Showing posts with label think tank hacking. Show all posts

Friday, July 17, 2020

Russia Targeting Think Tanks in Coronavirus Vaccine Hacks

Here is more from the Wall Street Journal:

U.S. and U.K. government officials said a prominent state-backed Russian hacking group is responsible for ongoing cyber espionage against organizations involved in the development of coronavirus vaccines and other healthcare-related work, showing escalating security risks at a crucial time in the global response to the pandemic.
The National Cyber Security Centre, part of the U.K.’s GCHQ electronic-intelligence agency, and backed by U.S. and Canadian security officials, said Thursday they jointly assessed the source of the persistent hacking activity in several countries. The targets, officials said, include governments, think tanks, universities, private companies and other organizations working on vaccine research and testing globally.
They identified the hacking group as Russia-supported APT29, which is also known as Cozy Bear

APT29 has reportedly been involved in past hacking of US and other think tanks, and apparently targeted US think tanks in a post-election hacking campaign in 2016.

Tuesday, January 7, 2020

North Korean Hackers Target Think Tanks

Here is more from Reuters:

Microsoft Corp said on Monday it has taken control of web domains which were used by a hacking group called “Thallium” to steal information.
Thallium is believed to be operating from North Korea, Microsoft said in a blog post, and the hackers targeted government employees, think tanks, university staff members and individuals working on nuclear proliferation issues, among others.
Most of the targets were based in the United States, as well as Japan and South Korea, the company said.

North Korea has been hacking into think tanks around the world for years.  Here is an example from 2013.  A number of other countries have also been accused of hacking into think tanks, including China and Russia.

Monday, April 22, 2019

Microsoft Helping to Secure Think Tanks, 2020 Elections

Microsoft has a new security service called Microsoft AccountGuard designed to help targeted customers, including think tanks, protect themselves from cybersecurity threats.

Here is more from Microsoft:
While Microsoft AccountGuard is new, it’s grounded in work we’ve done for years to protect democratic processes. This includes support for the Iowa caucuses in 2016, our role as a technology supplier to conventions for both major U.S. parties, and the work of our Washington, D.C.-based team to serve both political campaigns and U.S. government institutions. Based on these foundational experiences, we constructed Microsoft AccountGuard to account for the threats these organizations face, their unique resource constraints and the mix of technologies they often use.
Microsoft AccountGuard is open to all current candidates for federal, state and local office in the United States and their campaigns; the campaign organizations of all sitting members of Congress; national and state party committees; technology vendors who primarily serve campaigns and committees; and certain nonprofit organizations and nongovernmental organizations. Microsoft AccountGuard is offered free of charge. Organizations must be using Office 365 to register.
Microsoft AccountGuard will provide notification about cyberthreats, including attacks by known nation-state actors, in a unified way across both email systems run by organizations and the personal accounts of these organizations’ leaders and staff who opt in. Eligible organizations can invite staff and other associates to enroll in Microsoft AccountGuard, and notification will only occur with the consent of the account owner.

Microsoft is also expanding AccountGuard in Europe, citing similar threats to democracy:
We all saw hacking and disinformation attacks on the French presidential election in 2017, and European leaders have recently warned that attacks will continue across Europe in 2019. At Microsoft, we’ve seen recent activity targeting democratic institutions in Europe as part of the work our Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) carry out every day to protect all of our customers.
These attacks are not limited to campaigns themselves but often extend to think tanks and non-profit organizations working on topics related to democracy, electoral integrity, and public policy and that are often in contact with government officials. For example, Microsoft has recently detected attacks targeting employees of the German Council on Foreign Relations, The Aspen Institutes in Europe and The German Marshall Fund.

The service launched in August 2018, in preparation for the 2018 US midterm elections.  AccountGuard is now helping secure "the 2020 US general elections and broader political and think tank community," says Microsoft.

Over the past several years, Think Tank Watch has documented cyber attacks and cyber intrusions on scores of think tanks in the US, Europe, and elsewhere.

