- CISA and the FBI issued a joint alert for think tanks after observing "persistent cyber intrusions" by advanced persistent threat (APT) actors in the U.S. The agencies said APTs often target think tanks responsible for international affairs or national security policy.
- Attackers can use spearphishing schemes or leverage VPNs to access a target's network. They are "low-effort, high-reward" strategies, according to the alert.
- In addition to non-technical employee training, the agencies advise security organizations segment and segregate networks and use multifactor authentication. Organization should encrypt data at rest and disable remote services not in use.
The U.S. is in the midst of finalizing the 2020 presidential election results and because of the "importance that think tanks can have in shaping U.S. policy," CISA and the FBI want organizations to stay ahead of the threat, the agencies said.
Well-known APT groups have a successful history of targeting research institutes.
In February 2019, Microsoft tracked malicious activity from the same APT group that targeted the Democratic National Committee (DNC) in 2016. At the time Microsoft disclosed the research in 2019, European nations were undergoing their own electoral processes. Microsoft found attacks linked to at least 104 think tanks in Belgium, France, Germany, Poland, Romania, and Serbia in the last quarter of 2018.
Microsoft was "confident" the activity originated from Russia-linked Strontium, also known as Fancy Bear and APT 28. Fancy Bear, along with Cozy Bear, were the groups responsible for the 2016 DNC hacks.
Cozy Bear also known as APT 29 and Dukes, accessed the DNC's networks in 2015; Fancy Bear accessed the network a few months prior to the attacks, according to analysis by CrowdStrike. Between 2008 and present, Cozy Bear has iterated its attack tactics and the malware associated with it.
By 2015, Cozy Bear group's toolset expanded to CosmicDuke, which executed PinchDuke on the same infected machine and "collected data in parallel, so mitigating one of them was not enough," according to Tomer Bar, research team leader at SafeBreach, during a SANS Institute webcast in November. CosmicDuke was not delivered by spearphishing.
Cozy Bear's largest phishing campaign came in 2015 and in 2020 CrowdStrike was unable to determine its operational tempo, or how long it takes the APT group to act. Researchers are investigating Operation Ghost, "which referenced TTPs and tools" linked to Cozy Bear. Operation Ghost includes the PolyglotDuke, RegDuke and FatDuke malware families.
"After the attack against the DNC, [Cozy Bear] put some time to rebuild the toolset, they came up with three new malware families," said Bar. APT 29 used the malware in stages of an attack between 2016 and 2019.
The stages started with APT 29 leveraging PolyglotDuke on Twitter and Reddit to collect its command and control (C&) URL, relying on imagery steganography for C&C communication, said Bar. RegDuke uses Dropbox as its C&C server, encrypting the main payload on the disk. That is the first stage of the attack. Stage two utilizes the MiniDuke backdoor, and the final stage includes FatDuke.
This year, "they didn't neglect their attacks," said Bar. "If they say that they are under the radar, they are changing [their] strategy."