This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) continue to observe persistent cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[1] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.
APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.
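The paragraph above notes that attackers use VPNs and other remote work tools to blend in with increased telework traffic. As an added example (not part of the advisory, which gives no log format or detection logic), the Python script below shows two triage checks a defender can run over VPN connection logs: a connect from a country absent from the account's baseline, and a connect from a second source IP while the same account still has a session open. The log layout, the sample lines, the per-account baseline and the rule names are constructed assumptions.

```python
"""Triage VPN connection logs for two signs of an account being used from
an unexpected place while legitimate telework traffic is high.

Added example for this advisory page; it is not CISA/FBI code. The
advisory gives no log format, so the line layout, the sample lines, the
per-account country baseline and the two rules below are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample (assumed layout: timestamp user src_ip country action).
# Addresses come from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2020-11-30T08:02:11Z alice 203.0.113.10 US connect
2020-11-30T08:05:40Z bob   198.51.100.7 US connect
2020-11-30T08:09:03Z alice 203.0.113.10 US disconnect
2020-11-30T13:14:55Z alice 203.0.113.10 US connect
2020-11-30T13:20:02Z alice 192.0.2.44   RO connect
2020-11-30T13:41:19Z bob   198.51.100.7 US disconnect
2020-12-01T02:03:30Z carol 192.0.2.99   CN connect
"""

# Assumed baseline: countries each account connected from during a prior
# observation window (for example the previous 30 days). carol has no history.
KNOWN_COUNTRIES: dict[str, set[str]] = {"alice": {"US"}, "bob": {"US"}}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_ip: str
    country: str
    action: str  # "connect" or "disconnect"


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated log lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines instead of aborting triage
        ts, user, src_ip, country, action = fields
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, src_ip, country, action))
    return sorted(events, key=lambda e: e.ts)


def analyze(text: str, baseline: dict[str, set[str]]) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, user, rule, detail) findings.

    Rules (names are this example's own):
      new_country         connect from a country not in the account's baseline
      concurrent_sources  connect while the same account still has an open
                          session from a different source IP
    """
    findings = []
    open_sessions: dict[str, dict[str, datetime]] = defaultdict(dict)  # user -> {src_ip: ts}
    for ev in parse_log(text):
        if ev.action == "disconnect":
            open_sessions[ev.user].pop(ev.src_ip, None)
            continue
        if ev.action != "connect":
            continue
        if ev.country not in baseline.get(ev.user, set()):
            findings.append((ev.ts, ev.user, "new_country", ev.country))
        others = [ip for ip in open_sessions[ev.user] if ip != ev.src_ip]
        if others:
            findings.append((ev.ts, ev.user, "concurrent_sources",
                             f"{ev.src_ip} while {', '.join(others)} still connected"))
        open_sessions[ev.user][ev.src_ip] = ev.ts
    return findings


def run_sample() -> list[tuple[datetime, str, str, str]]:
    """Run both rules over the constructed sample log."""
    return analyze(SAMPLE_LOG, KNOWN_COUNTRIES)


if __name__ == "__main__":
    for ts, user, rule, detail in run_sample():
        print(f"{ts.isoformat()} {user:6} {rule:19} {detail}")
```

Both rules are triage signals, not blocking decisions: a laptop-to-phone handover produces a brief overlap of two source IPs, and travel produces a first-seen country. Review each hit against the account's MFA events and the user's expected location before treating it as an intrusion.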
Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.
CISA created the following MITRE ATT&CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.
CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.
Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.
Initial Version: December 1, 2020
[1] FBI Private Industry Notification (PIN) dated April 9, 2020, mirrored at image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf
MITRE ATT&CK v7 references from the profile table. Every ID below resolves under attack.mitre.org/versions/v7/ (tactics at tactics/TAxxxx, techniques at techniques/Txxxx, sub-techniques written Txxxx.yyy at techniques/Txxxx/yyy). The ATT&CK for Enterprise technique index is at attack.mitre.org/versions/v7/techniques/enterprise/.

Tactics: TA0001, TA0002, TA0003, TA0004, TA0005, TA0006, TA0007, TA0008, TA0009, TA0010, TA0011, TA0040

Techniques and sub-techniques:
T1001.001, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1005, T1007, T1008, T1012
T1014, T1016, T1018, T1021.001, T1021.004, T1025, T1027.001, T1027.002, T1027.003, T1027.005
T1033, T1036.005, T1037.001, T1040, T1041, T1046, T1047, T1048.003, T1049, T1053.005
T1055, T1055.012, T1056.001, T1057, T1059.001, T1059.003, T1059.004, T1059.005, T1059.006, T1068
T1069.001, T1069.002, T1070.001, T1070.003, T1070.004, T1070.006, T1071.001, T1071.002, T1071.003, T1071.004
T1074.001, T1078, T1078.004, T1080, T1082, T1083, T1087.001, T1087.002, T1090.002, T1090.003
T1090.004, T1091, T1092, T1095, T1098.002, T1102.001, T1102.002, T1104, T1105, T1106
T1110.002, T1110.003, T1112, T1113, T1114.001, T1114.002, T1119, T1120, T1123, T1132.001
T1133, T1134.001, T1135, T1136.001, T1137.002, T1137.004, T1140, T1176, T1187, T1189
T1190, T1195.002, T1197, T1199, T1201, T1203, T1204.001, T1204.002, T1210, T1211
T1213.002, T1218.001, T1218.005, T1218.011, T1219, T1221, T1480.001, T1486, T1496, T1505.003
T1518.001, T1528, T1529, T1542.003, T1543.003, T1546.001, T1546.003, T1546.008, T1546.015, T1547.001
T1547.009, T1548.002, T1550.001, T1550.002, T1550.003, T1552.001, T1552.006, T1553.002, T1555.003, T1559.002
T1560.001, T1560.003, T1561.002, T1562.001, T1562.004, T1564.001, T1564.003, T1566.001, T1566.002, T1566.003
T1568.002, T1569.002, T1571, T1572, T1573.001, T1573.002, T1574.002
Resources linked from this advisory:
Alert AA20-120A, Microsoft Office 365 Security Recommendations: us-cert.cisa.gov/ncas/alerts/aa20-120a
Alert AA20-133A, Top 10 Routinely Exploited Vulnerabilities: us-cert.cisa.gov/ncas/alerts/aa20-133a
Alert AA20-183A, Defending Against Malicious Cyber Activity Originating from Tor: us-cert.cisa.gov/ncas/alerts/aa20-183a
Alert AA20-245A, Technical Approaches to Uncovering and Remediating Malicious Activity: us-cert.cisa.gov/ncas/alerts/aa20-245a
PDF version of this advisory: us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf
CISA telework guidance: www.cisa.gov/telework
CISA VPN-related guidance: www.cisa.gov/vpn-related-guidance
CyberScoop reporting on Microsoft's disclosure of attacks on European think tanks attributed to Fancy Bear: www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/
Security Tip ST04-010, Using Caution with Email Attachments: www.us-cert.gov/ncas/tips/ST04-010