Thursday, February 21, 2019

Russian Hackers Targeted US Think Tanks in Europe

Here is more from CNN:

A hacking group that is thought to be linked to Russian military intelligence targeted the European offices of two American think tanks, Microsoft revealed late Tuesday.
Fancy Bear, the same hacking group that is believed to be behind some of the 2016 hacking of the Democratic National Committee, targeted The Aspen Institute and The German Marshall Fund of the United States, Microsoft said. The German Council on Foreign Relations was also targeted.
The attacks on the three high-profile think tanks took place between September and December 2018, according to Microsoft. The company didn't say whether the attackers were successful but said that it quickly notified the organizations that they were being targeted and helped them secure their systems. 
Andrew Kolb, a spokesperson for The German Marshall Fund — which receives funding from the United States, Germany and other governments — told CNN Business that it didn't appear that its systems had been compromised as a result of the hacking attempt.
The fund's president, Karen Donfried, suggested in a statement that the organization may have been targeted because its work has included supporting efforts to combat alleged attempts by Russia and other nations to "undermine democracy and democratic institutions."

Every major think tank in the United States has been hit with cyber attacks over the past few years, and many major think tanks outside of the US have also been targets.

In December, it was reported that the Lowy Institute in Australia was targeted by Chinese hackers.

And currently, the UK's Institute for Statecraft has a message on its homepage saying that "all content has been temporarily removed from this site, pending an investigation into the theft of data from the Institute for Statecraft and its programme, the Integrity Initiative."

The think tank added that initial findings indicate that the theft was part of "a campaign to undermine the work of the Integrity Initiative in researching, publicising and countering the threat to European democracies from disinformation and other forms of hybrid warfare."

Monday, January 7, 2019

Hackers Tried to Infiltrate German Think Tanks

Here is more from Bloomberg:

Hackers have released private data linked to Chancellor Angela Merkel and hundreds of other German politicians in the biggest data dump of its kind in the country.
Hackers tried to infiltrate computers of think tanks associated with the governing CDU and SPD parties in 2017. A year earlier, scammers set up a fake server in Latvia to flood German lawmakers with phishing emails.

Germany has 225 think tanks.

Sunday, December 16, 2018

Iran Targets US Think Tanks

Here is more from the Associated Press:

As U.S. President Donald Trump re-imposed harsh economic sanctions on Iran last month, hackers scrambled to break into personal emails of American officials tasked with enforcing them, The Associated Press has found — another sign of how deeply cyberespionage is embedded into the fabric of US-Iranian relations.

The AP drew on data gathered by the London-based cybersecurity group Certfa to track how a hacking group often nicknamed Charming Kitten spent the past month trying to break into the private emails of more than a dozen U.S. Treasury officials. Also on the hackers’ hit list: high-profile defenders, detractors and enforcers of the nuclear deal struck between Washington and Tehran, as well as Arab atomic scientists, Iranian civil society figures and D.C. think tank employees.
[One] Charming Kitten target was an intern working for the Foundation for Defense of Democracies, a Washington think tank that has been one of the Iran deal’s fiercest critics. How the intern — whose email isn’t public and whose name appears nowhere on the organization’s website — crossed the hackers’ radar is not clear.

Every major US think tank has faced various cyber attacks and hacking attempts from foreign government entities.  Many non-US think tanks have also been targeted by state actors.

Friday, December 7, 2018

Serious Spearphishing Campaign Against Think Tanks

Here is more from Politico:

A spearphishing campaign that targeted nonprofit groups and think tanks in Washington, D.C., drew Microsoft’s attention because it had “characteristics of previously observed nation-state attacks,” the tech giant said Monday. Because of the people being targeted and the specifics of the spearphishing messages, “Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted organizations,” the company explained in a blog post that shared the technical specifics of the attack. Cyber firm FireEye first publicized the campaign last month, and MC and Reuters subsequently added details.
“Our sensors revealed that the campaign primarily targeted public sector institutions and non-governmental organizations like think tanks and research centers, but also included educational institutions and private-sector corporations in the oil and gas, chemical, and hospitality industries,” Microsoft’s research and threat intelligence teams said in the blog post. The company acknowledged that other firms had attributed the campaign to APT 29, the Russian intelligence service also known as Cozy Bear, but it said it “does not yet believe that enough evidence exists to attribute this campaign” to that group.

