On 13 September, a hacking group with suspected ties to the Russian government leaked what purported to be evidence that at least four US athletic superstars — Simone Biles, Elena Delle Donne and the Williams sisters — had tested positive for drugs.
A series of confidential files reportedly hacked from the computer systems of the World Anti-Doping Agency (Wada) were published online by a group calling themselves the 'Fancy Bears Hack Team' and quickly circulated on social media platforms like Facebook and Twitter.
The US athletes and authorities who govern their medical testing have since spoken out about the release of sensitive data, with Wada pointing the finger of blame directly at Russia. But what exactly is in the files, how were they initially obtained, who was responsible and what happens now?
What is in the leaked files?
While the leaked documents do indeed contain medical records of athletes like Biles and the Williams sisters, upon inspection, the wild claims of the hackers start to fall apart. They do indeed show positive drug tests, however the documents released are all therapeutic-use exemptions (TUEs).
These are routinely provided to athletes suffering from genuine conditions and are carefully regulated by officials. The files date back many years and there are 13 on Simone Biles, 4 on Elena Delle Donne and 16 on the Williams sisters.
Gymnastic superstar, Biles, who won four gold medals at Rio 2016, reportedly tested positive for drugs including methylphenidate and amphetamine. Delle Donne, a basketball star, was allegedly taking hydrocortisone and amphetamine. Serena Williams was taking oxycodone, hydromorphone and prednisone, according to the files. While her sister, Venus Williams, was prescribed drugs like triamcinolone and formoterol.
Are these drugs bad?
Yes, they are drugs, but they are tightly regulated drugs that were previously known to authorities. Travis Tygart, chief executive of the United States Anti-Doping Agency (Usada) has said it is "unthinkable" that hackers would attempt to "smear" athletes. "In each of the situations, the athlete has done everything right in adhering to the global rules for obtaining permission to use a needed medication," he said in a statement. "It is time for the entire international community to stand up and condemn this cyberattack on clean sport and athlete's rights."
The USA Gymnastics Association, referring to Biles, agreed the athlete "submitted and was approved" for a therapeutic-use exemption (TUE). In a statement on social media, Steve Penny, president of the body, said: "Simone has filed the proper paperwork per Usada and Wada requirements, and there is no violation. Simone and everyone at USA Gymnastics believe in the importance of a level playing field for all athletes."
In a statement posted to her personal Twitter account, Biles said: "I have ADHD and I have taken medicine for it since I was a kid. Please know, I believe in clean sport, have always followed the rules, and will continue to do so as fair play is critical to sport and is very important to me." Another affected athlete Elena Delle Donne added: "I'd like to thank the hackers for making the world aware that I legally take a prescription for a condition I've been diagnosed with, which Wada granted me an exemption for. Thanks guys."
Who are the Fancy Bears?
On its website where the medical files are currently hosted, the hacking group claims to be affiliated with the notorious Anonymous collective — however Wada has claimed that law enforcement uncovered evidence the group has links with Russian Intelligence. According to the doping watchdog, the group is APT28 — also known as Fancy Bear — and is the same nation-state group believed to be responsible for the ongoing cyberattacks against the US political system. The athletes' medical files were obtained by a hack on Wada's 'Adams' — or the Administration and Management System — by sophisticated spear-phishing tactics, officials said.
What are the hackers' motivations?
In a statement released on a website, the hackers claim the aim of the data dump was to tell the world about the "dirty methods" allegedly used by the US Olympic team. "We hacked World Anti-Doping Agency databases and we were shocked with what we saw," the group stated, adding that "after detailed studying of the hacked Wada databases we figured out that dozens of American athletes had tested positive [for drugs]. The hacking team claimed that its disclosures were "just the tip of the iceberg", and that more leaks were now on the horizon. "This is other evidence that Wada and [the] IOC's Medical and Scientific Department are corrupt and deceitful," it claimed.
Fine, but what is the context to all this?
The leak comes after Wada employed a professor called Richard McLaren to investigate shocking claims of widespread Russian state-sponsored doping, initially revealed by athlete Yuliya Stepanova, who with her family fled Russia after blowing the whistle on the scandal. The probe into the claims produced a damning report which implicated the FSB, the Russian Ministry of Sport (MofS) and the Russian Anti-Doping Agency in collusion. Most recently, as previously reported, both Wada and Stepanova's personal Adams accounts were targeted by hackers. "The only reason somebody would hack [the] account is to find out your exact location," Stepanova said at the time. Regarding her family, she added: "If something happens to us then you should know that it is not an accident."
What did Russia say?
In the face of mounting evidence to the contrary, Russia has denied all knowledge of the suspected nation-state hacking, much like recent cyberattacks at the Democratic National Committee (DNC). "We can say without a hesitation any involvement in such actions on the part of official Moscow, the Russian government or any Russian secret services is strictly out of the question. It's simply ruled out," declared Kremlin press secretary Dmitry Peskov.
He continued: "Unsubstantiated claims of this kind don't adorn any organisation unless they have a solid groundwork. I don't know if the people who issued these statements have any arguments at their disposal." To Russia's credit, Wada has not yet released any technical evidence to back up the assertion that state-sponsored hackers were responsible.
What happens now?
While Wada and cybersecurity firms continue to analyse the leak of data, the hackers say more leaks are planned. "We will start with the US team which has disgraced its name by tainted victories," the hackers boasted. "We will also disclose exclusive information about other national Olympic teams later. Wait for sensational proof of famous athletes taking doping substances any time soon." IBTimes UK contacted Fancy Bears for comment, but had received no response at the time of publication.
Meanwhile, Wada said it is now "reaching out" to stakeholders and those smeared by the leaks. "Wada deeply regrets this situation and is very conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act," stated its director general Olivier Niggli.