Cyber Incident Victim: European Ice Hockey Federation
Date: Jan 2017
Location: Russia
Summary
The European Ice Hockey Federation was targeted by the Pawn Storm threat actor group in a series of credential phishing and spear phishing campaigns, alongside other international winter sports organizations. The attacks exploited social engineering techniques like tabnabbing to steal login credentials, potentially enabling further data theft from compromised email systems. This activity coincided with geopolitical tensions involving Russian athletes' Olympic bans, mirroring the group's prior intrusions into global sports bodies. The attackers employed consistent operational patterns, including reused infrastructure and phishing lures mimicking legitimate services like Microsoft Exchange and OneDrive, aiming to facilitate unauthorized access and influence operations through stolen data.
Description
In the second half of 2017, the advanced persistent threat group Pawn Storm conducted a series of cyberespionage operations targeting multiple International Olympic Wintersport Federations, including the European Ice Hockey Federation, alongside the International Ski Federation, International Biathlon Union, International Bobsleigh and Skeleton Federation, and International Luge Federation. These attacks occurred during a period coinciding with the lifetime bans imposed on several Russian Olympic athletes in late 2017, following previous successful compromises of sports organizations including the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS) in 2016. The group employed credential phishing and spear phishing tactics consistent with their long-established modus operandi, using socially engineered emails designed to mimic official communications from Microsoft Exchange and OneDrive systems. Attack infrastructure included domain names specifically crafted to resemble legitimate services, such as webmail-ibsf[.]org and fisski[.]ca, which hosted phishing pages designed to harvest login credentials.

The campaign against winter sports federations formed part of broader political operations conducted throughout 2017, including attacks on Iranian webmail users during presidential elections and persistent targeting of political organizations in multiple nations. Credential theft served as the initial intrusion vector for subsequent data exfiltration, with stolen email access enabling further intelligence gathering. While technical details of the European Ice Hockey Federation compromise remain unspecified in available reporting, successful interventions were documented in related attacks, including two thwarted phishing attempts against a Dutch NGO where defenders issued warnings within hours of phishing site deployment. The operational pattern demonstrated extensive preparation, with attackers reusing established techniques like tabnabbing and maintaining consistent infrastructure management practices across multiple campaigns. No specific data breaches or disruptive outcomes were confirmed for the winter sports organizations in disclosed records, though historical precedent with WADA and TAS-CAS compromises suggested potential risks of data manipulation or strategic leaks to influence public narratives regarding Olympic sanctions.
