The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent, continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy, says CISA. The guidance is aimed at assisting U.S. think tanks in developing network defense procedures to prevent, or rapidly detect, these attacks.

APT actors have relied on multiple avenues for initial access, says CISA. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.
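The advisory's point that remote-access abuse "blends in with increased traffic" is exactly why VPN authentication logs need more than a pass/fail check. The following is an added illustration, not code from CISA, the FBI or Lookout: it runs three simple heuristics over a constructed, hypothetical VPN log format (ISO timestamp, `user=`, `src=`, `country=`, `result=` fields, all assumed) and flags a successful login from a country outside the user's baseline, overlapping sessions from two different source addresses within an hour, and a success that immediately follows a burst of failures.

```python
"""Triage constructed VPN authentication logs for signs of remote-access abuse.

The log format below is an assumption for this example, not a format named in
the CISA/FBI advisory:
    <ISO-8601 UTC timestamp> user=<name> src=<ip> country=<CC> result=<success|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range IPs), not real telemetry.
SAMPLE_LOGS = """\
2020-12-01T08:02:11Z user=analyst1 src=203.0.113.10 country=US result=success
2020-12-01T08:05:40Z user=analyst2 src=198.51.100.7 country=US result=success
2020-12-01T08:30:02Z user=analyst1 src=203.0.113.10 country=US result=success
2020-12-01T09:10:55Z user=analyst1 src=192.0.2.44 country=RO result=success
2020-12-01T09:12:13Z user=analyst2 src=198.51.100.7 country=US result=success
2020-12-01T09:15:00Z user=analyst3 src=192.0.2.99 country=US result=fail
2020-12-01T09:15:05Z user=analyst3 src=192.0.2.99 country=US result=fail
2020-12-01T09:15:09Z user=analyst3 src=192.0.2.99 country=US result=success
"""

# Assumed per-user baseline of countries seen during normal work; in practice
# this would be learned from historical logins or an HR/travel system.
BASELINE = {"analyst1": {"US"}, "analyst2": {"US"}, "analyst3": {"US"}}


def parse(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_suspicious(log_text, baseline_countries,
                    concurrent_window=timedelta(hours=1),
                    fail_window=timedelta(minutes=5), fail_threshold=2):
    """Return (user, reason, detail) tuples for successful logins that look off."""
    findings = []
    last_success = {}              # user -> (ts, src, country) of latest success
    fails = defaultdict(list)      # user -> timestamps of failed attempts
    for line in log_text.splitlines():
        r = parse(line)
        user = r["user"]
        if r["result"] != "success":
            fails[user].append(r["ts"])
            continue
        # 1. Success from a country the user has never logged in from before.
        if r["country"] not in baseline_countries.get(user, set()):
            findings.append((user, "new_country", r["country"]))
        # 2. Success from a different source IP while a recent session from
        #    another IP could still be active (two "offices" at once).
        prev = last_success.get(user)
        if prev and prev[1] != r["src"] and r["ts"] - prev[0] <= concurrent_window:
            findings.append((user, "overlapping_sessions", f"{prev[1]}->{r['src']}"))
        # 3. Success right after repeated failures: a guessed or sprayed
        #    password that finally landed.
        recent_fails = [t for t in fails[user] if r["ts"] - t <= fail_window]
        if len(recent_fails) >= fail_threshold:
            findings.append((user, "success_after_failures", str(len(recent_fails))))
        last_success[user] = (r["ts"], r["src"], r["country"])
    return findings


if __name__ == "__main__":
    for user, reason, detail in find_suspicious(SAMPLE_LOGS, BASELINE):
        print(f"{user:10s} {reason:24s} {detail}")
```

None of these rules is conclusive on its own (a traveling analyst trips the first, a home router re-dial trips the second), which is why the output is a triage list for an analyst rather than an automatic block; the thresholds and the baseline source are the knobs to tune for a real deployment.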

Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of the advisory.

Stephen Banda, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes that cybercriminals are continuously targeting organizations that develop or manage high-value intellectual property, so it makes sense that think tanks are a prime target. In fact, Lookout's latest industry threat report found that 77% of mobile phishing attempts on pharmaceutical organizations through the third quarter of 2020 were intended to deliver malware.

Banda further explains that think tanks should realize that phishing attacks can install a type of mobile malware known as surveillanceware.

"This type of threat can provide an attacker with silent access to a device's microphone and camera so that private conversations can be captured and even quickly transcribed to text. Surveillanceware tools are often used in nation-state-sponsored attacks. For example, this past summer the Lookout Threat Intelligence team discovered four Android surveillanceware tools used by the Chinese government to target the Uyghur ethnic minority group. These malware tools were suspected to be part of a larger mobile advanced persistent threat (mAPT) dating back to 2013," he says. "Unfortunately, despite some of the conveniences and efficiencies that remote work can provide, it has greatly expanded the attack surface for all businesses including think tanks. For instance, the expert team of ten researchers who would typically convene in one central office is now collaborating from ten individual remote offices. Each 'personal office' has its own security requirements and variety of connected mobile and fixed endpoints."

Banda adds, "For those think tanks leveraging a BYOD strategy, personal devices that lack certain data protection controls can introduce risk, which should be properly managed. Therefore, as these endpoints connect to cloud services outside of perimeter protections such as firewalls and VPNs, it is imperative to have modern endpoint protection in place. Considering 85% of mobile phishing attacks occur outside of email, the days of only paying attention to email-based phishing attacks are well past. Phishing attacks are targeting mobile users across text messaging, social messaging platforms, and mobile apps."