Cyber Incident Victim: International Ski Federation

Date: Oct 2017

Location: Netherlands

Summary

The International Ski Federation was targeted by the Pawn Storm threat actor group in a credential phishing campaign alongside other Olympic winter sports organizations, leveraging politically motivated tactics to compromise accounts. Attackers employed social engineering techniques like fake password expiration alerts and spoofed file-sharing notifications to harvest credentials, potentially enabling further data exfiltration from email systems. This activity coincided with geopolitical tensions involving Olympic sanctions and mirrored prior intrusions against sports governance entities, indicating persistent efforts to infiltrate organizations linked to international athletic events.

Description

In the second half of 2017, the advanced persistent threat group Pawn Storm conducted a series of cyberespionage operations targeting multiple International Olympic Wintersport Federations, including the International Ski Federation (FIS). These attacks occurred against the backdrop of heightened geopolitical tensions following the lifetime bans imposed on several Russian Olympic athletes in fall 2017. Pawn Storm employed credential phishing and spear phishing tactics against these organizations, mirroring their established pattern of politically motivated campaigns observed since 2015. The group registered domain names specifically crafted to mimic legitimate services, including "fisski[.]ca" designed to resemble FIS infrastructure. Attackers sent deceptive emails pretending to be system notifications about expired passwords or new file shares on platforms like Microsoft Exchange and OneDrive, attempting to harvest login credentials through counterfeit authentication pages. This consistent methodology aligned with Pawn Storm's historical operations against organizations such as the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS) in 2016, where stolen data had been strategically leaked to influence media narratives.

The campaign against winter sports federations demonstrated Pawn Storm's operational discipline, utilizing recurring techniques like tabnabbing, a method first observed in their 2014 operations in which browser tabs were silently redirected to phishing sites after users became distracted. While the specific impact on FIS remains undisclosed in available sources, credential compromise typically enabled subsequent stages of data exfiltration from email systems and internal networks, as evidenced in Pawn Storm's prior attacks against political organizations. The timing coincided with sensitive deliberations regarding Russian athlete eligibility for upcoming Olympic events. Cybersecurity researchers successfully intervened in parallel attacks against a Netherlands-based NGO during October-November 2017, issuing warnings that prevented credential theft, though no similar protective actions were documented for the winter sports targets. The operation formed part of a broader pattern of Pawn Storm activity that included election interference attempts, such as phishing campaigns against Iranian webmail users during the May 2017 presidential elections, maintaining the group's focus on high-profile political and sporting events.