WADA hack – Fancy Bears are out spear-phishing for fame
I like sport. So naturally, I enjoyed the recent Olympic games very much, especially looking at the amazing marvel that is called Simone Biles – she is unbelievable.
Now we hear that this superstar gymnast has been using forbidden substances, with approval from WADA (World Anti-Doping Agency) for medical reasons.
Sure, no law has been broken (and she’s still awesome). However, I’m sure WADA (and some other leading athletes world-wide – the list gets longer by the day) didn’t want to have this information leaking out to public knowledge.
And so we’ve come to learn about the above information as a result of a hack done by a group referred to as “Fancy Bears” (aka Tzar Team or APT28). Based on WADA’s message, the group “illegally gained access to WADA’s Anti-Doping Administration and Management System (ADAMS) database via an International Olympic Committee (IOC)-created account for the Rio 2016 Games.” Based on initial forensics by a source closely related to the case, the access to ADAMS was obtained through spear-phishing of email accounts to obtain credentials to ADAMS, and once passwords to the system had been obtained, “the group accessed athlete data, including confidential medical data”.
Seriously? Accounts maintenance 101…
So, what can we learn here? Well, a few things:
1. Hackers will hack. This is not new: it has happened in the past and will continue to happen in the future. Each group has its own motivations and goals, but everyone is a potential target, especially those that can make headlines, as these groups usually like the publicity.
2. Organizations have to manage permissions and access to sensitive data on a regular basis. To do that, they need an easy, accessible way to centrally control access to data, because we all know that if it’s too much work or too time-consuming, chances are it will not happen. In this case, the accounts used for the hack were created for the 2016 Rio Olympics; once the games are over, you have to either kill those accounts or block their access to such sensitive data.
3. Even with proper permissions and access controls, a hacker can take advantage of privileged accounts. To properly protect such sensitive data, any organization with medical, personal, financial or any other personal information needs to start monitoring who is accessing which data and when.
Using the right tools, WADA could have easily prevented this fiasco in several stages prior to the hackers’ publications:
1. Education – educated employees are less susceptible to phishing and spear-phishing emails. Testing employees regularly is a great way to make sure that they are constantly aware of the risk.
2. Permissions and Access Control – the accounts used for this hack should have been terminated immediately once expired.
3. Masking of sensitive data – I’m sure only a handful of people had access to the medical records of athletes within WADA and the third parties it worked with. Most of them didn’t really need it for their day-to-day job, so the best practice in this case would be to mask this information unless it is specifically required for a specific task. That would ensure that even if someone gains unauthorized access, as in the case in question, the sensitive data would not have been accessible without extra permissions.
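As an added illustration of points 2 and 3 above (expiring event-bound accounts, masking sensitive fields by default, and auditing every access so you can later say exactly what was seen), here is example Python that is not WADA’s, ADAMS’s or SecuPi’s code. The athlete records, account names, roles, dates and the “medical_reviewer plus stated purpose” unmasking rule are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: fictional athletes and a fictional medical field ("tue",
# therapeutic use exemption). Real ADAMS schema is not known here.
ATHLETE_RECORDS = {
    "ath-001": {"name": "Athlete A", "sport": "gymnastics",
                "tue": "TUE-2016-0001: stimulant, approved"},
    "ath-002": {"name": "Athlete B", "sport": "tennis",
                "tue": "TUE-2016-0002: corticosteroid, approved"},
}
SENSITIVE_FIELDS = {"tue"}   # masked unless explicitly unlocked
AUDIT_LOG = []               # every access attempt, allowed or denied, lands here

# Constructed dates: an event account valid through the (assumed) closing of the
# games, and a later date on which someone tries to reuse it.
RIO_CLOSING = date(2016, 8, 21)
DURING_RIO = date(2016, 8, 15)
AFTER_RIO = date(2016, 9, 13)


@dataclass
class Account:
    username: str
    roles: frozenset
    expires: Optional[date] = None   # None means a permanent account
    disabled: bool = False


def make_sample_accounts() -> dict:
    """Constructed sample accounts: an event-bound account created for Rio 2016
    and a permanent account for a medical reviewer."""
    return {
        "rio-2016-ioc": Account("rio-2016-ioc", frozenset({"event_staff"}), expires=RIO_CLOSING),
        "med-reviewer": Account("med-reviewer", frozenset({"medical_reviewer"})),
    }


def is_active(account: Account, today: date) -> bool:
    """An account is usable only if it is not disabled and not past its expiry date."""
    return not account.disabled and (account.expires is None or today <= account.expires)


def expire_accounts(accounts, today: date) -> list:
    """Disable every event-bound account whose expiry has passed (the scheduled
    clean-up job point 2 calls for). Returns the usernames that were disabled."""
    disabled = []
    for acct in accounts:
        if acct.expires is not None and today > acct.expires and not acct.disabled:
            acct.disabled = True
            disabled.append(acct.username)
    return disabled


def mask(value: str) -> str:
    """Replace a sensitive value entirely; no partial leakage of its contents."""
    return "***MASKED***"


def get_athlete(account: Account, athlete_id: str, today: date, purpose: str = "") -> dict:
    """Return an athlete record. Sensitive fields stay masked unless the caller holds
    the medical_reviewer role AND states a purpose (assumed policy). Every attempt,
    including denied ones, is written to AUDIT_LOG before returning."""
    entry = {"user": account.username, "athlete": athlete_id, "date": today.isoformat(),
             "purpose": purpose, "allowed": False, "unmasked": False}
    if not is_active(account, today):
        AUDIT_LOG.append(entry)
        raise PermissionError(f"account {account.username} is expired or disabled")
    record = dict(ATHLETE_RECORDS[athlete_id])   # copy; never hand out the stored dict
    unmasked = "medical_reviewer" in account.roles and bool(purpose.strip())
    for field_name in SENSITIVE_FIELDS:
        if field_name in record and not unmasked:
            record[field_name] = mask(record[field_name])
    entry.update(allowed=True, unmasked=unmasked)
    AUDIT_LOG.append(entry)
    return record


def sensitive_exposures() -> list:
    """Audit query: which users saw unmasked sensitive fields, and for which athletes.
    This is the answer to 'what exactly was accessed' after an incident."""
    return [(e["user"], e["athlete"]) for e in AUDIT_LOG if e["unmasked"]]


def denied_attempts() -> list:
    """Audit query: access attempts with expired or disabled accounts (a detection signal)."""
    return [(e["user"], e["athlete"]) for e in AUDIT_LOG if not e["allowed"]]


if __name__ == "__main__":
    accts = make_sample_accounts()
    print(get_athlete(accts["rio-2016-ioc"], "ath-001", DURING_RIO))      # tue masked
    print(expire_accounts(accts.values(), AFTER_RIO))                      # ['rio-2016-ioc']
    try:
        get_athlete(accts["rio-2016-ioc"], "ath-001", AFTER_RIO)
    except PermissionError as err:
        print("denied:", err)
    print(get_athlete(accts["med-reviewer"], "ath-002", AFTER_RIO, purpose="TUE review"))
    print("exposures:", sensitive_exposures(), "denied:", denied_attempts())
```

The design point is that masking is the default and unmasking is the exception that leaves a trace: a stolen password for an event-staff account yields only masked records, an expired account yields nothing and a denied-access audit entry, and the exposure query answers the “what was accessed and what not” question the press release could not.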
One last thing – in their press release, WADA says: “At present, we have no reason to believe that other ADAMS data has been compromised”. Had they used the right tools, such as SecuPi, and audited every access to sensitive data, they would not only have been able to prevent this matter altogether, but would also know exactly what was accessed and what was not, so we wouldn’t be sitting around waiting to see which athletes’ sensitive medical or personal information is about to leak next.