Cyber Incident Victim: International Luge Federation

Date: May 2017

Location: Russia

Summary

The International Luge Federation was targeted by the Pawn Storm espionage group in a series of credential phishing and spear phishing campaigns, alongside other Olympic winter sports organizations. These attacks, consistent with the group's long-standing tactics, aimed to steal login credentials through deceptive emails and counterfeit websites mimicking legitimate services. The targeting coincided with significant geopolitical events, including disciplinary actions against Russian athletes, mirroring prior compromises of sports arbitration and anti-doping entities where stolen data was leveraged for media influence. The group employed persistent social engineering techniques and reused infrastructure patterns across multiple politically motivated campaigns.

Description

In the second half of 2017, the advanced persistent threat group Pawn Storm conducted credential phishing and spear phishing campaigns targeting multiple International Olympic Wintersport Federations, including the International Luge Federation. These attacks occurred against the backdrop of lifetime bans imposed on several Russian Olympic athletes in fall 2017, following prior successful compromises of sports organizations like the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS) in 2016. The group employed consistent social engineering tactics, including emails disguised as password expiration notifications from Microsoft Exchange servers and fake OneDrive file sharing alerts. Technical infrastructure analysis revealed dedicated phishing domains such as "fil-luge[.]com" designed to mimic legitimate federation services. The campaign leveraged tabnabbing techniques previously observed in Pawn Storm operations, where browser tabs were silently redirected to phishing pages after initial distraction.

The attacks formed part of Pawn Storm's broader pattern of politically motivated operations, which simultaneously targeted political organizations in Iran during its May 2017 presidential elections through phishing sites like "chmail.ir[.]udelivered[.]tk". While the article confirms credential phishing attempts against the winter sports federations, it does not specify successful breaches of the International Luge Federation's systems. Cybersecurity researchers at Trend Micro successfully intervened in parallel attacks against a Netherlands-based NGO, issuing warnings within 24 hours of phishing email deployment and neutralizing malicious infrastructure within two hours of activation. The federations' targeting aligns with Pawn Storm's historical interest in influencing sports-related institutions during periods of heightened geopolitical tension, though direct operational impacts on luge competitions or athletes remain unconfirmed in available reporting. Technical indicators from these campaigns were documented and shared for defensive purposes, including multiple fraudulent domains mimicking official winter sports organization web services.
