Cyber Incident Victim: Federation Internationale de Football Association
Date: Nov 2014
Location: Switzerland
Summary
Russian GRU officers conducted a sophisticated cyber espionage campaign targeting international anti-doping organizations, including FIFA, to steal confidential medical records, athlete therapeutic use exemptions, and anti-doping strategies. The attackers employed spearphishing, close-access Wi-Fi compromises during global events, and false hacktivist personas ("Fancy Bears' Hack Team") to leak modified stolen data, aiming to discredit investigations into Russia's state-sponsored doping program. Stolen information from multiple entities was weaponized in coordinated disinformation efforts, involving direct outreach to journalists to amplify fabricated narratives about athlete drug use. The operation formed part of broader GRU activities targeting organizations of strategic interest to the Russian government.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 5 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 8 actors | Available to members | Available to members |
Description
Between December 2014 and May 2018, seven officers from Russia’s Main Intelligence Directorate (GRU)—Aleksei Sergeyevich Morenets, Evgenii Mikhaylovich Serebriakov, Ivan Sergeyevich Yermakov, Artem Andreyevich Malyshev, Dmitriy Sergeyevich Badin, Oleg Mikhaylovich Sotnikov, and Alexey Valerevich Minin—conducted a global cyber-espionage and disinformation campaign targeting entities of strategic interest to the Russian government. The conspirators, operating from Military Unit 26165 and GRU Unit 74455, employed spearphishing, malware deployment, Wi-Fi network exploitation, and identity theft to compromise victims. Their operations focused heavily on undermining international anti-doping organizations following the exposure of Russia’s state-sponsored athlete doping program at the 2014 Sochi Winter Olympics. After the July 2016 release of the World Anti-Doping Agency’s (WADA) McLaren Report, which detailed systemic Russian doping violations, the GRU intensified efforts to infiltrate WADA, the United States Anti-Doping Agency (USADA), the Court of Arbitration for Sport (TAS/CAS), and sporting federations. When remote hacking failed, GRU "close access teams", including Morenets and Serebriakov, traveled to locations such as Rio de Janeiro and Lausanne to physically compromise Wi-Fi networks used by anti-doping officials. Stolen data included medical records, therapeutic use exemptions (TUEs), lab results, and internal communications. The GRU weaponized this information through the fictitious "Fancy Bears’ Hack Team," which selectively leaked altered documents to falsely accuse athletes of doping, amplify Russia’s narrative, and retaliate against investigators.

The conspiracy breached the Fédération Internationale de Football Association (FIFA) in December 2016–January 2017, compromising its networks and the computers of its top anti-doping official. Attackers exfiltrated anti-doping policies, medical reports, lab results, contracts, and TUEs. The International Association of Athletics Federations (IAAF) was compromised during the same period. GRU actors used infrastructure tied to Unit 74455 to release stolen FIFA, IAAF, WADA, and USADA data via social media and the fancybears.net website, exposing private medical information of approximately 250 athletes from 30 countries. The group engaged in coordinated influence operations, directly contacting 186 journalists to amplify the leaks and distort public perception. Beyond anti-doping targets, the GRU also hacked Westinghouse Electric Company (2014–2015) and attempted intrusions against the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018, an operation that was disrupted by Dutch intelligence. On October 4, 2018, the U.S. Department of Justice indicted all seven GRU officers on charges including conspiracy to commit computer fraud, wire fraud, money laundering, and aggravated identity theft, with potential sentences ranging from 5 to 20 years per count. The indictment documented persistent network compromises across multiple continents, carried out through both remote cyberattacks and physical proximity operations to steal and weaponize sensitive data.
