Just days after McAfee researchers warned about hackers targeting and compromising several organisations associated with the Winter Olympics, researchers at ThreatConnect have uncovered how hackers are spoofing domains of WADA, USADA and OCASIA to target visitors.
The domain-spoofing campaign by Russian hacker group Fancy Bears is likely in retaliation for the ban imposed on Russia from participating in the Winter Olympics hosted by South Korea.
The researchers revealed that hackers belonging to the Fancy Bears group have created new domains designed to spoof legitimate domains owned by the likes of the World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA), and the Olympic Council of Asia (OCASIA).
This isn’t the first time that the Russian hacker group has targeted systems belonging to global sporting bodies. Back in 2016, following WADA’s decision to ban Russian athletes from the Rio Olympics due to a large-scale state-backed doping programme, Fancy Bears hacked into the World Anti-Doping Agency’s servers and released documents that contained details of hundreds of athletes who failed dope tests in 2015 and 2016.
ThreatConnect researchers have been able to identify newly registered domains like webmail-usada[.]org, usada[.]eu and wada-adams[.]org which spoof legitimate domains run by these organisations. According to the researchers, the domain webmail-usada[.]org was registered using a Domains4Bitcoins name server, which has been used by Fancy Bears for conducting spoofing campaigns in the past.
At the same time, the e-mail address used to register the domain wada-adams[.]org, which spoofs the WADA’s legitimate domain and Anti-Doping Administration and Management System (ADAMS), has also been used to register another domain named networksolutions[.]pw which uses the previously mentioned Domains4Bitcoins name server, thereby betraying Fancy Bears’ involvement in the campaign.
‘While these domains are not definitively attributable to Fancy Bear, given these domains’ consistencies and Fancy Bears’ HT posts, they merit additional scrutiny,’ the researchers said.
‘Furthermore, this incident highlights the importance of identifying activity that is consistent with adversaries’ known infrastructure registration and hosting tactics. In doing so, organisations can incorporate a proactive approach to threat intelligence that may identify indicators like these that are associated with their adversaries before they are used against them,’ they added.
Even though the domains have not been used maliciously so far and are not active, it is possible that they could be used by hackers any time in the future to spoof legitimate domains and to target visitors to such websites.
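The triage the researchers describe (brand lookalikes, a name server provider tied to earlier activity, and a pivot on a shared registrant e-mail) can be sketched as follows. This is an added example, not ThreatConnect's code or data: the record fields, the name server hosts and the registrant addresses are constructed placeholders, and the list of genuine domains is an assumption.

```python
import re
from collections import defaultdict

BRANDS = ("usada", "wada", "ocasia")                 # organisation names from the article
LEGIT = {"usada.org", "wada-ama.org", "ocasia.org"}  # assumption: the genuine sites
TRACKED_NS = ("domains4bitcoins",)                   # name server provider named in the article

# Constructed registration records: name server hosts and e-mails are placeholders.
RECORDS = [
    {"domain": "webmail-usada[.]org", "ns": "ns1.domains4bitcoins.example", "email": "reg-a@example.invalid"},
    {"domain": "usada[.]eu", "ns": "ns1.registrar.example", "email": "reg-b@example.invalid"},
    {"domain": "wada-adams[.]org", "ns": "ns1.hosting.example", "email": "reg-c@example.invalid"},
    {"domain": "networksolutions[.]pw", "ns": "ns2.domains4bitcoins.example", "email": "reg-c@example.invalid"},
    {"domain": "usada.org", "ns": "ns1.registrar.example", "email": "reg-d@example.invalid"},
    {"domain": "nowadays-news[.]example", "ns": "ns1.hosting.example", "email": "reg-e@example.invalid"},
]

def refang(domain):
    """Turn a defanged indicator back into a plain lowercase domain."""
    return domain.replace("[.]", ".").lower()

def is_lookalike(domain):
    """True if a brand name appears as a whole token in a non-genuine domain."""
    d = refang(domain)
    if d in LEGIT:
        return False
    labels = d.split(".")[:-1]  # ignore the TLD
    # Token match (split on '-', '_' ...) avoids substring hits such as "nowadays".
    tokens = {t for label in labels for t in re.split(r"[^a-z0-9]+", label)}
    return any(b in tokens for b in BRANDS)

def triage(records):
    """Return {domain: [reasons]} for records worth an analyst's attention."""
    direct, by_email = {}, defaultdict(set)
    for r in records:
        hits = []
        if is_lookalike(r["domain"]):
            hits.append("brand-lookalike")
        if any(p in r["ns"].lower() for p in TRACKED_NS):
            hits.append("tracked-name-server")
        direct[r["domain"]] = hits
        by_email[r["email"]].add(r["domain"])
    findings = {}
    for r in records:
        hits = list(direct[r["domain"]])
        # Pivot: the same registrant e-mail also registered a flagged domain.
        if any(direct[s] for s in by_email[r["email"]] - {r["domain"]}):
            hits.append("registrant-pivot")
        if hits:
            findings[r["domain"]] = hits
    return findings

if __name__ == "__main__":
    for domain, hits in triage(RECORDS).items():
        print(f"{domain:28} {', '.join(hits)}")
```

Whole-token matching trades recall for precision: it ignores unrelated words that merely contain a brand string, but it would also miss a lookalike that runs the brand name together with other text without a separator.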
Earlier this week, researchers at McAfee unearthed a stealthy phishing campaign by hackers to target and compromise several organisations associated with the Winter Olympics which will be hosted by South Korea in February. The campaign involved hackers sending phishing e-mails directly to firstname.lastname@example.org and including a number of other South Korean organisations in the bcc field, thereby maximising the reach of their campaign.
The hackers made the e-mails appear as if they were sent by the National Counter-Terrorism Center (NCTC) in South Korea, which is responsible for conducting physical security checks, thereby ensuring that virtually all recipients would download the attachments. The attachments contained PowerShell scripts which then downloaded additional malware onto affected systems.
‘Global gatherings such as the Olympics that see world leaders, businesses and governmental organisations converge on one location are a naturally attractive target for digital criminal activity.
Even when the stakes are high in situations like this, the international community must ensure that the necessary measures are in place and sufficiently fortified to prevent any data from falling into the wrong hands,’ says Peter Carlisle, VP for EMEA at Thales eSecurity.