Cyber Incident Victim: World Athletics
Date: Feb 2017
Location: Switzerland
Summary
The International Association of Athletics Federations suffered a cyber attack attributed to the Fancy Bear hacking group, compromising athletes' confidential medical records related to Therapeutic Use Exemptions. The breach targeted stored data from exemption applications, with affected athletes notified and the organization issuing apologies for the security failure. Context Information Security detected the sophisticated intrusion during a proactive investigation, noting attackers had persistent access to sensitive files. This incident mirrored prior operations by the same group against anti-doping entities, highlighting risks to athlete privacy and institutional data integrity.
Description
The International Association of Athletics Federations (IAAF) disclosed a cyber attack on April 3, 2017, involving unauthorized access to athletes' confidential medical records. The breach, attributed to the hacking group Fancy Bear (also known as APT28), occurred in February 2017 and specifically targeted Therapeutic Use Exemption (TUE) applications submitted by athletes since 2012. TUEs allow competitors to use otherwise banned substances for verified medical conditions under strict regulatory oversight. The IAAF detected the intrusion during a proactive investigation conducted by cybersecurity firm Context Information Security, which it had engaged to audit its systems. Forensic analysis revealed attackers had accessed a file server containing TUE records and transferred data to a newly created file, demonstrating both access and extraction capability. While the IAAF could not confirm whether data was exfiltrated, it assessed the activity indicated clear intent to acquire sensitive medical information. The organization promptly notified all affected athletes and issued a public apology through President Sebastian Coe, who emphasized commitments to securing confidential data and remediating harm. Context Information Security characterized the breach as a "sophisticated intrusion," acknowledging the IAAF's cooperation during the investigation. Western security experts and U.S. officials linked Fancy Bear to Russia's GRU military intelligence agency, noting the group's history of targeting sports organizations.

This incident mirrored Fancy Bear's 2016 hack of the World Anti-Doping Agency (WADA), which resulted in the publication of athletes' private medical files, including those of cyclist Bradley Wiggins. The IAAF breach occurred against the backdrop of ongoing tensions between global sports bodies and Russia, following the IAAF's 2015 suspension of Russia's athletics federation for state-sponsored doping violations that excluded most Russian athletes from the 2016 Rio Olympics. Although no leaked IAAF data had been publicly disseminated by the disclosure date, the attack underscored persistent vulnerabilities in protecting athlete medical privacy. The compromise raised concerns about potential exploitation of TUE records to undermine confidence in anti-doping systems or target individual competitors. Context Information Security's involvement highlighted the IAAF's post-incident efforts to assess damage, though technical specifics about attack vectors or network vulnerabilities remained undisclosed. The incident reinforced patterns of cyber operations against international sports organizations during periods of heightened scrutiny over Russian eligibility in global competitions.
