Date: Dec 2017

Location: Russia

Summary

The International Bobsleigh and Skeleton Federation was targeted by the Pawn Storm threat actor group in a credential phishing campaign alongside other Olympic winter sports organizations. Attackers employed deceptive emails and fraudulent login pages to steal credentials, potentially enabling further data exfiltration. This activity coincided with disciplinary actions against Russian athletes, mirroring prior compromises of anti-doping and sports arbitration entities where stolen data was leveraged to influence media coverage. The group's persistent operations against political and sports targets demonstrate a pattern of exploiting high-profile events for strategic information gathering and propaganda dissemination.


Description

In the second half of 2017, the advanced persistent threat group Pawn Storm conducted a series of cyberespionage campaigns targeting multiple International Olympic Wintersport Federations, including the International Bobsleigh and Skeleton Federation (IBSF). These attacks occurred against the backdrop of the International Olympic Committee's November 2017 decision to ban several Russian athletes for life from Olympic competition due to doping violations. The threat actors employed credential phishing tactics, creating counterfeit login pages designed to mimic legitimate services. Specifically for IBSF, they registered the domain "webmail-ibsf[.]org" to impersonate the federation's webmail system. This followed Pawn Storm's established pattern of targeting sports organizations, having previously compromised the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS) in 2016. The group sent spear phishing emails containing links to these fraudulent sites, using social engineering techniques such as fake password expiration notices and fabricated file-sharing alerts to trick recipients into disclosing their credentials. These attacks formed part of a broader campaign that also targeted other winter sports federations including the International Ski Federation, International Biathlon Union, and International Luge Federation, with additional malicious domains like "fil-luge[.]com" and "biathlovvorld[.]com" created for credential harvesting.


The compromise of organizational email credentials created pathways for subsequent data exfiltration and potential influence operations. While specific impacts on IBSF were not publicly detailed, historical precedent from Pawn Storm's 2016 WADA breach demonstrated their capability to leverage stolen data for media manipulation, having previously disseminated compromised information to news outlets. Security researchers at Trend Micro detected these phishing operations in real time, documenting the infrastructure and tactics. In parallel incidents targeting other organizations, such as a Dutch NGO attacked during the same period, researchers successfully intervened by alerting victims before phishing emails were distributed and facilitating takedowns of malicious sites within hours of their creation. The technical indicators from these campaigns revealed persistent reuse of infrastructure and techniques across multiple targets, with the group maintaining operational consistency through carefully planned attack sequences. No public disclosures confirmed whether IBSF's systems were fully breached or what specific data may have been accessed, but the credential phishing attempts represented an initial intrusion vector consistent with Pawn Storm's objective of penetrating high-profile sports organizations during periods of geopolitical tension surrounding Olympic eligibility decisions.
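The three phishing domains named above each use a different lookalike pattern, so a monitor that screens newly registered domains needs a separate check for each. The sketch below is an added example, not taken from the original report or from Trend Micro; the legitimate domains in `LEGIT` and the `SERVICE_WORDS` list are assumptions that do not appear on the page.

```python
# Assumption: the federations' legitimate domains (not stated on the page).
LEGIT = ["ibsf.org", "fil-luge.org", "biathlonworld.com"]
# Constructed list of service words often glued to a brand in phishing hostnames.
SERVICE_WORDS = {"webmail", "mail", "login", "sso", "portal", "secure"}
# Character sequences that read like another letter ("vv" looks like "w").
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

def refang(domain):
    """Undo the [.] defanging used in reports and normalise case."""
    return domain.strip().lower().replace("[.]", ".")

def skeleton(label):
    """Collapse lookalike sequences so visually similar labels compare equal."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate):
    """Return (pattern, impersonated_domain), or None if nothing matches."""
    cand = refang(candidate)
    if cand in LEGIT:
        return None
    c_label, _, c_tld = cand.rpartition(".")
    for legit in LEGIT:
        l_label, _, l_tld = legit.rpartition(".")
        if c_label == l_label and c_tld != l_tld:
            return ("tld-swap", legit)            # same name, different TLD
        extra = [t for t in c_label.replace(l_label, "", 1).split("-") if t]
        if l_label in c_label and extra and all(t in SERVICE_WORDS for t in extra):
            return ("combosquat", legit)          # brand plus a service word
        if edit_distance(skeleton(c_label), skeleton(l_label)) <= 1:
            return ("homoglyph-or-typo", legit)   # near-identical after folding
    return None

if __name__ == "__main__":
    # Domains quoted in the description, plus one constructed benign control.
    for d in ["webmail-ibsf[.]org", "fil-luge[.]com", "biathlovvorld[.]com", "example.org"]:
        print(d, "->", classify(d))
```

Run against a feed of newly registered domains, a check like this supports the kind of early warning the description mentions, where victims were alerted before the phishing emails went out.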
