Why think tanks are such juicy targets for cyberspies

A new report from Microsoft puts a spotlight on the cyberfront of the Russian invasion of Ukraine — including cyberespionage against think tanks outside Ukraine which can be valuable targets for intelligence gathering or launchpads for additional campaigns. 

In the report released Wednesday, Microsoft said it “has detected Russian network intrusion efforts on 128 targets in 42 countries outside Ukraine.” Roughly half of the attacks targeted government agencies, but 12 percent were non-government organizations (NGOs), primarily think tanks with foreign policy expertise or groups assisting in the humanitarian efforts to assist Ukrainian refugees, according to the company. 

“Since the start of the war, the Russian targeting we’ve identified has been successful 29 percent of the time,” the report said. A quarter of those intrusions led to confirmed data exfiltration, but Microsoft warned that figure “likely understates the degree of Russian success.”

Think tanks and nonprofit organizations have long been targeted in cyberespionage efforts in part because their staff often includes former or future government officials which can be valuable direct sources of intelligence, especially in times of conflict. 

For example, in 2014 a wave of cyberspying attributed to China included hacks that targeted Middle East experts at U.S. think tanks. 

By 2017, Crowdstrike reported Chinese cyberespionage continued, but had grown more sophisticated in their targeting of think tanks — including exfiltration of information that could make it easier to conduct spear phishing attacks that leverage the identities of affiliates to attack those in their professional networks. 

Spear phishing is when attackers use a compromised account from an already compromised trusted sender to. And the experts at think tanks are often already in regular contact with policymakers — making them ideal proxies for this type of attack. 

But even if attackers haven’t broken into a think tank, they may still try to leverage the role of think tanks in targeting tactics. 

Cybersecurity firm Volexity reported in 2018 an India-based threat actor known as Patch APT was targeting U.S. think tanks with spear phishing attacks that relied on compromised documents tailored to relevant geopolitical issues.

“In three observed spear phishing campaigns, the threat actors leveraged domains and themes mimicking those of well-known think tank organizations in the United States,” Volexity reported. Essentially, attempting to hijack the reputations of the Center for Strategic and International Studies (CSIS), the Council on Foreign Relations (CFR), and the Mercator Institute for China Studies (MERICS) in efforts to lure victims.

In December 2020, the U.S. Cybersecurity and Infrastructure Security Agency issued an alert about sophisticated adversaries targeting domestic think tanks — leveraging complexity around remote work and the blending of personal and work networks during the pandemic. 

“Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks,” the agency warned.

CISA noted the “importance that think tanks can have in shaping U.S. policy” and urged “individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness” and deploy the agency’s policy recommendations. 

After revelations about the software supply chain compromise of SolarWinds later that month — thought to be the work of Russian government-affiliated hackers — Volexity tied past incidents involving attacks on a U.S. think tank to the exploit. 

In May of last year, Microsoft reported a recent campaign from the threat actor behind the SolarWind compromise that used spear phishing from a compromised vendor email account used by United States Agency for International Development (USAID) to target organizations, including think tanks, across 24 countries. 

“At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work,” Microsoft wrote. 

In the latest report, Microsoft says Russia is not only deploying cyber as part of the hybrid warfare playing out on the ground in Ukraine, but across a much wider digital front that includes cyberespionage and vast misinformation campaigns.  

This new era of digital conflict requires a more comprehensive response, according to the company. 

“The cyber defense of Ukraine relies critically on a coalition of countries, companies, and NGOs,” the report concluded.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Andrea Peterson

Andrea Peterson

(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.