Cyber Brief on Russian APTs at the Olympics

The Olympic Games are being held in Tokyo, Japan, during the summer of 2020. In light of widespread concerns about a potential cyber threat from Russia, the Cyber Vault is posting a variety of primary-source documents and other materials that offer additional context to the issues.

Russia is currently in danger of being suspended from the Olympics for the second consecutive time due to allegations the country forged medical documents and paperwork relating to fake athlete clinics. Given the operations by Russian-affiliated advanced persistent threats (APTs) during the PyeongChang 2018 Winter Olympic Games, there are credible expectations for cyberattacks in Tokyo. Coordinated cyber campaigns on past Games and affiliated organizations have been traced back to Russian intrusion sets, including APT actors Sofacy and Turla Group (also known as Fancy Bear and Venomous Bear, respectively).

This is of course in addition to the allegations by U.S. and other intelligence agencies that Russian state-sponsored hacking groups have interfered in foreign elections, run spear phishing and watering hole attacks, spread complex malware, and conducted distributed denial of service (DDoS) attacks.

Furthermore, the minister of state for the Tokyo Olympic and Paralympic Games, Yoshitaka Sakurada (also the former deputy chief of the government’s cyber-security strategy office), confessed last year at a cabinet meeting he has never used a computer before. While this admission has caused concern over the state of cyber defenses for the 2020 Games, the Host City Contract for the XXXII Olympiad and its related amendments demonstrate that Japan has in fact been preparing for the event for years. Sakurada has since been removed from his position and, as of April 2019, has been replaced by previous Olympics minister Shun’ichi Suzuki.

A brief timeline relating to the documents and materials in this posting follows:

Beginning at the London (2012) and Sochi (2014) Games, Russian athletes were found to be involved in state-organized doping (performance-enhancing drugs) activity. Investigators discovered evidence that athletes had frequently swapped clean urine samples to pass WADA qualifying tests. The subsequent investigative report, the McLaren Report, was released only days before the Olympic Games in Rio in 2016, and led to several medals being reclaimed from athletes. Additionally, the report identifies ministers, advisors, and directors who were suspended and eventually discharged from office due to its findings.
As a result of their athletes’ doping violations, Russia was suspended from participating at the 2018 Winter Olympic Games in South Korea by the IOC. No officials from the Russian government were permitted to attend, though a select few athletes were allowed to compete under the neutral designation “Olympic Athlete From Russia.”
Analysts have attributed cyberattacks against the 2018 Winter Olympics to Russian actors, despite attacker attempts to masquerade as North Korean hackers. It is thought the attacks were in response to Russia’s suspension, though a false-flag operation would be a questionable choice if the goal was to send a political message.
In late 2018, the United States indicted seven Russian GRU military intelligence officers for attempting, while in the Netherlands, to hack into WADA as well as other agencies and federations. A federal indictment has charged them with conspiring to commit computer fraud, wire fraud, money laundering, and aggravated identity theft. The indictment and related documents contain details on the GRU operations and the officers conducting them.

This posting includes documents pertaining to the Tokyo 2020 Olympics, the International Olympic Committee’s (IOC) anti-doping rules, the World Anti-Doping Agency’s (WADA) investigation into Sochi allegations, and the DOJ’s indictment of GRU officers.