
Relentless cyber threat organizations focus on infiltrating American research institutions, as reported by CISA

Cybercriminal organizations like Cozy Bear consistently target research and policy think tanks with sophisticated and prolonged attacks.


Cyber Threat Alert: APT Groups Targeting Think Tanks


Microsoft recently reported tracking malicious activity from a group linked to the same Advanced Persistent Threat (APT) group that targeted the Democratic National Committee (DNC) in 2016. The group, known as Strontium, Fancy Bear, and APT28, is believed to have origins in Russia.

One of the malware families associated with Strontium is RegDuke, which uses Dropbox as its command and control (C&C) server and stores its main payload encrypted on disk. Another family, CosmicDuke, had been added to Strontium's toolset by 2015; it is known for running PinchDuke on the same infected machine and collecting data in parallel with it.

Analysis by CrowdStrike indicates that Fancy Bear accessed the DNC's network a few months before the attacks, in 2015, while Cozy Bear, another APT group also linked to Strontium, had accessed the networks in 2015 as well.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint alert for think tanks, warning of persistent cyber intrusions by APT actors. The importance of think tanks in shaping U.S. policy makes them attractive targets for these groups.

Researchers are currently investigating Operation Ghost, whose tactics, techniques, and tools are linked to Cozy Bear. The operation used the PolyglotDuke, RegDuke, and FatDuke malware families.

In 2018, Microsoft found attacks against at least 104 think tanks in Belgium, France, Germany, Poland, Romania, and Serbia during the last quarter of the year. Well-known APT groups have a long and successful history of targeting research institutes.

The agencies advise organizations to segment and segregate their networks, enforce multifactor authentication, encrypt data at rest, and disable remote services that are not in use. These measures reduce the attack surface that the sophisticated tactics of APT groups depend on.

As the U.S. finalizes the 2020 presidential election results, it is crucial for think tanks and other organizations to remain vigilant against cyber threats. APT29, also known as Cozy Bear, has not let up its attacks in 2020, according to cybersecurity analyst Tomer Bar. The group's operational tempo in 2020 is still being investigated.

Attackers gain access to a target's network through spearphishing or by leveraging Virtual Private Networks (VPNs). Organizations need to be aware of both entry routes and secure them accordingly.
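The two mitigations above that a defender can check directly from logs are multifactor authentication on remote access and abuse of VPN logins. The following is an added example, not code from CISA, the FBI, or this article: it parses a constructed VPN authentication log (the line format and the usernames and addresses are assumptions made up for the example) and flags successful logins that skipped MFA, and successful logins that follow a burst of failures for the same account, a pattern consistent with a phished or guessed password being tried.

```python
"""Added example: review constructed VPN authentication logs for two signals
the CISA/FBI mitigations speak to. The log format below is an assumption
for this example, not any vendor's real format."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO timestamp> vpn user=<name> src=<ip> result=<success|failure> mfa=<yes|no>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOGS = """\
2020-12-01T08:01:10Z vpn user=alice src=203.0.113.5 result=success mfa=yes
2020-12-01T08:02:00Z vpn user=bob src=198.51.100.7 result=failure mfa=no
2020-12-01T08:02:05Z vpn user=bob src=198.51.100.7 result=failure mfa=no
2020-12-01T08:02:09Z vpn user=bob src=198.51.100.7 result=failure mfa=no
2020-12-01T08:02:20Z vpn user=bob src=198.51.100.7 result=success mfa=no
2020-12-01T09:15:00Z vpn user=carol src=192.0.2.44 result=success mfa=no
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_logs(text):
    """Parse every non-empty line, silently dropping lines that do not match."""
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e is not None]


def logins_without_mfa(events):
    """Successful logins that did not complete multifactor authentication."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "success" and e["mfa"] == "no"]


def success_after_failure_burst(events, min_failures=3, window_seconds=120):
    """Users whose successful login was preceded, within window_seconds, by at
    least min_failures failed attempts. Returns (user, src, failure_count)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent_failures = [
                f for f in evs[:i]
                if f["result"] == "failure"
                and (e["ts"] - f["ts"]).total_seconds() <= window_seconds
            ]
            if len(recent_failures) >= min_failures:
                flagged.append((user, e["src"], len(recent_failures)))
    return flagged


def review_vpn_logs(text):
    """Run both checks over a log text and return the findings by category."""
    events = parse_logs(text)
    return {
        "no_mfa": logins_without_mfa(events),
        "burst_then_success": success_after_failure_burst(events),
    }


if __name__ == "__main__":
    for category, findings in review_vpn_logs(SAMPLE_LOGS).items():
        print(category, findings)
```

On the constructed sample, the MFA check flags bob and carol, and the burst check flags only bob, whose success came eleven seconds after the third failure. The window and failure threshold are parameters because the right values depend on how noisy a given VPN's legitimate retries are.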

The advanced persistent threat group APT29 currently targets U.S. government agencies, intergovernmental organizations, NGOs, and think tanks, primarily for espionage and surveillance as part of nation-state cyber operations. Between 2016 and 2019 the group deployed its malware in stages, starting with PolyglotDuke, which retrieved its C&C URL from posts on Twitter and Reddit and relied on image steganography for C&C communication.

In conclusion, the ongoing threat from APT groups requires organizations, and think tanks in particular, to stay ahead of the attackers. By implementing the recommended practices and keeping up with the latest tactics these groups use, organizations can protect themselves and the information they hold.
