Experts and officials in Moscow have questioned whether the hackers who leaked athletes' medical data are connected to Russia, after the World Anti-Doping Agency said the attacks on it originated there
Experts and officials in Moscow have raised doubts about whether the hackers who leaked athletes' medical data are linked to Russia, even though the World Anti-Doping Agency (Wada) has said the attacks on it originated in Russia.
A new website attributed to the Fancy Bears hacker squad, a name echoing the Russian Fancy Bear group accused of hacking the Democratic National Committee's email servers this summer, published leaks this week showing that Wada had given the Olympic gymnast Simone Biles and the tennis players Serena and Venus Williams, as well as the British Tour de France winners Chris Froome and Bradley Wiggins, exemptions to take restricted substances.
The dots seemed easy enough to connect: after Russia's track and field squad and other athletes were banned from the Olympics over findings of state-sponsored doping, Kremlin hackers began carrying out attacks on Wada and the court of arbitration for sport (Cas), which said it had been targeted in August. Following this week's leaks, though, Russian officials and media have denied any involvement by compatriots and have also suggested Wada applies double standards, giving western athletes greater leeway to use drugs than Russian athletes.
On Wednesday the country's sports minister, Vitaly Mutko, denied the Wada hack could be connected to his homeland, and the country's UK embassy tweeted on Thursday: "Wada hacking: There should be nothing private about doping files of participants of Olympics, which are a very public affair. Some are more equal than others?"
The state news agency RIA Novosti headlined its news piece "Wada let the Williams sisters and the gymnast Biles take doping", and included a cartoon of a muscle-bound black female tennis player in a USA jersey carrying a golden trophy full of pills.
Wada's director general, Olivier Niggli, said Wada had been informed by law enforcement that the two attacks "are originating out of Russia". The security firm CrowdStrike has said Fancy Bear and another group involved in the DNC hack, Cozy Bear, are likely backed by Russian intelligence agencies.
Russian experts, however, cast doubt on this conclusion. Sergei Nikitin, a digital forensics analyst at the Moscow-based security company Group-IB, said not enough information was available to trace the attacks to Russia. He said companies usually publish a report with more precise evidence on how exactly their system was compromised.
"We don't have this in the case of the DNC and Wada hackers, so it's not clear on what basis conclusions are being drawn that Russian hackers or special services were involved. It's done based on the website design, which is absurd," he said, referring to the depiction of symbolically Russian animals, brown and white bears, on the Fancy Bears' Hack Team website.
According to Alexander Baranov, head of the information security department at the Higher School of Economics in Moscow, the hackers were most likely amateurs who published a semi-finished product rather than genuinely compromising data. "They could have done this more harshly and abruptly," he said. "If it was [state-sponsored] hackers, they would have dug deeper. Since it's enthusiasts, amateurs, they got what they got and went public with it."
But leading cybersecurity firms have long seen patterns in Fancy Bear's activities that give them confidence the hackers are linked to the Russian state. The group, which is also known as APT28, Strontium or Sofacy, has been active since at least 2008 but increased its activities tenfold in 2015, according to Kaspersky Lab. It said in a statement to the Guardian that Fancy Bear is a Russian-speaking group focusing on Nato countries, Ukraine, governments and military contractors, targets that have tense relations with the Kremlin. CrowdStrike has said Fancy Bear is likely tied to the GRU, Russia's military intelligence agency.
Since the Wada breach was the result of a phishing attack, in which deceptive emails trick users into revealing their passwords, the attackers did not employ malware that could be compared against that typically used by Russian groups. But the US security firm ThreatConnect said the way the phishing was carried out was consistent with Fancy Bear's past activities.
In creating the phishing emails, the Wada attacker registered domain names with the same domain registrar Fancy Bear used in the DNC hack, as well as another domain registrar often used by Fancy Bear, according to a ThreatConnect report. The domains were registered shortly after Russian Olympic and Paralympic athletes were banned from competing in Rio de Janeiro, and the deceptive email addresses were written with a formula Fancy Bear had used before.
Nikitin said Fancy Bear was most likely a cybercriminal group leaking politically sensitive information to get free advertising in the media for its black-market services.
But Toni Gidwani, ThreatConnect's director of research, said that whereas cybercriminals will target many people in the hope of an easy score, Fancy Bear had a history of tailoring its attacks to specific targets and, having breached them, lingering on their servers to collect information. "We're pretty comfortable that Fancy Bear is linked to the Russian government, taking what we know about their attacks on the whole," Gidwani said. "The level of sophistication we've seen them pull off in these attacks, it would be very difficult for this organisation to be criminally motivated or an ideological hacktivist."
The new ostentatious Fancy Bears website, the leak of Wada data on the Russian Olympic boxer Misha Aloyan and the claim by a Twitter account calling itself Anonymous Poland that it was targeting Wada and Cas were not typical of a Russian state hacker group, Gidwani admitted. But she said the people doing the hacking and those leaking the information could be different, and called the new accounts claiming credit for the two attacks "faketivists" meant to throw investigators off the scent.
Gidwani said the suspected Russia-backed attacks were likely to continue until at least the US presidential election: "It's almost like the Joker in Batman, to cause as much chaos as possible and cause people to question the integrity of these systems, whether that's the US elections and our leadership or international structures that regulate doping in sport."
Read more: www.theguardian.com