The International Association of Athletics Federations (IAAF) has been hacked by the shadowy ‘Fancy Bears’ group, officials said Monday, warning that athletes’ data may be compromised.
The Monaco-based organization believes that hackers accessed athletes’ Therapeutic Use Exemption (TUE) applications stored on its servers. Athletes make TUE applications when they need to use medications on the World Anti-Doping Agency (WADA) prohibited list.
“Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential,” said IAAF President Sebastian Coe, in a statement. “They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation and work with the world’s best organisations to create as safe an environment as we can.”
The attack was detected during an investigation by cybersecurity firm Context Information Security, which noted that unauthorized remote access to the IAAF network took place on Feb. 21. Metadata on athlete TUEs was collected from a file server and stored in a newly created file. “It is not known if this information was subsequently stolen from the network, but it does give a strong indication of the attackers’ interest and intent, and shows they had access and means to obtain content from this file at will,” said the IAAF, in its statement.
The IAAF has been working with the U.K. National Security Centre (NCSC), the Agence Monégasque de Sécurité Numérique (Monaco AMSN) and Context to resolve the issue and remove the hackers’ access to its systems. The work was completed over the weekend, it said.
WADA has previously said Fancy Bears originate from Russia, citing information from law enforcement agencies.
Russian officials have denied any links with Fancy Bears, but have praised the group’s previous publications, which they say undermined Western countries’ criticism of widespread use of banned substances by Russians. The IAAF banned Russia’s team from competing internationally in 2015 after investigations by WADA found evidence of state-sponsored doping.
Fancy Bears began posting medical records of Olympians online last year, with U.S. and British athletes making up a large proportion of those targeted. Only selected records were released, and no Russians with TUEs were named, even though records show dozens of TUEs had been granted there in recent years.
Last year two U.S. cybersecurity companies cited the hacking group, which is also known as APT 28, as a likely perpetrator of the high-profile DNC hack.
As of Monday, Fancy Bears’ website contained no mention of IAAF information.
The Associated Press contributed to this report.