Think tanks are a major target of foreign governments, with many of them facing cyber attacks on a daily basis.

Tuesday, August 21, 2018

Russian Hackers Targeting Conservative Think Tanks

Here is more from Reuters:

Hackers linked to Russia’s government tried to target the websites of two right-wing U.S. think-tanks, suggesting they were broadening their attacks in the build-up to November elections, Microsoft said.
The software giant said it thwarted the attempts last week by taking control of sites that hackers had designed to mimic the pages of The International Republican Institute and The Hudson Institute. Users were redirected to fake addresses where they were asked to enter usernames and passwords. 
The International Republican Institute has a roster of high-profile Republican board members, including Senator John McCain of Arizona who has criticized U.S. President Donald Trump’s interactions with Russia, and Moscow’s rights record.
The Hudson Institute, another conservative group, has hosted discussions on topics including cybersecurity, according to Microsoft. It has also examined the rise of kleptocracy, especially in Russia and has been critical of the Russian government, the New York Times reported.

Hudson President and CEO Kenneth Weinstein has been tweeting about the attack, noting that the think tank's Kleptocracy Initiative got them targeted by Russia's GRU:

Here is more on the attacks from Microsoft.

Here is a previous Think Tank Watch post about how a Mueller probe witness was linked to shady payments to the Hudson Institute.

Several Trump Administration staffers have come from Hudson.

The Chinese government reportedly crashed Hudson's website last year.

Monday, March 6, 2017

Russian Hackers Seeking Hush Money From Think Tank?

Here is what Bloomberg is reporting:

Russian hackers are targeting U.S. progressive groups in a new wave of attacks, scouring the organizations’ emails for embarrassing details and attempting to extract hush money, according to two people familiar with probes being conducted by the FBI and private security firms.
At least a dozen groups have faced extortion attempts since the U.S. presidential election, said the people, who provided broad outlines of the campaign. The ransom demands are accompanied by samples of sensitive data in the hackers’ possession.
At least some groups have paid the ransoms even though there is little guarantee the documents won’t be made public anyway. Demands have ranged from about $30,000 to $150,000, payable in untraceable bitcoins, according to one of the people familiar with the probe.
The Center for American Progress, a Washington think tank with strong links to both the Clinton and Obama administrations, and Arabella Advisors, which guides liberal donors who want to invest in progressive causes, have been asked to pay ransoms, according to people familiar with the probes.
The Center for American Progress declined a pre-publication request for comment. "CAP has no evidence we have been hacked, no knowledge of it and no reason to believe it to be true. CAP has never been subject to ransom,” Allison Preiss, a spokeswoman for the center, said in a statement Monday morning.

Center for American Progress (CAP) President Neera Tanden is also saying that there is "zero reason to believe" her think tank has been hacked and "certainly hasn't" faced a ransom.  She acknowledged, however, that CAP has faced phishing attempts.

Last year, CAP founder John Podesta had his email hacked and leaked to the public.

A report released by the Office of the Director of National Intelligence (ODNI) earlier this year said that Russia targeted think tanks, and nearly every major US think tank has been targeted by foreign spies.

Here is Think Tank Watch's latest piece on foreign intelligence services spying on think tanks.

