Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Alert: APT Groups Targeting US Think Tanks
CISA and FBI Say Focus Is on Those Working on International Affairs, National SecurityThe Cybersecurity and Infrastructure Security Agency and the FBI have issued a warning that advanced persistent threat groups are waging cyberespionage campaigns against U.S. think tanks, especially those working on international affairs or national security policy.
See Also: 57 Tips to Secure Your Organization
The alert did not name any think tanks that have been targeted or identify the APT groups involved. But earlier reports from the agencies and researchers have noted that think tanks have been targeted by groups from China and North Korea.
"APT actors have relied on multiple avenues for initial access,” the alert states. “These have included low-effort capabilities such as spear-phishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities."
If intrusion efforts succeed, the APT groups use their access to steal sensitive information and acquire user credentials that will be used to gain further information, the agencies say.
CISA and the FBI say the threat is particularly dangerous because think tanks play a significant role in supporting and shaping U.S. policies.
APT Attack Profile
CISA has created a MITRE ATT&CK profile offering a list of tactics, techniques and procedures the APT groups may use in an attack.
Initial access is often obtained by using valid accounts, gaining access to external remote services such as VPNs, executing drive-by compromises or exploiting a public-facing application, according to the alert.
During the execution phase, CISA has observed attackers using Windows Management Instrumentation or Windows Task Scheduler for initial or recurring execution of malicious code. Native APIs are also among the on-board services used.
The APT groups maintain persistence using 17 methods. These include using boot or logon initialization scripts or the Windows Task Scheduler by creating a new account controlled by the threat actor, or using the Microsoft Office startup test function or Outlook's homepage, according to the alert.
Hackers achieve privilege escalation by injecting code into processes to evade process-based defenses; using token manipulation, which entails duplicating and then impersonating another user's token to escalate privileges; and bypassing access controls or hijacking execution flow, which involves executing malicious payloads by hijacking the library manifest used to load Dynamic Link Libraries, CISA and the FBI note.
Other steps the attackers take include using evasion tactics, attempting to gain additional credential access, conducting recon of the affected system and achieving lateral movement, the alert notes.
The APT group’s goal is to exfiltrate data through a command-and-control server, the alert says. In some cases, the groups may encrypt data, hijack resources or conduct a system wipe or shutdown, according to CISA and the FBI.
To mitigate the risks posted by APT groups, the agencies recommend think tanks use multifactor authentication, segment and segregate networks and functions, change the default username and password of applications and appliances and deploy antivirus software to automatically scan and quarantine suspicious files.
Earlier Alerts
In an October alert, CISA and the FBI provided details on the activities of a North Korean hacking group dubbed Kimsuky that has a track record of attacking think tanks, government agencies and individuals (see: Sizing Up Activities of North Korea's Kimsuky APT Group).
Cybereason reported last month that it had uncovered a fresh set of malicious tools tied to Kimsuky that targeted a U.S. think tank in 2018 (see: Additional Hacking Tools Tied to North Korea-Linked Group).
A Proofpoint report issued in November noted that the China-associated APT group TA416, also known as Mustang Panda and RedDelta, was deploying an updated version of the PlugX remote access Trojan recently rewritten in the Golang programming language. TA416 has targeted think tanks in the U.S., Southeast Asia and Africa, along with diplomatic missions (see: Chinese Hacking Group Rebounds With Fresh Malware).