CISA, FBI Warn that U.S. Think Tanks Are in Hackers’ Crosshairs

Just Super/

The agencies share guidance for shoring up defenses in a remote work environment that can disguise attackers.

The Cybersecurity and Infrastructure Security Agency and the FBI urged U.S. think tanks—particularly those focused on national security and international affairs—to take steps to mitigate “persistent continued cyber intrusions” from likely state-sponsored groups. 

“Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory,” the alert states

Think tanks are not a novel target. In 2016, COZY BEAR, or APT29, a Russia-linked group tied to the hack of the Democratic National Committee, attacked think tanks with Russian research programs. The other infamous DNC hack group, FANCY BEAR, turned its attention in 2019 to European think tanks working on election integrity.

In the latest wave of activity, the perpetrators hit employees' professional and personal accounts with phishing attempts, but also use the increase in remote work as a cover for their own connections. They’re exploiting web-facing devices, virtual private networks and other remote-work tools to blend in with network traffic. 

CISA and FBI offer several mitigation strategies for users, including training on identifying and avoiding phishing and other social engineering attempts, using different passwords for corporate and personal accounts, enabling multifactor authentication and other cyber hygiene best practices such as running antivirus software and keeping software patches up to date. 

The agencies also offer IT teams expanded recommendations, including changing default passwords for apps and appliances, encrypting data at rest and in transit, additional scanning and potentially blocking certain types of email attachments, disabling printer and file-sharing services, and specific guidance for reducing the risk of TOR-based activities.