IAAF servers hacked, athletes' private medical records feared compromised by Russia-linked Fancy Bear

The International Association of Athletics Federations (IAAF) revealed on Monday (3 April) that its servers were compromised by the notorious Russia-linked hacking group Fancy Bear. US intelligence officials and experts previously linked the hacking group, also known as APT28 or Strontrium, to the cyberattacks targeting the Democratic National Committee and Hillary Clinton's presidential campaign in 2016.

The IAAF - the world governing body for track and field - said it believes the cyberattack compromised athletes' Therapeutic Use Exemption (TUE) applications stored on its servers. TUEs are granted to allow athletes to take certain medication included in the World Anti-Doping Agency's list of prohibited substances for specific, verified medical needs.

The Monaco-based organisation said the attack was detected by British cyber incident response firm Context Information Security during a technical investigation of its systems in February.

"The presence of unauthorised remote access to the IAAF network by the attackers was noted on 21 February where meta data on athlete TUEs was collected from a file server and stored in a newly created file," the IAAF said in a statement.

"It is not known if this information was subsequently stolen from the network, but it does give a strong indication of the attackers' interest and intent, and shows they had access and means to obtain content from this file at will."

In September last year, the Fancy Bear group hacked into the World Anti-Doping Agency's systems and leaked private medical records of top international athletes after Russia's track and field team was banned from the 2016 Rio Olympics over state-sponsored doping.

Some of the athletes affected included Tour de France winning British cyclists Sir Bradley Wiggins and Chris Froome, Olympic champion Mo Farah as well as US tennis stars Serena and Venus Wlliams and gymnast Simone Biles.

Intelligence officials and experts have linked Fancy Bear to the Russia's military agency, the GRU. However, Moscow has denied any affiliation with the hacker group.

The IAAF said it has reached out to athletes who have applied for TUEs since 2012 whose information may have been compromised in the breach. The agency has also consulted the UK National Cyber Security Centre and Agence Monégasque de Sécurité Numérique regarding the incident.

The IAAF said it carried out a "complex remediation across all systems and servers" over the weekend "in order to remove the attackers' access to the network".

"Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential," IAAF President Sebastian Coe said. "They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation and work with the world's best organisations to create as safe an environment as we can."