Wednesday, January 11, 2017

US Intel Agency Says Russia Targeted Think Tanks

A new report from the Office of the Director of National Intelligence (ODNI) confirms many previous reports from the media and cybersecurity firms in saying that Russia has been hacking into think tanks.  Here is an excerpt:
We assess Russian intelligence services collected against the US primary campaigns, think tanks, and lobbying groups they viewed as likely to shape US policy...Immediately after Election Day, we assess Russian intelligence began a spearphishing campaign targeting US Government employees and individuals associated with US think tanks and NGOs in national security, defense, and foreign policy fields.  This campaign could provide material for future influence efforts as well as foreign intelligence collection on the incoming administration's goals and plans.

Here is a previous Think Tank Watch post on Russia's alleged targeting of think tanks during the election season.  Nearly every major US think tank has been targeted by foreign intelligence agencies over the past few years.

Tuesday, November 15, 2016

Think Tanks Targeted in Post-Election Hacking Campaign

Here is more from The Hill:
Think tanks and NGOs have received a flurry of spear phishing attempts linked to a Russian espionage group since the election.  
“Think tanks being targeted by APT29/COZY today, spearphishing emails claiming to be about election,” tweeted Adam Segal, Lipman chair of emerging technologies at the Council on Foreign Relations, on Wednesday.
APT 29, also called Cozy Bear, is a hacking group believed to be connected with the Russian government. It recently made headlines as part of the hack on the Democratic National Committee. 
The attempts echoed attacks over the past couple of years similarly targeting think tanks, universities and NGOs, including Transparency International, the International Institute for Strategic Studies, Eurasia Group and the Council on Foreign Relations.

Morning Consult notes that hackers "sent malware-laden emails" to people who worked at the Brookings Institution, RAND Corporation, Atlantic Council, and other organizations.

Think Tank Watch should note that during the presidential election season hackers were very active in trying to gather intelligence from think tanks and think tankers.

Tuesday, August 30, 2016

Think Tanks Pounded by Cyber Attacks

August 2016 has been the month of hell for US think tanks.

First was the damning New York Times exposé that uncovered widespread pay-for-play at major US think tanks.  And now, think tank land has been hit with a major cyber attack.

Here is more from Defense One which broke the story:

Last week, one of the Russia-backed hacker groups that attacked Democratic computer networks also attacked several Russia-focused think tanks in Washington, D.C., Defense One has learned.
The perpetrator is the group called COZY BEAR, or APT29, one of the two groups that cybersecurity company CrowdStrike blamed for the DNC hack, according to founder Dmitri Alperovitch. CrowdStrike discovered the attack on the DNC and provides security for the think tanks.
Alperovitch said fewer than five organizations and 10 staffers researching Russia were hit by the “highly targeted operation.” He declined to detail which think tanks and researchers were hit, out of concern for his clients’ interests and to avoid revealing tools and techniques or other data to hackers. CrowdStrike alerted the organizations immediately after the company detected the breaches and intruders were unable to exfiltrate any information, Alperovitch said.
Defense One reached out to several think tanks with programs in Russian research, one of which was the Center for Strategic and International Studies, or CSIS. “Last week we were under attack, but our small staff was very responsive. Beyond that, I’m not going to discuss the details because it is under active investigation,” H. Andrew Schwartz, CSIS Senior Vice President for External Relations, said in an email.
James Andrew Lewis, Senior Vice President and director, strategic technologies program, at CSIS said, “It’s like a badge of honor — any respectable think tank has been hacked. The Russians just don’t get the idea of independent institutions, so they are looking for secret instructions from Obama. Another benefit is they can go to their bosses and show what they took to prove their worth as spies.”

Russia's RT suggests propaganda warfare.

Besides CSIS, other big US think tanks that have Russia programs or Russia researchers include:

  • Carnegie Endowment for International Peace
  • Council on Foreign Relations (CFR)
  • Brookings Institution
  • Atlantic Council
  • Hudson Institute

It is not a surprise that hackers are targeting think tanks.  Think Tank Watch noted back in June that hackers targeting the Democratic National Committee (DNC) were also targeting think tanks. And over the years Think Tank Watch has documented the fact that nearly every major think tank has been hit by hackers.

