Multiple think tanks in Washington, D.C., were recently breached by the Russia-backed hacker group Cozy Bear (also referred to as APT29), sources have revealed to Patrick Tucker, Defense One's technology editor.
These attacks were part of a "highly targeted operation" focused on think tanks researching Russia, according to Dmitri Alperovitch, founder of cybersecurity company CrowdStrike. Alperovitch declined to disclose the targets' identities to Defense One, though Tucker reached out to several potential clients, including the Center for Strategic and International Studies, which confirmed an active investigation into an intruder is ongoing.
However, no information was exfiltrated from the fewer than five organizations and 10 staffers hit, Alperovitch told Defense One, though he believes the group's objective could have been to view think tank "communications with government officials to see if they may have some plundered information that's been shared with them, or use them as a way to target government."
CrowdStrike, which previously discovered Cozy Bear’s involvement in hacking Democratic National Committee computers, provides the think tanks with endpoint management tools to monitor networks for intrusions. In this instance, CrowdStrike’s Falcon software was able to detect the infection right away and systems were isolated, but Cozy Bear has shown increasing adaptability.
Cozy Bear — which is believed to be linked to the Russian Federal Security Service and has staged attacks on the White House, State Department and Joint Chiefs of Staff — gained access through a spear-phishing technique. Spoof emails from familiar, trusted organizations and officials contained URLs to domains that would download Microsoft Office documents that act as remote access tools. Group members then execute rapid searches of system structure, looking for permissions needed to advance through the network and stay ahead of detection as they extract data.
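The intrusion path described above combines a sender that looks familiar with a link that resolves elsewhere and delivers an Office document. The following is an added illustration, not code from Defense One, CrowdStrike or the article's sources, of the kind of mail-gateway check a defender can run for that pattern: it compares each link's domain with the claimed sender's domain, flags near-identical lookalike domains, and flags links whose target is an Office document. The message samples, the domain names and the similarity threshold are constructed for the example.

```python
# Added example: a minimal mail-gateway check for the spear-phishing pattern
# described in the article (familiar-looking sender, off-domain link that
# fetches an Office document). Sample messages below are constructed.
import os
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".dot", ".dotm",
                     ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm", ".rtf"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LOOKALIKE_THRESHOLD = 0.75   # assumption for the example, not a published figure


def registrable_domain(host):
    """Naive registrable domain: last two labels (assumption; a real gateway
    would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(body):
    """Pull every http(s) URL out of a plain-text message body."""
    return URL_RE.findall(body)


def is_lookalike(sender_domain, link_domain):
    """Different domains that are nearly identical character-for-character."""
    if sender_domain == link_domain:
        return False
    ratio = SequenceMatcher(None, sender_domain, link_domain).ratio()
    return ratio >= LOOKALIKE_THRESHOLD


def assess_message(from_addr, body):
    """Return {'suspicious': bool, 'findings': [str, ...]} for one message.

    A message is marked suspicious when at least one link is both off the
    sender's domain and points at an Office document, which is the
    combination the article describes."""
    findings = []
    suspicious = False
    sender_domain = registrable_domain(from_addr.split("@")[-1])
    for url in extract_links(body):
        parsed = urlparse(url)
        link_domain = registrable_domain(parsed.hostname or "")
        off_domain = link_domain != sender_domain
        ext = os.path.splitext(parsed.path)[1].lower()
        office_doc = ext in OFFICE_EXTENSIONS
        if off_domain:
            findings.append(f"link domain {link_domain} differs from sender domain {sender_domain}")
        if off_domain and is_lookalike(sender_domain, link_domain):
            findings.append(f"link domain {link_domain} is a lookalike of {sender_domain}")
        if office_doc:
            findings.append(f"link fetches an Office document: {parsed.path}")
        if off_domain and office_doc:
            suspicious = True
    return {"suspicious": suspicious, "findings": findings}


# Constructed samples: a benign internal agenda and a lookalike-domain lure.
BENIGN = ("events@example-institute.org",
          "Agenda for Thursday: https://example-institute.org/events/agenda.pdf")
LURE = ("press@example-institute.org",
        "Please review the briefing before the call: "
        "https://downloads.example-inst1tute.net/briefing.docm")

if __name__ == "__main__":
    for sender, body in (BENIGN, LURE):
        result = assess_message(sender, body)
        print(sender, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

The check is deliberately conservative: an off-domain link alone is common in legitimate mail, so only the combination with an Office-document target raises the verdict, while the individual findings are kept so an analyst can see why a message was held.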