The World Anti-Doping Agency has played down a report by the McAfee security company which describes breaches of computer security, saying that it has no reason to believe that any sensitive data was accessed by hackers during the period in question. It states that the ADAMS system, which plots the whereabouts of athletes, remains secure, and that an investigation is ongoing.
According to the McAfee report, the Canada-based agency was first compromised in August 2009, and continued to be exposed for over a year after that. The report, entitled Operation Shady RAT (Remote Access Tool), traced intrusions across a range of entities, and determined that at least 72 key ‘companies, governments and non-profit organizations’ had been affected.
“McAfee has gained access to one specific Command & Control server used by the intruders,” stated Dmitri Alperovitch, McAfee’s vice president of threat research, in speaking of the wider attacks.
“The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware,” he stated.
“That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.”
He said that the log collection began in mid-2006, but that intrusions may have been taking place before that time. The report says that WADA itself was not affected until August 2009.
WADA: ‘no evidence’ intrusions took place
Responding to the report, the World Anti-Doping Agency has confirmed that an investigation is being carried out. However, it disputes the suggestion that its systems were breached.
“Following the release of the McAfee white paper on Operation Shady Rat, WADA can confirm that it has been in communication with McAfee and is investigating thoroughly the reported cyber intrusions,” said its director general David Howman.
“WADA has a highly-sophisticated security system in place which is managed by ISS (IBM), and with the information available to it ISS has to date found no evidence of this corruption.
“In February 2008 WADA experienced a security breach of its email system and consequently filed a complaint with the Quebec State Police and co-operated with an FBI investigation. Nothing was compromised and following the intrusion WADA’s security experts upgraded the Agency’s firewalls.
“WADA’s Anti-Doping Administration & Management System (ADAMS), which is on a completely different server to WADA’s emails, has never been compromised and remains a highly-secure system for the retention of athlete data.
“At this stage, WADA has no evidence from its security experts of the intrusions as listed by McAfee and the Agency has yet to be convinced that they took place.”
The Shady RAT report lists a wide range of affected parties, including the United Nations, government agencies from the US, Canada, South Korea and Taiwan, companies from a range of countries, the International Olympic Committee, national Olympic Committees and others.
With respect to the breaches of the sporting bodies, the McAfee report points towards a likely suspect. “The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks.”
Elsewhere in the report, Alperovitch makes it clear that the attacks most likely came from a single source. “Although Shady RAT’s scope and duration may shock those who have not been as intimately involved in the investigations into these targeted espionage operations as we have been, I would like to caution you that what I have described here has been one specific operation conducted by a single actor/group.”
Jim Lewis, a cyber expert with the Center for Strategic and International Studies, told Reuters that China is the prime suspect. "Everything points to China. It could be the Russians, but there is more that points to China than Russia."
China has been accused in the past of ‘cyber ops,’ and Lewis added that the presence of the IOC and the Taiwanese government on the list of victims is a further indication that the government there may be involved. However, Alperovitch declined to identify whether or not the attacks came from China or elsewhere. "We're not really in the business of attribution," he said.