Russian hackers have compromised the servers of the world governing body for athletics and have likely made off with athletes’ medical data.
The attack against the International Association of Athletics Federations (IAAF) has been attributed to the APT 28 hacking group – also known as Fancy Bear – and took place in February this year.
The same cyberespionage group claimed responsibility for leaking Olympic athletes’ confidential medical files following an attack against the World Anti-Doping Agency last year and has been linked to interference with the US election in 2016.
Unauthorised remote access to the IAAF network was detected when metadata on athletes’ Therapeutic Use Exemption (TUE) – detailing if they’re allowed to use prescribed medical treatment – was collected from the server and stored in a newly created file.
In an email to ZDNet, the IAAF said the TUE data of the more than 80 athletes who’ve applied for TUEs since 2012 appears to have been compromised.
The IAAF added that the intent of the hackers was to “access the TUE data”, which “seems to have been removed from the server” by unauthorised outsiders. All affected athletes have been contacted about the breach and provided with a dedicated email address for any questions.
“Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential,” said IAAF President Sebastian Coe.
“They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation and work with the world’s best organisations to create as safe an environment as we can.”
This cyberattack was discovered by cybersecurity personnel from Context Information Security who had been undertaking a ‘technical investigation’ across IAAF systems since the beginning of January.
“Throughout the investigation, the IAAF have understood the importance and impact of the attack and have provided us comprehensive assistance. This has been critical in allowing us to both quickly identify the nature of the intrusion and to provide a full and diligent resolution,” said a Context Information Security spokesperson.
In the time since the attack was discovered, the IAAF has consulted the UK’s National Cyber Security Centre (NCSC) and the Agence Monégasque de Sécurité Numérique in Monaco in order to “carry out a complex remediation across all systems and servers in order to remove the attackers’ access to the network”.
In an email statement to ZDNet, the NCSC confirmed it has been working with the IAAF and praised the organisation’s response to the attack.
“We are aware of the cyber incident which the IAAF have made public. The NCSC have been providing assistance at the request of the IAAF. We commend the IAAF’s proactive decision to hire ContextIS, an NCSC approved company to help deal with this cyber attack,” said an NCSC spokesperson.
At the time of writing the hackers have yet to claim responsibility for this latest attack.