Cyber Incident Victim: Canadian Centre for Ethics in Sport

In December 2014, Russian GRU officers from Military Units 26165 and 74455 initiated a hacking campaign targeting international anti-doping organizations, including the Canadian Centre for Ethics in Sport (CCES), as part of a retaliatory operation against entities that exposed Russia’s state-sponsored athlete doping program. The conspirators, including Aleksei Morenets, Evgenii Serebriakov, Ivan Yermakov, Artem Malyshev, Dmitriy Badin, Oleg Sotnikov, and Alexey Minin, employed spearphishing, spoofed domains, and malware to compromise victim networks. When remote hacking failed, GRU close-access teams traveled globally to conduct on-site Wi-Fi compromises at locations frequented by targets. Following the July 2016 McLaren Report revelations and subsequent bans on Russian athletes from the 2016 Rio Olympics and Paralympics, the GRU intensified efforts against anti-doping agencies. In August 2016, GRU officers compromised credentials of an International Olympic Committee (IOC) official via Rio hotel Wi-Fi, accessing the World Anti-Doping Agency’s (WADA) ADAMS database for athlete medical records and therapeutic use exemptions (TUEs). Concurrently, they captured a US Anti-Doping Agency (USADA) official’s email credentials via Rio Wi-Fi, obtaining athlete test results and medication data.

On September 18, 2016, Morenets and Serebriakov traveled to Lausanne, Switzerland, where WADA hosted an anti-doping conference. The next day, they compromised a hotel Wi-Fi network used by conference attendees, hacking the laptop of a senior CCES official. Stolen credentials enabled GRU actors to infiltrate CCES networks in Canada, extracting hashed passwords using a tool metadata-linked to Badin. From September 2016 onward, GRU Unit 74455 masquerading as "Fancy Bears’ Hack Team" released stolen TUEs, medical records, and emails from CCES, USADA, WADA, FIFA, IAAF, and 35 other organizations via social media and the fancybears.net website. The leaks, which included modified documents and private data of 250 athletes from 30 countries, were amplified through direct outreach to 186 journalists. The campaign aimed to delegitimize anti-doping investigations by falsely alleging athlete doping. In April 2018, Dutch intelligence disrupted a related GRU operation targeting the Organisation for the Prohibition of Chemical Weapons (OPCW), seizing equipment that confirmed prior use in the CCES hotel Wi-Fi breach. On October 4, 2018, a U.S. grand jury indicted the seven GRU officers for conspiracy to commit computer fraud, wire fraud, money laundering, and aggravated identity theft, with sentences ranging up to 20 years per charge. The indictment detailed the CCES compromise as part of a broader pattern of state-sponsored hacking spanning 2014–2018, impacting entities across 30 countries and multiple sectors.