Showing posts with label cyberattacks on think tanks.

Wednesday, January 24, 2018

China Targeted US Think Tanks Doing Military Research

China seems to be stepping up efforts to target think tankers who work on defense and military affairs.  Here is more from CrowdStrike:

In late October and early November, 2017, CrowdStrike® Falcon Intelligence™ observed People’s Republic of China (PRC)-based actors conducting espionage-driven targeted attacks against at least four Western think tanks and an additional two non-governmental organizations (NGOs). This marks a significant increase in China-based activity from months prior, as the majority of observed activity in Q3 was predominantly focused on Southeast and East Asia. The previous “smash-and-grab” type of cyber operations, which typically characterized a majority of pre-2016 PRC espionage cases, appear to have ceased in favor of much more targeted intrusions focused on specific outcomes.
Previous operations targeting think tanks resembled the digital equivalents of so-called smash-and-grab robberies: the attackers indiscriminately exfiltrated data, vacuuming up whatever information was available. However, in these most recent incidents, adversaries specifically targeted the communications of foreign personnel involved in Chinese economic policy research and the Chinese economy, as well as users with noted expertise in defense, international finance, U.S.-Sino relations, cyber governance, and democratic elections.
An interesting case study was observed by both CrowdStrike Services and the Falcon OverWatch™ managed hunting team in late October 2017, when a China-based adversary attempted to compromise the web server of a think tank. The specific target appeared to be related to an ongoing military research project. As with many of the currently observed Chinese targeted intrusions, the adversary attempted to use China Chopper for reconnaissance and lateral movement after logging in via an account compromised by spear phishing. As is prevalent among CrowdStrike customers, webshell blocking was enabled in the Falcon platform, which prevented the actor from using the webshell to run any commands.

A number of think tanks in the US conduct military research, including the Center for Strategic and International Studies (CSIS), Atlantic Council, RAND Corporation, Brookings Institution, Carnegie Endowment for International Peace, Council on Foreign Relations (CFR), Heritage Foundation, and Center for a New American Security (CNAS).
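The CrowdStrike excerpt above says the adversary was stopped because webshell blocking prevented China Chopper from running commands, but it does not say what that traffic looked like from the defender's side. The following is an added example, not CrowdStrike's or Think Tank Watch's code, of the kind of triage a think tank's own web team can run over an ordinary web server access log: a webshell is a script file the deployment never put on the server, driven by an attacker over plain HTTP POSTs, so POSTs to unknown script paths, repeated POSTs with no Referer, and non-browser User-Agents are the signals checked. The log format (Apache/nginx "combined"), the deployment manifest, the thresholds, and every address, path and timestamp below are constructed assumptions for the example.

```python
"""Heuristic webshell-traffic triage over web server access logs.

Added example, not code from the page or from CrowdStrike. All log lines,
addresses, paths and the deployment manifest are constructed for illustration.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions worth watching for POST traffic.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".php", ".jsp")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_webshell_activity(lines, deployed_scripts, min_posts=3):
    """Return {(ip, path): [reasons]} for client/script pairs whose POST
    traffic looks like webshell use rather than normal site use.

    deployed_scripts: the set of script paths the site is known to serve
    (taken from the deployment manifest). A POST to any other script file
    is the strongest single signal, because a webshell is by definition a
    file the deployment did not put there.
    """
    posts = defaultdict(list)  # (ip, path) -> parsed POST requests
    for line in lines:
        req = parse_line(line)
        if req is None or req["method"] != "POST":
            continue
        path = req["path"].split("?", 1)[0].lower()
        if path.endswith(SCRIPT_EXTENSIONS):
            posts[(req["ip"], path)].append(req)

    findings = {}
    for (ip, path), reqs in posts.items():
        reasons = []
        if path not in deployed_scripts:
            reasons.append("POST to script file not in deployment manifest")
        # Browser form submissions carry a Referer; scripted shell clients usually do not.
        if len(reqs) >= min_posts and all(r["referer"] in ("", "-") for r in reqs):
            reasons.append(f"{len(reqs)} POSTs with no Referer (scripted client, not a browser form)")
        # Real browsers send long User-Agent strings; a bare token is a weak but useful hint.
        if any(len(r["ua"]) < 20 for r in reqs):
            reasons.append("unusually short User-Agent")
        if reasons:
            findings[(ip, path)] = reasons
    return findings


# Constructed sample log: two normal browser requests, then a burst of POSTs
# to a script file under an upload directory that the site never deployed.
SAMPLE_LOG = """\
198.51.100.10 - - [27/Oct/2017:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/56.0"
198.51.100.10 - - [27/Oct/2017:09:12:09 +0000] "POST /contact.php HTTP/1.1" 302 0 "https://thinktank.example/contact.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/56.0"
203.0.113.7 - - [27/Oct/2017:23:41:10 +0000] "POST /uploads/banner.aspx HTTP/1.1" 200 214 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Oct/2017:23:41:12 +0000] "POST /uploads/banner.aspx HTTP/1.1" 200 1930 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Oct/2017:23:41:15 +0000] "POST /uploads/banner.aspx HTTP/1.1" 200 88 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Oct/2017:23:41:20 +0000] "POST /uploads/banner.aspx HTTP/1.1" 500 0 "-" "Mozilla/4.0"
"""

# Constructed deployment manifest of script paths the site legitimately serves.
DEPLOYED_SCRIPTS = {"/index.php", "/contact.php", "/login.php"}


def run_sample():
    """Run the triage over the constructed sample log."""
    return triage_webshell_activity(SAMPLE_LOG.splitlines(), DEPLOYED_SCRIPTS)


if __name__ == "__main__":
    for (ip, path), reasons in run_sample().items():
        print(f"{ip} -> {path}")
        for reason in reasons:
            print(f"  - {reason}")
```

The manifest check is the one that matters: the other two signals only rank findings, since a legitimate integration can also POST without a Referer. In a real deployment the manifest comes from the build or configuration-management system, and the same unknown-script finding should trigger a file-integrity check on the web root rather than being acted on from the log alone.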

Tuesday, November 17, 2015

BAE: Reading Think Tank Reports Can Harm Your Company

The threat intelligence department of defense giant BAE Systems says that even though think tanks have been the subject of targeted cyber attacks for quite some time, it has seen a particularly aggressive campaign against think tanks over the past year.

BAE says that think tanks are attractive targets because they have an unusual combination of a high level of trust among the participants with relatively low resources for defense.

In a video with James Hatch, Director of Cyber Services at BAE Systems Applied Intelligence, the attacks against think tanks are described in more detail:
Attackers want to access think tank networks for two purposes: Firstly, they are interested in the conversations and policy discussions that go on within those organizations, and secondly, they are interested in using them as staging posts to attack major corporations and government departments. They'll do this either by compromising email infrastructure to be able to set up spear-phishing attacks or by compromising websites to be able to set up watering hole attacks.
We recently investigated an attack on a major think tank where their website was compromised.  The compromise was undertaken using an exploit that had only been publicly known about for a few days.  Anyone who accessed the website would have had software downloaded on their machine that would have given a toehold to the attackers.  Given the nature of that think tank, most of the people accessing that website would have been doing so from the machines of major corporations.  We traced the attack group to be a nation-state with a particular interest in commercial espionage.

In other words, think tanks could very likely be exposing your business to cyber attacks and espionage. 

As Think Tank Watch has reported, during the past few years, it has been publicly (and privately) disclosed that nearly every major US think tank has been hacked.  Besides attacks on Heritage and Urban Institute, Think Tank Watch has documented hacks on think tanks such as the Aspen Institute, Brookings, American Enterprise Institute (AEI), Center for American Progress (CAP), Council on Foreign Relations (CFR), and Center for Strategic and International Studies (CSIS).