Why (I believe) WADA was not hacked by the Russians
Disclaimer: This is my personal opinion. I am not an expert in attribution. But as it turns out, not many people in the world are good at attribution. I know this post lacks real evidence and is mostly based on speculation.
Let’s start with the main facts we know about the WADA hack, in chronological order:
- Some point in time (August - September 2016), the WADA database has been hacked and exfiltrated
Domain Name: FANCYBEAR.NET ... Updated Date: 18-sep-2016 Creation Date: 01-sep-2016
The Threatconnect analysisThe only technical analysis on why Russia was behind the hack, can be read here: https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/ After reading this, I was able to collect the following main points:
- It is Russia because Russian APT groups are capable of phishing
- It is Russia because the phishing site "wada-awa[.]org was registered and uses a name server from ITitch[.]com, a domain registrar that FANCY BEAR actors recently used"
- It is Russia because "Wada-arna[.]org and tas-cass[.]org were registered through and use name servers from Domains4bitcoins[.]com, a registrar that has also been associated with FANCY BEAR activity."
- It is Russia, because "The registration of these domains on August 3rd and 8th, 2016 are consistent with the timeline in which the WADA recommended banning all Russian athletes from the Olympic and Paralympic games."
- It is Russia, because "The use of 1&1 mail.com webmail addresses to register domains matches a TTP we previously identified for FANCY BEAR actors."
- Malware sharing same code attributed to Fancy Bear (where the code is not publicly available or circulating on hackforums)
- Private servers sharing the IP address with previous attacks attributed to Fancy Bear (where the server is not a hacked server or a proxy used by multiple parties)
- E-mail addresses used to register the domain attributed to Fancy Bear
- Many other things
The fancybear websiteIt is quite unfortunate that the analysis was not updated after the documents have been leaked. But let's just have a look at the fancybear . net website, shall we?
The GuardianThe only other source I was able to find is from The Guardian, where not just one side (it was Russia) was represented in the article. It is quite unfortunate that both experts are from Russia - so people from USA will call them being not objective on the matter. But the fact that they are Russian experts does not mean they are not true ... https://www.theguardian.com/sport/2016/sep/15/fancy-bears-hackers--russia-wada-tues-leaks Sergei Nikitin: “We don’t have this in the case of the DNC and Wada hacks, so it’s not clear on what basis conclusions are being drawn that Russian hackers or special services were involved. It’s done on the basis of the website design, which is absurd,” he said, referring to the depiction of symbolically Russian animals, brown and white bears, on the “Fancy Bears’ Hack Team” website. I don't agree with the DNC part, but this is not the topic of conversation here. Alexander Baranov: "the hackers were most likely amateurs who published a “semi-finished product” rather than truly compromising information. “They could have done this more harshly and suddenly,” he said. “If it was [state-sponsored] hackers, they would have dug deeper. Since it’s enthusiasts, amateurs, they got what they got and went public with it.”"
The @anpoland side-trackFirst please check the tas-cas.org hack https://www.youtube.com/watch?v=day5Aq0bHsA , I will be here when you finished it. This is a website for "Court of Arbitration for Sport’s", and referring to the Threatconnect post, "CAS is the highest international tribunal that was established to settle disputes related to sport through arbitration. Starting in 2016, an anti-doping division of CAS began judging doping cases at the Olympic Games, replacing the IOC disciplinary commission." Now you can see why this attack is also discussed here.
- My bet is that this machine was set-up for these @anpoland videos only. Whether google.ru is a false flag or it is real, hard to decide. It is interesting to see that there is no google search done via google.ru, it is used only once.
- The creator of the video can't double click. Is it because he has a malfunctioning mouse? Is it because he uses a virtualization console, which is near-perfect OPSEC to hide your real identity? My personal experience is that using virtualization consoles remotely (e.g. RDP) has very similar effects to what we can see on the video.
- The timeline of the Twitter account is quite strange, registered in 2010
- I agree with the Threatconnect analysis that this @anpoland account is probably a faketivist, and not an activist. But who is behind it, remains a mystery.
- Either the "activist" is using a whonix-like setup for remaining anonymous, or a TOR router (something like this), or does not care about privacy at all. Looking at the response times (SQLmap, web browser), I doubt this "activist" is behind anything related to TOR. Which makes no sense for an activist, who publishes his hack on Youtube. People are stupid for sure, but this does not add up. It makes sense that this was a server (paid by bitcoins or stolen credit cards or whatever) rather than a home computer.
The mysterious Korean characters in the HTML source
The Russians are denying it
AttributionLet me sum up what we know: It makes sense that the WADA hack was done by Russia, because:
- Russia being almost banned from the Olympics due to doping scandal, it made sense to discredit WADA and US Olympians
- There are multiple(weak) pieces of evidence which point to Russia
- By instantly attributing the hack to the Russians, the story was more about to discredit Russia than discrediting WADA or US Olympians.
- In reality, there was no gain for Russia for disclosing the documents. Nothing happened, nothing changed, no discredit for WADA. Not a single case turned out to be illegal or unethical.
Altering the leaked documents makes no sense if it was Russia(see update at the end). Altering the leaked documents makes a lot of sense if it was not Russia. Because from now on, people can always state "these leaks cannot be trusted, so it is not true what is written there". It is quite cozy for any US organization, who has been hacked or will be hacked. If you are interested in the "Russians forging leaked documents" debate, I highly recommend to start with this The Intercept article
- If the Korean characters were false flags planted by the Russians, why would they remove it? If it had been Russian characters, I would understand removing it.
- All evidence against Russia is weak, can be easily forged by even any script kittie.
Questions and answers
- Was Russia capable of doing this WADA hack? Yes.
- Was Russia hacking WADA? Maybe yes, maybe not.
- Was this leak done by a Russian state-sponsored hacker group? I highly doubt that.
- Is it possible to buy an attribution-dice where all six-side is Russia? No, it is sold-out.