The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about ongoing cyberattacks on think tanks by foreign Advanced Persistent Threat (APT) groups.
The purpose of the attacks is to gain persistent access to victim networks for espionage purposes. This is achieved through phishing attacks to gain access to user credentials and by exploiting vulnerabilities in VPNs to deliver malware. The APT groups are mostly focused on think tanks involved in international affairs and national security policy.
Think tanks can have a major influence on U.S. policies, so it is no surprise that they are being targeted by nation-state-backed APT groups. These groups are gaining access to networks, exfiltrating data, and have been observed keylogging, collecting audio, credential dumping, downloading files, stealing emails and more, according to the CISA/FBI joint alert.
The APT groups attempt to steal state-of-the-art technology and information that will give their countries a strategic advantage and accelerate their own projects. However, think tanks have been warned that the theft of intellectual property is only one of the aims of the attacks. Other malicious actions observed include delivering ransomware and wiper malware, hijacking computing resources to mine cryptocurrency, and conducting distributed denial of service attacks.
The phishing attacks observed are sophisticated and use clever social engineering techniques to fool individuals into installing malware or disclosing login credentials, oftentimes impersonating trusted third parties.
The COVID-19 pandemic has increased the number of people working from home, and the greater reliance on remote connectivity has created weaknesses that are being exploited. Security flaws in VPNs and other remote access services are being exploited, and the larger number of remote connections and the use of personal devices make it far easier for APT groups to blend in and evade detection by security teams.
In addition to phishing attacks and VPN exploits, APT groups have been observed conducting brute force attacks to guess weak passwords, using stolen or illegally purchased user credentials, and conducting supply-chain compromise attacks.
APT groups in Russia, North Korea, and Iran are believed to be targeting think tanks. CISA and the FBI recommend that think tanks “immediately adopt a heightened state of awareness” and take steps to strengthen their security posture. A long list of mitigations has been provided to help them achieve this.