{
	"id": "58242912-bf46-4161-bda8-fe6fb87a6cf3",
	"created_at": "2026-04-06T00:09:28.439311Z",
	"updated_at": "2026-04-10T03:37:50.779865Z",
	"deleted_at": null,
	"sha1_hash": "ea4ee328adc9db6598d96d4c390cd1907b0fb49c",
	"title": "Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38344,
	"plain_text": "Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say\r\nBy Hyacinth Mascarenhas\r\nPublished: 2016-08-23 · Archived: 2026-04-05 21:50:44 UTC\r\nThe same hackers who infiltrated the World Anti-Doping Agency (WADA) website after its damning report on the\r\nRussian government's major cover-up of doping during the 2014 Sochi Games is likely the team behind the breach\r\nof the Democratic National Committee in July, cybersecurity experts said. WADA's nearly 100-page report\r\nresulted in a ban on Russian athletes from this summer's Rio Olympics.\r\nResearchers at Arlington-based cybersecurity firm ThreatConnect believe that the cybercriminals behind the\r\nbreach were part of the decade-old Russian hacking group \"Fancy Bear.\" Last week, WADA and the Court of\r\nArbitration for Sport (CAS) said they were targeted by hackers with so-called phishing emails sent to users of the\r\ndatabase claiming to be official WADA communications requesting their login credentials.\r\nAfter reviewing the two domains provided in the WADA alert, the researchers found that \"the sites were recently\r\nregistered and their registration and hosting information are consistent with Russian Fancy Bear tactics,\r\ntechniques and procedures (TTPs)\". They also identified another domain registered by the same threat actors that\r\nspoofs the official CAS domain.\r\nThreatConnect director of research operations Toni Gidwani told The Guardian that the cybersecurity team\r\nbelieves the attack was also a form of retaliation against Yuliya Stepanova, the Russian runner and doping\r\nwhistleblower who helped uncover the state-sponsored doping scandal. The middle-distance runner, whose\r\nWADA and email accounts were hacked on 13 August, was called \"Judas\" by Vladimir Putin. 
Stepanova was then\r\nforced to go into hiding in the United States with her husband Vitaly, a former Russian anti-doping official.\r\n\"They attacked her email, they got her records out of WADA,\" Gidwani said. \"There's very much a retaliatory\r\naspect to it and a way of intimidating anybody who might be thinking about speaking out.\"\r\nThe firm also noted that both the phishing and Stepanova's compromise are likely a part of \"targeted activity by\r\nRussian actors in response to the whistleblower and the WADA's recommendation to ban all Russian athletes from\r\nthe Olympic and Paralympic games\" in Rio.\r\n\"Successful operations against these individuals and organisations could facilitate Russian efforts to privately or\r\npublically intimidate them or other potential whistleblowers,\" ThreatConnect researchers wrote in a blog post. \"At\r\nthis time, we are skeptical of @anpoland's origins but cannot determine the extent to which, if any, they are a\r\nRussian platform similar to Guccifer 2.0 or DCLeaks.\"\r\nThreatConnect added that the recent hack highlights the strong, long-running connection between sports and\r\nRussian political figures, saying they expect to see more Russian cyberattacks targeting Professor Richard\r\nMcLaren and Dr Grigory Rodchenkov who were key sources in the doping scandal investigation.\r\n\"Russian activity targeting these organisations is an important example of how Russia responds to wide-reaching\r\ncurrent events that have negative implications for Moscow,\" the firm noted. \"Organisations involved in such\r\nevents can reasonably expect to experience targeted Russian cyber operations that ultimately facilitate retaliatory\r\ninfluence or propaganda efforts against them. 
Knowledge of this TTP, and others associated with Russian APT\r\nactivity, can help those organisations augment their security posture and defend against such retaliation.\"\r\nMultiple cybersecurity firms including CrowdStrike and ThreatConnect have provided evidence linking the\r\nRussian government to the DNC infiltration reportedly carried out by hacker groups Cosy Bear and Fancy Bear.\r\nFollowing a brief Twitter suspension, 'lone wolf' hacker Guccifer 2.0, who also claimed responsibility for the\r\nDNC hack, recently released more files, memos and dossiers from the Democratic Congressional Campaign\r\nCommittee (DCCC).\r\nThe Kremlin, on the other hand, has vehemently denied playing any role in the hacks.\r\nSource: http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508"
	],
	"report_names": [
		"russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434168,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea4ee328adc9db6598d96d4c390cd1907b0fb49c.pdf",
		"text": "https://archive.orkl.eu/ea4ee328adc9db6598d96d4c390cd1907b0fb49c.txt",
		"img": "https://archive.orkl.eu/ea4ee328adc9db6598d96d4c390cd1907b0fb49c.jpg"
	}
}