WADA said in a statement that the hacking group was able to access passwords to its Rio Olympic database via spear-phishing, the practice by which computers are infected after a user opens an email that is thought to be from a trusted source.
“WADA deeply regrets this situation and is very conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act,” Director General Olivier Niggli said in the statement. “We are reaching out to stakeholders … regarding the specific athletes impacted.”
The data release comes as the FBI is conducting a broad investigation into Russian government hacking and influence operations in the United States, including a possible effort to undermine confidence in the U.S. elections. The latest incident appears to be part of a larger campaign of strategic releases of hacked material by the Russian government to embarrass victims or raise doubts about their integrity, analysts said.
It comes after nearly every member of that country’s track and field team was banned from this year’s Olympics after numerous investigations uncovered a widespread, government-run doping scheme that dated back years.
“They’re trying to sow doubt over the integrity of the individual athletes and the various Olympic bodies and watchdog groups,” said Rich Barger, chief information officer at ThreatConnect, a cybersecurity company. “It’s just ultimately sour grapes. What we’re seeing here is a digital temper tantrum.”
The information released mostly involves Therapeutic Use Exemptions, situations in which WADA allows athletes to take certain banned substances if they’re used to treat legitimate medical issues.
In a statement to Newsweek, the International Olympic Committee said none of the athletes mentioned in the hack had done anything wrong.
“The IOC strongly condemns such methods which clearly aim at tarnishing the reputation of clean athletes,” the organization said. “The IOC can confirm, however, that the athletes mentioned did not violate any anti-doping rules during the Olympic Games Rio 2016.”
The hacking group, which is known as Fancy Bear or APT28, works for the military intelligence service GRU. It was one of two Russian spy groups that hacked the Democratic National Committee and may be linked to the release of embarrassing DNC emails by WikiLeaks in July. It has also been active in propaganda operations, researchers say. And last year it hacked the French TV5Monde station, knocking the network off the air for 18 hours in April 2015.
In its statement, WADA said one of the victims whose password was stolen was Yuliya Stepanova, a whistleblower who exposed widespread doping in Russia athletics.
“We will start with the U.S. team which has disgraced its name by tainted victories,” the group said on a website that exposed the hacked WADA documents. “We will also disclose exclusive information about other national Olympic teams later. Wait for sensational proof of famous athletes taking doping substances any time soon.”