Last week, one of the Russia-backed hacker groups that attacked Democratic computer networks also attacked several Russia-focused think tanks in Washington, D.C., Defense One has learned.
The perpetrator is the group called COZY BEAR, or APT29, one of the two groups cybersecurity company CrowdStrike blamed for the DNC hack, according to founder Dmitri Alperovitch. CrowdStrike discovered the attack on the DNC and provides security for the think tanks.
Alperovitch said fewer than five organizations and 10 staffers researching Russia were hit by the “highly targeted operation.” He declined to detail which think tanks and researchers were hit, out of concern for his clients’ interests and to avoid revealing tools and techniques or other data to hackers.
CrowdStrike alerted the organizations immediately after the company detected the breaches and intruders were unable to exfiltrate any information, Alperovitch said.
Defense One reached out to several think tanks with programs in Russian research, one of which was the Center for Strategic and International Studies, or CSIS.
“Last week, we were under attack, but our small staff was very responsive. Beyond that, I’m not going to discuss the details because it is under active investigation,” H. Andrew Schwartz, CSIS senior vice president for external relations, said in an email.
James Andrew Lewis, senior vice president and director, strategic technologies program, at CSIS said: “It’s like a badge of honor—any respectable think tank has been hacked. The Russians just don’t get the idea of independent institutions, so they are looking for secret instructions from Obama. Another benefit is they can go to their bosses and show what they took to prove their worth as spies.”
Defense One contacted several think tanks with programs related to Russia. Most wrote back immediately and said they had not been targeted. Harvard’s Belfer Center for Science and International Affairs said, “We have a policy of not commenting on Center security.” We will update this post if we hear back from others.
The hackers could have been trying to access data and information from officials who serve on the boards of prominent Washington think tanks, Alperovitch speculated.
“Many of these people are former government officials that still advise current government officials,” Alperovitch said. The goal could have been “to look at their communications with government officials to see if they may have some plundered information that’s been shared with them, or use them as a way to target government.”
Alperovitch said the think tanks were using CrowdStrike’s Falcon cybersecurity software, a 2mb endpoint management tool that enables CrowdStrike to monitor its clients’ networks for intrusions, including sophisticated remote access tools whose signatures would not show up on regular network traffic.
“Think of it as a video camera that’s recording everything that’s executing," he said. "You open up Word, you open up Outlook and another process launches a network connection, which gets recorded and gets streamed to our cloud where we do machine learning and behavioral analytics on that… That’s exactly what happened here. We picked up that there was a spearphish and immediately an alert went out. Our people contacted [the clients] and said, 'OK, this is pretty serious, you need to contain this machine right away.'"
The cybersecurity company FireEye first discovered the group COZY BEAR, which it dubbed APT29, back in 2014.
“APT29 is among the most capable groups that we track," FireEye said in this blog post last year. "While other APT groups try to cover their tracks to thwart investigators, APT29stands out. They show discipline and consistency in reducing or eliminating forensic evidence, as well as adaptability in monitoring and circumventing network defenders’ remediation efforts."
CrowdStrike and other cybersecurity researchers believe COZYBEAR is linked to the Russian Federal Security Service, or FSB. The list of U.S. entities it has staged successful attacks against includes the White House, the State Department and the Joint Chiefs of Staff’s unclassified system.
The other Russian hacking group CrowdStrike and other cybersecurity researchers have said was behind the DNC hack is known as FANCY BEAR, or APT28, which many in the cybersecurity community believe to be connected to the Russian military. Researchers also suspect FANCY BEAR to be behind the leaking of DNC documents to WikiLeaks.
Importantly, while FANCY BEAR breached the DNC in April of this year, CrowdStrike’s research shows COZY BEAR was on the network far longer, going back to the summer of 2015, potentially allowing it to access exponentially more information. Researchers consider it one of the most advanced persistent threat groups currently in operation.
Since those well-publicized hacks, COZY BEAR has improved the tools and techniques it uses considerably, according to Alperovitch, improving its ability to operate without detection and scaling up further its ability to move rapidly within a network after initial compromise. In this case, the perpetrators lured victims to open emails by using fake emails from known think tanks and geopolitical consultancy groups.
Alperovitch told Defense One CrowdStrike was able detect the intrusion right away but it took one of the infected institutions 30 minutes to isolate that system from other machines on the network, “by that time, they were already in several systems.”
Rapid, lateral movement between machines, even after detection, is in keeping with the way COZY BEAR operates. After a targeted individual opens an email with a link to a bad domain, the target’s machine will download a remote access tool or RAT (in this case Microsoft Excel and Word docs.) That lets the hacker into the system. In the case of COZY BEAR, the hacker then attempts to map the network in search of other system to move to after initial detection. The hacker “starts typing away, like OK; What does the network look like? What other machines can I jump on from this machine? What permissions do I have,” Alperovitch said.