The World Anti-Doping Agency (WADA) has condemned Russian hackers for leaking confidential medical files of star US Olympic athletes.
Athletes affected include tennis players Venus and Serena Williams and teenage gymnast Simone Biles.
A group calling itself “Fancy Bears” claimed responsibility for the hack of a Wada database.
After the leak, Ms Biles said she had long been taking medicine for Attention Deficit Hyperactivity Disorder.
The hacker group had accused her of taking an “illicit psycho-stimulant”, but she said she had “always followed the rules”.
The Rio Olympics quadruple gold medallist had obtained the necessary permission to take prescription medicine on the WADA banned drugs list, USA Gymnastics said in a statement.
Wada said in a statement that the cyber attacks were an attempt to undermine the global anti-doping system.
Russian government spokesman Dmitry Peskov said it was “out of the question” that the Kremlin or secret services were involved in the hacking, Russian news agencies reported.
The hackers accessed records detailing “Therapeutic Use Exemptions” (TUEs), which allow the use of banned substances due to athletes’ verified medical needs.
“By virtue of the TUE, Biles has not broken any drug-testing regulations, including at the Olympic Games in Rio,” USA Gymnastics said.
Fancy Bears said TUEs amount to “licences for doping”.
The leaked documents allege that Serena Williams was granted permission to use drugs commonly used to treat muscle injuries, such as anti-inflammatories, while Biles is said to use Ritalin – a treatment for her ADHD.
Former – Australian Sports Anti-Doping Authority head Richard Ings said: “Nothing I see here gives me cause for alarm,” adding it looked “totally normal”.
“The issue here is privacy breach.”
Russia’s track and field team were banned from the Rio Olympics over an alleged state-backed doping programme. All of its athletes are barred from the ongoing Paralympics.
“Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia,” WADA Director-General, Olivier Niggli, said.
This is the latest twist in what was already the biggest doping scandal in the history of sport, and further evidence of the bitter divisions it has sparked.
The hack appears to be an act of revenge – retaliation for Wada’s damning report into Russian state-sponsored cheating.
Although the Russian government has denied any involvement, it has always maintained that the country has been made a scapegoat for a much wider problem, and this will only add fuel to that fire.
Although the athletes concerned have broken no rules, the revelations – along with the threat of more leaks of other competitors’ medical records – will inevitably exacerbate the controversy surrounding TUEs at a time when sport’s leaders are desperately trying to restore trust.
Many athletes will now be nervously wondering if their private medical details records are the next to be made public.
And with the future of WADA currently in the balance, the fact its security was so badly compromised will raise more questions over the entire anti-doping system, especially after the account of Russian whistleblower Yuliya Stepanova was hacked last month, leading to fears for her safety.
US Anti-Doping Agency chief Travis Tygart called the hack “cowardly and despicable”.
“In each of the situations, the athlete has done everything right in adhering to the global rules for obtaining permission to use a needed medication,” he said.
The US Olympic Committee has had “zero adverse findings from the Rio Olympic Games that weren’t 100% within the medical guidelines set forth by anti-doping authorities,” spokesman Patrick Sandusky said.
Earlier this month, Mr Niggli said WADA was experiencing almost daily cyber attacks originating from Russia.
Fancy Bears, which is also known as Tsar Team (APT28), has pledged to release confidential records from other national Olympic teams.
It’s an old adage in cybersecurity that the weakest point of any supposedly secure system is the people that use it.
WADA says it believes this hack was made possible thanks to a successful spearphishing attack. Phishing is a term given to the technique of tricking a user into giving up crucial information – often by clicking a link that takes them to a malicious website disguised as a familiar one, such as the log-in page for a bank or social network.
Spearphishing takes this one significant step further. While a phishing attack is often aimed at many people in the hope some will fall for it, spearphishing is highly targeted. Hackers perhaps identified a small number of people, or even just one person, and wrote a phishing attack specifically designed to trick them.
Other than pushing a message of vigilance among staff, spearphishing is incredibly difficult to defend against. Attackers often scour the internet, looking for added information on the target that might make an email more believable. Sometimes even knowing a person’s favourite football team is enough to tip the balance in making a spearphishing email seem genuine.