of athletes by making misleading claims about their use of banned or performance-enhancing drugs, the DOJ said.

The indictments are the latest in a string of similar actions that the US government has taken recently against Russian agents for a variety of alleged hacking activities — including most notably those related to tampering with the 2016 presidential election. In fact, three of the individuals indicted for the hacks against the anti-doping organizations were indicted previously on charges related to their alleged role in the 2016 election tampering.

The indictments demonstrate the US government's ability to track malicious activities. But in practical terms it means very little, says Ross Rustici, senior director of intelligence services at Cybereason. "It does help build the public narrative regarding the extent of Russian activity," he says. "If they follow it up with DHS/FBI technical information it might have some small effect on defensive measures."

According to the DOJ, the seven indicted officers are all members of the GRU, Russia's Main Intelligence Directorate. The activities with which they have been charged allegedly began around December 2014 and continued through at least May 2018.

The seven are alleged to have conducted "persistent and sophisticated computer intrusions" against a slew of organizations including the U.S. Anti-Doping Agency, the World Anti-Doping Agency, the International Association of Athletics Federations, and the Court of Arbitration for Sport.

Most of the hacking activities were carried out from Russia and included the use of spear-phishing emails to try to obtain login credentials from individuals with access to systems and information of interest to the Russian campaign. In situations where the remote activities failed or did not produce the intended result, a team of four intelligence officers would travel to where the targets were physically located in order to conduct close-access attacks via Wi-Fi networks.

In 2016, for instance, when an official from the US Anti-Doping Agency traveled to the Olympics in Rio de Janeiro, members of the Russian close-access team targeted his computer via Wi-Fi access points at his hotel and other locations. As a result, the Russian intelligence team gained access to the official's computer, which contained summaries of athlete test results, including the prescription medications the athletes were taking.

Hacking from the Rental Car

The four individuals who were expelled from the Netherlands this week were in fact conducting such a close-access attack against the Organization for the Prohibition of Chemical Weapons (OPCW) when their activities were spotted and stopped by the Dutch defense intelligence service. Dutch authorities found the equipment the four were using to try to break into the OPCW Wi-Fi network partially hidden in the trunk of a Citroen C3 rental car. The car had been parked in the lot of the Marriott Hotel in The Hague with its trunk, and the hacking equipment inside it, facing the OPCW building directly adjacent to the lot.

Source: Dutch Ministry of Defence

The individuals named in the indictment are Aleksei Morenets, 41; Evgenii Serebriakov, 37; Ivan Yermakov, 32; Artem Malyshev, 30; Dmitriy Badin, 27; Oleg Sotnikov, 46; and Alexey Minin, 46.

All are GRU officers currently based in Russia and will therefore not be extradited to the US to face the charges. However, the US government in recent years has shown an increasing willingness to go after and arrest such individuals when they travel to countries that have formal extradition treaties with the US.

Many international hackers, including some from Russia, who are currently awaiting trial in US jails or serving lengthy prison sentences were nabbed when they traveled outside their home countries to destinations friendly to US interests.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
