EXCLUSIVE: Russia-Backed DNC Hackers Strike Washington Think Tanks
The same Kremlin-backed group that hacked the Pentagon, State Department, and DNC targeted DC insiders last week.
Last week, one of the Russia-backed hacker groups that attacked Democratic computer networks also attacked several Russia-focused think tanks in Washington, D.C., Defense One has learned.
The perpetrator is the group called COZY BEAR, or APT29, one of the two groups that cybersecurity company CrowdStrike blamed for the DNC hack, according to founder Dmitri Alperovitch. CrowdStrike discovered the attack on the DNC and provides security for the think tanks.
Alperovitch said fewer than five organizations and 10 staffers researching Russia were hit by the “highly targeted operation.” He declined to detail which think tanks and researchers were hit, out of concern for his clients’ interests and to avoid revealing tools and techniques or other data to hackers. CrowdStrike alerted the organizations immediately after the company detected the breaches and intruders were unable to exfiltrate any information, Alperovitch said.
Defense One reached out to several think tanks with programs in Russian research, one of which was the Center for Strategic and International Studies, or CSIS. “Last week we were under attack, but our small staff was very responsive. Beyond that, I'm not going to discuss the details because it is under active investigation,” the H. Andrew Schwartz, CSIS Senior Vice President for External Relations, said in an email.
James Andrew Lewis, Senior Vice President and director, strategic technologies program, at CSIS said, “It's like a badge of honor — any respectable think tank has been hacked. The Russians just don't get the idea of independent institutions, so they are looking for secret instructions from Obama. Another benefit is they can go to their bosses and show what they took to prove their worth as spies.”
Defense One contacted several think tanks with programs related to Russia. Most wrote back immediately and said that they had not been targeted. Harvard’s Belfer Center for Science and International Affairs said, “We have a policy of not commenting on Center security.” We will update this post if we hear back from others.
The hackers could have been trying to access data and information from officials that serve on the boards of prominent Washington think tanks, Alperovitch speculated. “Many of these people are former government officials that still advise current government officials,” said Alperovitch. The goal could have been “to look at their communications with government officials to see if they may have some plundered information that's been shared with them, or use them as a way to target government.”
Alperovitch said the think tanks were using CrowdStrike’s Falcon cybersecurity software, a 2mb endpoint management tool that enables CrowdStrike to monitor its clients’ networks for intrusions, including sophisticated remote access tools whose signatures would not show up on regular network traffic. “Think of it as a video camera that's recording everything that's executing. You open up Word, you open up Outlook and another process launches a network connection, which gets recorded and gets streamed to our cloud where we do machine learning and behavioral analytics on that… That's exactly what happened here. We picked up that there was a spearphish and immediately an alert went out. Our people contacted [the clients] and said okay, this is pretty serious, you need to contain this machine right away,” he said.
The cybersecurity company FireEye first discovered the group COZY BEAR, which they dubbed APT29, back in 2014. “APT29 is among the most capable groups that we track. While other APT groups try to cover their tracks to thwart investigators, APT29 stands out. They show discipline and consistency in reducing or eliminating forensic evidence, as well as adaptability in monitoring and circumventing network defenders’ remediation efforts,” they said in this blog post last year.
CrowdStrike and other cybersecurity researchers believe COZY BEAR is linked to the Russian Federal Security Service, or FSB. The list of U.S. entities they’ve staged successful attacks against includes the White House, the State Department, and the Joint Chiefs of Staff’s unclassified system.
The other Russian hacking group that CrowdStrike and other cybersecurity researchers have said was behind the DNC hack is known as FANCY BEAR, or APT28, which many in the cybersecurity community believe to be connected to the Russian military. Researchers also suspect FANCY BEAR to be behind the leaking of DNC documents to Wikileaks.
Importantly, while FANCY BEAR breached the DNC in April of this year, CrowdStrike’s research shows that COZY BEAR was on the network far longer, going back to the summer of 2015, potentially allowing them to access exponentially more information. Researchers consider them one of the most advanced persistent threat groups currently in operation.
Since those well-publicized hacks, COZY BEAR has improved the tools and techniques it uses considerably, according to Alperovitch, improving its ability to operate without detection and scaling up further its ability to move rapidly within a network after initial compromise. In this case, the spearphish, the perpetrators lured victims to open emails by using fake emails from known think tanks and geopolitical consultancy groups. He told Defense One that CrowdStrike was able detect the intrusion right away but it took one of the infected institutions 30 minutes to isolate that system from other machines on the network, “by that time, they were already in several systems.”
Rapid, lateral movement between machines, even after detection, is in keeping with the way COZY BEAR operates. After a targeted individual opens an email with a link to a bad domain, the target’s machine will download a remote access tool or RAT (in this case Microsoft Excel and Word docs.) That lets the hacker into the system. In the case of COZY BEAR, the hacker then attempts to map the network in search of other system to move to after initial detection. The hacker “starts typing away, like okay; What does the network look like? What other machines can I jump on from this machine? What permissions do I have,” he said.