And not just about US politicians. Its WADA hacks were intended to tarnish the reputations of some of the best-known figures in world sports.

And the hackers are likely to continue their operations. "Pawn Storm is becoming increasingly relevant particularly because it is doing more than just espionage activities," Trend Micro concluded. "We can see how the group has become more adept at manipulating events and public opinion through the gathering and controlled release of information."

According to an analysis by the Japanese firm Trend Micro, 2014–16 was a particularly active time for the GRU hackers, which it calls Pawn Storm. During that period, the group created email phishing campaigns targeting at least 12 countries' militaries, eight ministries of defense, six political parties, and seven media outlets around the world, including BuzzFeed News.

The culprit? Russia's Main Intelligence Directorate, or GRU, the country’s largest foreign military intelligence agency. Cybersecurity companies call the GRU hackers by a variety of names, but they are most commonly known as APT 28 or Fancy Bear, and they've been operating since 2004.

Now it's clear that the same culprit was responsible in both cases. A rare declassified joint report by the US’s National Security Agency, Central Intelligence Agency, and Federal Bureau of Investigation reached that conclusion last year, as had several internationally known cybersecurity companies.

WADA announced in September 2016 that it had been hacked and that athletes' medical files had been taken and were being posted to the internet. That was only a few months after the Democratic National Committee acknowledged that its computers, too, had been hacked and its stolen emails posted on the web.

Now, as the next Winter Games begin in South Korea — without the official presence of Russia, which has been banned for cheating the last time — it’s clear that the hack of the World Anti-Doping Agency came from the same playbook Russia has used in elections around the world, including the most recent US presidential election.

Russia's reaction was quick — and also unprecedented. Soon, its intelligence agency was hacking into WADA's computer system.

In February 2014, when Russia hosted the Winter Olympic Games at Sochi in the country's southwest, its athletes won an unprecedented 29 medals. Less than two years later, the World Anti-Doping Agency, the watchdog for drug use in international sport, took aim at that performance, saying it rested on a massive doping conspiracy directed by the Russian government.

For US gymnast Simone Biles, Fancy Bear revealed the presence of methylphenidate in her system, a drug used to treat attention deficit hyperactivity disorder.

“Whenever you’re at the top, it’s very easy for a lot of people to bring you down,” Biles told BuzzFeed News. “I take it for a certain reason, just like if you have asthma you take an inhaler. It is what it is. I take medicine. If you have a problem, I’m sorry.”

“One of the things we’ve seen most prominently is the degree of meanness in Fancy Bear’s attacks,” Toni Gidwani, director of research at cybersecurity firm ThreatConnect, told BuzzFeed News. “The WADA breach is an example where you had sharing personal information of a bunch of athletes who were involved in the Russian doping scandal as whistleblowers or not involved at all. But we’ve seen a similar type of pattern in the way that they’ve gone after journalists and civil society activists. There’s a pretty clear intention to intimidate these people who were acting against perceived Russian interests.”

Tensions between the Russian government and WADA began in November 2015, when WADA declared that its Russian affiliate had failed at its job of adequately testing Russian athletes for performance-enhancing drugs.

The next year, Grigory Rodchenkov, who headed that affiliate, confessed to a massive state-sponsored doping scheme in the lead-up to the 2014 games and provided extensive evidence to both the New York Times and WADA itself. Rodchenkov is currently in protective custody in the US.

It’s not unusual for any sophisticated nation-state hacking group to have a wide interest in important targets around the world. But Fancy Bear is different from many because “they’re noisy,” Gidwani said. “They’re one of the more visible threat actors.”



It's also developed, in recent years, a practice of not merely gathering information, but spreading it online, often in misleading ways that align with Russian interests. In 2014, as Russia was in the process of finalizing its annexation of Crimea from Ukraine, a pro-Russia “hacktivist” group believed to be a front for Fancy Bear published Ukrainian military documents. The story made few waves in the US, but was reported by Russian state media.

That was similar to what would happen to Democrats’ files after they were pirated from DNC computers: Some were posted to a newly created site, DC Leaks; some were posted by Guccifer 2.0, a hacker persona who appeared online and encouraged the media to write about the documents; and some were handed to WikiLeaks, which posted batches of Democratic emails for weeks leading up to the election.

Similarly, after the GRU hackers hit WADA, a website called “Fancy Bears” — a clear reference to the name researchers had given them — began slowly leaking non-Russian athletes’ medical files. In addition to Biles's ADHD medicine, Fancy Bear revealed the use of anti-inflammatory steroids by basketball player Elena Delle Donne and tennis greats Venus and Serena Williams. All of those uses had been approved by WADA.

Though Fancy Bear has demonstrated sophisticated hacking capabilities, its penetration into both the Democratic National Committee and WADA came from a basic spear-phishing attack, where a target can be tricked into giving up their password. That’s what happened with a staffer at the Democratic National Committee, and it’s what led to Olympians’ files being breached, according to WADA's former chief technology officer, Robert Jackson.

“Somebody at the International Olympic Committee fell for a spear-phishing email with my name on it,” Jackson told BuzzFeed News. The email, sent to around 10 people, mimicked Jackson’s email signature, though shoddily. “Colors were wrong and certain information was wrong. It asked this guy to reset his password. He fell for it. He basically gave them his password.”

Once it had gained access to a high-ranking IOC employee’s email address, Fancy Bear was able to log into WADA’s Anti-Doping Administration & Management System database and download athletes’ files, many of them American.

Soon after the breach, Jackson said, he contacted international law enforcement agencies, which convinced him Fancy Bear was indeed behind the attack.

Just as the Democrats' leaked emails led to months of breathless media coverage, headlines around the world covered the American Olympians’ medical files, even though WADA had cleared them to use those drugs.

“Russian Hackers Expose Drug Use By America's Greatest Female Athletes,” Maxim wrote. “Simone & Serena Drug Use EXPOSED In Russian Hack!,” declared Radar Online. “WADA hack raises questions about therapeutic use exemptions, security,” said USA Today. And RT, the Kremlin-sponsored news channel, framed the story as “Top US athletes deny cheating after hackers show usage of banned substances.”

After the first wave of leaked WADA files, Travis Tygart, the head of USADA, WADA’s American signatory, reached out to those four athletes. “It’s cyberbullying at its worst, attempting to smear innocent athletes who end up being the victims,” Tygart told BuzzFeed News. “Our immediate concern and compassion went out to those athletes. It’s really another step when you attempt to smear and destroy clean athletes who hadn't done anything other than follow the rules.”

But then Fancy Bear released another batch of American athletes’ files, to considerably less fanfare, and then a third round. Tygart’s team, overwhelmed with the number of victims, had to settle for recording a password-protected video message to those athletes. USADA has given BuzzFeed News permission to show it to the public for the first time.