The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on Tuesday alerted U.S. think tanks to “persistent continued cyber intrusions” from advanced persistent threat groups.
Although the advisory did not name specific victims or incidents, it warned that the attacks are often—but not exclusively—aimed at individuals and organizations involved in national security policy and international affairs. These groups are an attractive target to state-sponsored hackers because they regularly engage with U.S. government personnel and help set political, domestic, foreign, and economic policies, according to an FBI Private Industry Notification distributed earlier this year. Additionally, think tanks often employ former government officials and researchers who may be tapped to join the new presidential administration, and government networks “tend to be more secure and more difficult to access” than a think tank’s, the notification said.
Several individuals who work at think tanks, including Neera Tanden, the president of the Center for American Progress who was recently announced to be Joe Biden’s pick to lead the Office of Management and Budget, have already been tapped to join the new administration.
“It is getting harder to break into federal government agencies directly and conduct influence operations using the front door,” said Dmitry Smilyanets, expert threat intelligence analyst at Recorded Future. “Just imagine APT actors obtaining valid credentials of individuals who used to be high-ranking government employees. Those people still have credibility in certain circles and that kind of access will allow the state-sponsored hackers to get closer to their target.”
Attacks against think tanks are not new: Last February, Microsoft said hackers who appeared to be linked to the Russian group APT28, or Fancy Bear, conducted cyberattacks on employees of the Aspen Institutes in Europe, the German Council on Foreign Relations, and the German Marshall Fund. Russian hackers that year also targeted the Center for Strategic and International Studies, according to a CNN report, and the Institute for Statecraft, Insider reported.
But the alert issued Tuesday is perhaps the most acute warning that the government has issued to think tanks. “CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed,” the alert read.
“Think tanks were always a target. But since the election is over, they got more attention, and CISA has more bandwidth to deal with it,” said Smilyanets.
CISA and the FBI said that attacks don’t seem to follow a specific playbook. Hackers have used spearphishing emails directed at corporate and personal accounts, and have exploited vulnerable web-facing devices and remote connection capabilities, to gain a foothold in the organizations, according to the bulletin.