The 2018 World Cup in Russia will see a collision between an increasingly interconnected global game and a progressively fractured, hostile information security environment. Following concerns voiced by England’s Football Association to FIFA, the world football governing body, about the leak of sensitive anti-doping correspondence by an alleged Russia-linked hacking group, cyber security is set to be a high priority for teams competing in the summer’s showcase tournament.
At the forefront of a volatile contemporary culture of data breaches stands the cyber espionage group ‘Fancy Bears’. Claiming to stand for “fair play and clean sport”, the group is linked to multiple high-profile data breaches in both the political (seen with both the 2016 Democratic National Committee email leak and the cyber-attack on French president Emmanuel Macron’s 2017 election campaign) and the sporting world.
As far as sport is concerned, Fancy Bears also have previous experience. Pertinently, a football-focused Fancy Bears leak from 2017 implicated multiple former Premier League footballers, such as Dutchman Dirk Kuyt and Argentina’s Carlos Tevez, as having therapeutic use exemptions (TUEs) in the run-up to the 2010 World Cup.
TUEs, though commonly issued to authorise the use of substances otherwise banned under anti-doping regulations for the treatment of medical conditions, are the subject of a certain degree of public suspicion over their perceived ability to help athletes gain an unfair advantage – something neither Kuyt nor Tevez would have been happy to have their names associated with. That particular data breach also announced 160 failed drug tests from footballers in 2015, with four of the failed tests registered by UK Anti-Doping (UKAD) according to compromised emails from the FA’s head of integrity Jenni Kennedy to FIFA. Though TUEs themselves are clearly not illegal, Fancy Bears’ hostile activity publicly raises questions over how well key governing bodies protect sensitive data.
Moreover, multiple specialist cyber intelligence bodies have suggested that Fancy Bears use cyber-attack methods that are consistent with nation-state actors. This has fuelled speculation that the group is associated with the Russian military intelligence agency GRU, acting in revenge for the banning of Russia from the Summer Olympics in 2014 and Winter Games in 2018 for contravening doping laws.
Characterised as an advanced persistent threat, the group utilises a number of methods, including zero-day vulnerabilities, phishing email campaigns and malware-hosting websites disguised as news sources, with a particular focus on web-based email services. For example, compromises have in the past consisted of web-based email users receiving an email urgently requesting they change their passwords to avoid being hacked. These users were then redirected via a link to a spoofed website where their credentials, after being inputted, were stolen. Confidential data was then accessed, downloaded and distributed.
Though Fancy Bears’ data breaches have largely concerned controversial anti-doping practices of sports governing bodies, fears have been raised by FA chiefs over the security of networks that would be used to send emails by coaches and executives alike. There are even concerns that the England camp could be unwittingly exposing tactical plans, team selections and training schedules to malicious groups. With the stakes high and data-driven analysis utilised by all teams attempting to gain a competitive advantage, poor cyber security infrastructure and resultant compromised tactical intelligence could make a genuine difference.
To attempt to mitigate the threats posed by Fancy Bears, the FA has advised that all players and staff avoid the use of public Wi-Fi networks, refrain from posting on social media with location tags and use only equipment allocated to them, which will have sophisticated anti-hacking software installed. The FA also claim their firewalls have been strengthened and key passwords encrypted.
Football, as the world’s most popular sport, mirrors an increasingly interconnected world with its continued adoption of data-driven analytics for tactical analysis (as proponents of ‘expected goals’ or ‘xG’, a football metric which allows you to analyse and evaluate team and player performance, would attest), and even video assisted referees (VAR) are making an appearance at this summer’s tournament. However, as technology steadily creeps into the sport, the means by which to secure a team’s data, whether it relates to tactical or medical records, will only continue to come under threat. Before a football has even been kicked, the World Cup in Russia provides another high-stakes platform for the proxy-cyber cold war.