
Cyber Incident Victim: International Biathlon Union

Date: Jan 2017

Location: Russia

Summary

The International Biathlon Union was targeted by the Pawn Storm threat actor group in a credential phishing campaign using deceptive emails and fake login pages. This espionage group, known for politically motivated attacks, employed tactics like tabnabbing to steal credentials, potentially compromising sensitive communications and data. The targeting of winter sports federations coincided with geopolitical tensions related to Olympic bans, suggesting an intent to gather intelligence or influence narratives. While direct operational disruption wasn't reported, the incident exposed the organization to risks of data exfiltration and unauthorized access to internal systems, consistent with the group's prior compromises of sports-related entities.


Description

In the second half of 2017, the advanced persistent threat group Pawn Storm conducted cyberespionage operations targeting multiple International Olympic Wintersport Federations, including the International Biathlon Union (IBU). The attacks occurred against the backdrop of lifetime bans imposed on several Russian Olympic athletes in fall 2017, following earlier successful compromises of sports organizations like the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS) in 2016. Pawn Storm employed credential phishing techniques through domains specifically crafted to mimic legitimate services, including "mail-ibu[.]eu" designed to target IBU infrastructure. The group sent deceptive emails pretending to be system notifications about expired passwords or new file shares on platforms like Microsoft Exchange and OneDrive. These social engineering attempts aimed to harvest credentials that could enable further intrusions into email systems and sensitive data repositories.


The campaign against winter sports federations demonstrated Pawn Storm's established pattern of politically motivated cyber operations, mirroring their simultaneous attacks on political organizations in Iran during its May 2017 presidential elections and ongoing targeting of entities in France, Germany, Montenegro, Turkey, Ukraine, and the United States. While technical specifics of IBU's system compromises weren't detailed, credential phishing typically facilitates unauthorized email access, data exfiltration, and potential influence operations through stolen information. Cybersecurity firm Trend Micro monitored these activities and intervened in comparable attacks against a Netherlands-based NGO during October-November 2017, successfully preventing damage through rapid phishing site detection and preemptive warnings issued before the malicious emails were sent. The IBU targeting aligned with Pawn Storm's historical interest in sports organizations during periods of heightened geopolitical tension around international athletic competitions.