Tuesday, October 13, 2015

Think Tank Quickies (#194)

  • Russian hacks peppering think tanks.
  • Readers react to thinking on think tanks series in the Washington Post.
  • James McGann: Think tanks need to innovate or die.
  • Jane Harman in WPost: Are think tanks too partisan?
  • Ellen Laipson of Stimson: Why our demand for instant results hurts think tanks.
  • Jessica Matthews of CEIP: Why think tanks should embrace "new media."
  • USTR official Wendy Cutler becomes VP of Asia Society Policy Institute (ASPI).
  • Newt Gingrich a "political consultant for conservative think tanks."
  • Joe Lieberman working on projects related to foreign policy and defense for such conservative think tanks as AEI and Hudson.
  • Jane Smiley's new book "Golden Age" tells all about think tanks.
  • Jason Stahl (Salon) on Elizabeth Warren: Why her war with a corporate-friendly think tank matters.
  • How USAID's secret think tank funding hurts the poor; and most Australian think tanks keep their funding secret, according to new data.

Thursday, September 3, 2015

Stolen: Donor & Email Information From Heritage Foundation

It was the best of times and the worst of times.  The conservative think tank Heritage Foundation announced this week that it has received a $2.7 million gift.  Then, a day later, it announced that it had an unauthorized data breach in which donor information and emails were stolen.  Here is more from Politico:
The Heritage Foundation suffered a data breach this week in which intruders swiped sensitive emails and donor information, the right-wing think tank confirmed Wednesday.
The breach occurred at the same time that the foundation’s multimedia news organization, the Daily Signal, has criticized the Obama administration and federal agencies such as the Office of Personnel Management over lax cybersecurity. One article in July was headlined “How Obama’s Poor Judgment Led to the Chinese Hack of OPM.”
Any information dating back six years would preclude the arrival of former Sen. Jim DeMint as president of Heritage, and predate the existence of Heritage Action, the Foundation’s advocacy arm. Heritage’s review thus far has found no evidence of credit card or bank information being breached.

Politico notes that some of the stolen data may have recently been appearing on the Internet.  The article notes that in 2012, then-House Intelligence Chairman Mike Rogers (R-MI) said think tanks were "juicy targets" for foreign intelligence services and were "under constant cyber espionage assault."  The article also notes that Heritage has been the target of cyberattacks before.

Politico also notes that earlier this year, the think tank Urban Institute disclosed to charitable organizations that its National Center for Charitable Statistics, a system for filing taxes, had been breached and around 600,000 to 700,000 organizations were affected.  Here is more on the Urban Institute hack from a previous Think Tank Watch post.

Here is a statement on the data breach from the Heritage Foundation.  It says that the breach was of data that was six years old and on an external server.

Currently, the Heritage Foundation has 12 different "membership" levels.  The lowest level is the "basic member" one for $25, and the highest is the "founder" level at $100,000.

For those conservatives not fazed by the data breach, don't forget that Heritage now accepts donations with Visa, MasterCard, American Express, and Discover.

During the past few years, it has been publicly (and privately) disclosed that nearly every major US think tank has been hacked.  Besides attacks on Heritage and Urban Institute, Think Tank Watch has documented hacks on think tanks such as the Aspen Institute, Brookings, American Enterprise Institute (AEI), Center for American Progress (CAP), Council on Foreign Relations (CFR), and Center for Strategic and International Studies (CSIS).

Wednesday, July 8, 2015

Think Tanker Quote of the Week: Peter Singer on Cyber Attacks

The think tanker quote of the week is a Twitter dialogue that Peter Singer of the New America Foundation (NAF), and formerly of the Brookings Institution, had with Wesley Morgan.

The last tweet refers to Singer's new book Ghost Fleet, which is getting tons of attention.

And in related cybersecurity (?) news, the Brookings Institution's website has been down for quite a while today.  We wonder if Mr. Singer has any comments about a possible cyber attack on his former think tank...