Think-Tanks Under Attack by Foreign APTs, CISA Warns

The feds have seen ongoing cyberattacks on think-tanks (bent on espionage, malware delivery and more), using phishing and VPN exploits as primary attack vectors.

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a warning on what they say are persistent, continued cyberattacks by advanced persistent threat (APT) actors targeting U.S. think-tanks.

The attackers are looking to steal sensitive information, acquire user credentials and gain persistent access to victim networks, according to the feds.

The cyber-intrusions are especially directed at think-tanks that focus on international affairs or national security policy, according to the alert issued this week. That is perhaps unsurprising, given the geopolitical nature of APTs, which tend to be backed by nation-states.

“Given the importance that think-tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness,” according to the alert.

In terms of impact, APTs are first and foremost bent on espionage, and are looking to exfiltrate data. Observed spy activities include credential dumping, keylogging, collecting audio, stealing emails, downloading files and more, CISA and the FBI said.

“Cybercriminals are working to gain access to organizations with the brightest and best people to collect certain information, data about ‘state-of-the-art’ technology or strategic projects to better their own efforts,” said James McQuiggan, security awareness advocate at KnowBe4, via email.

“We continue to see cybercriminals targeting organizations that develop or manage high-value intellectual property, so it makes sense that think-tanks are a prime target,” added Stephen Banda, senior manager of security solutions at Lookout, via email.

However, that access could also be used for more nefarious purposes.

“If an individual were to unknowingly share their user credentials with a cybercriminal, the hacker could not only access the victim’s network but they could also send emails from the person’s account, making it look like the messages they were sending were 100 percent legitimate and, potentially, influencing U.S. policies,” Ed Bishop, CTO and co-founder of Tessian, said via email.

Apart from information theft, the alert warned that some attacks are delivering ransomware, hijacking resources for cryptomining, mounting distributed denial-of-service (DDoS) attacks or even wiping disks in destructive attacks.

Attack Vectors

CISA and the FBI assessed that APT actors have so far relied on multiple avenues for initial access, including clever social-engineering techniques and impersonation of trusted third parties to trick victims into sharing information or account credentials via spearphishing.

“People are more reliant on email to stay connected with colleagues, customers and suppliers, and our recent survey found that half of employees are less likely to follow safe data practices when working from home,” Bishop said.

However, CISA and the FBI also pointed out that APTs are making more sophisticated attempts to infiltrate networks, such as exploiting vulnerabilities in remote-access infrastructure and other internet-connected devices.

“Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic,” the feds said.

As a result, some attackers are leveraging bugs in virtual private networks (VPNs) and other remote-work tools to gain initial access to, or persistence on, a victim’s network. Researchers said that the expanded use of personal devices and home networks for remote work is making this easier.

“Unfortunately, despite some of the conveniences and efficiencies that remote work can provide, it has greatly expanded the attack surface for all businesses, including think-tanks,” Banda said. “For instance, the expert team of 10 researchers who would typically convene in one central office is now collaborating from 10 individual remote offices. Each ‘personal office’ has its own security requirements and variety of connected mobile and fixed endpoints.”

And finally, the alert said that some of the attacks begin with supply-chain compromise, brute-forcing passwords or using stolen, valid credentials.

Think-Tank Attacks

Known attacks on think-tanks have been ongoing. For instance, Microsoft warned in February 2019 that the Russian APT Fancy Bear was attacking democratic think-tanks in Europe.

More recently, Accenture revealed that Turla, another Russian APT, was attacking think-tanks and others by exploiting enterprise-friendly platforms (most notably Microsoft Exchange, Outlook Web Access (OWA) and Outlook on the Web) in order to steal business credentials and other sensitive data.

And in late October, CISA warned that the North Korean APT group known as Kimsuky is actively attacking think-tanks, commercial-sector businesses and others, often by posing as South Korean reporters. Its mission is global intelligence gathering, CISA noted, which usually starts with spearphishing emails, watering-hole attacks, torrent shares and malicious browser extensions, in order to gain an initial foothold in target networks.

Protection and Mitigation

CISA and the FBI recommended that think-tank organizations apply a range of critical (but basic) best practices to protect themselves, including implementing social-engineering and phishing training.

“All organizations, including think tanks, are targets of nation-states and cybercriminals, and by phishing the human, they view it as the more accessible way into the systems and infrastructure,” said McQuiggan. “Organizations need to maintain a strong security-awareness training program and update it frequently to keep employees updated on the latest attack patterns and phishing emails. Employees can make the proper decisions to identify potential phishing emails and report them. This action makes for a more solid security culture and allows the organization to work towards being a more substantial asset for the security department.”

The alert also advocated network segmentation, good password hygiene and multi-factor authentication, timely patching, the use of antivirus software and strong data encryption.

Banda also stressed that think-tanks should be aware that mobile devices can be a particularly weak link.

“Considering 85 percent of mobile phishing attacks occur outside of email, the days of only paying attention to email-based phishing attacks are well past,” he said. “Phishing attacks are targeting mobile users across text messaging, social messaging platforms and mobile apps.”
