FBI And Homeland Security Warn Of APT Attacks On US Think Tanks

The FBI and DHS-CISA warned of state-sponsored hacking groups targeting U.S. think tank organizations in a joint advisory published on Tuesday evening.

Advanced persistent threat (APT) actors are regularly directing their attacks on such organizations and individuals associated with them who can have an important role in shaping U.S. policy and international affairs according to the two federal agencies.

Heightened state of awareness recommended by federal agencies

State-backed hackers have used a multitude of infiltration vectors in their attacks including spearphishing focused on both corporate and personal accounts via email and third-party messaging services, as well as the exploitation of vulnerable web-facing devices and remote connections.

“Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network,” the joint advisory reads.

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

“When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.”

DHS-CISA and the FBI also advised organizations and individuals in international affairs and national security sectors to “adopt a heightened state of awareness.”

They also provided a set of extensive mitigation measures to be immediately implemented by think tank organizations’ leaders, staff, and IT staff to strengthen their security posture and defend against ongoing attacks by nation-state hacking groups.

Think tanks under constant targeting

The FBI also issued a ‘TLP:WHITE‘ private industry notification in April 2020 regarding the continued targeting of US think tanks by state-backed APT groups since at least 2014, with the end goal of gaining access to and exfiltrating sensitive information.

“Nation-state APT actors have sought access to US think tank organizations–which employ former US Government (USG) personnel who continue to engage with current USG officials on political, domestic, foreign, and economic policies –as a means to collect sensitive USG information, bypassing the need to target USG networks directly,” the FBI warned.

“The reasoning behind this targeting approach is two-fold: USG networks tend to be more secure and more difficult to access, and mitigation efforts within USG networks have historically been effective.”

Over the last several years, hacking groups have been able to infiltrate and successfully acquire information on a wide range of sensitive topics including but not limited to:

• US Elections-Related Topics
• US Politics and Foreign Policy
• US Interests/Conflicts with Competing World Powers
• US Decision Making and National Security Issue
• US Cyber Deterrence
• US and NATO Interests
• US Defense Plans

Even after successfully removing APTs from the compromised network of a think tank organization, they have been able to “shortly” re-infiltrate them and resume harvesting and exfiltrating sensitive information until their malicious activity was once again detected and blocked the FBI said. [PDF]

Also Read: Limiting Location Data Exposure: 8 Best Practices

Microsoft also warned during late-September of nation-state actors behind ongoing attacks against “think tanks focused on public policy, international affairs or security.”

The Russian-backed APT29 threat group (also tracked as Cozy Bear and The Dukes) and its attacks on think-tank organizations were the subjects of another joint alert [1, 2, 3, 4] issued by national cybersecurity agencies from the United States, the United Kingdom, and Canada issued in July 2020.

Previous attacks targeting US think tanks in 2017 (APT29) and 2018 (Indian APT group Dropping Elephant) were reported by Defense One and security researchers at Volexity.