On the day following a historic presidential election, American think tanks are being targeted by a Russian spearphishing campaign with emails claiming to be about Tuesday’s vote.
The victims, citing the cybersecurity specialists they consult with, say the attacker is COZY BEAR, also known as APT29, one of the groups blamed for the hack of the Democratic National Committee and for the subsequent leaks that affected the American election. CyberScoop was unable to confirm the identity of the attacker.
Spearphishing is a tightly targeted fake email that tricks a person into taking an action that can end up giving hackers complete access to their computer and data. It is a technique used by criminals, spies, and hacktivists of all stripes, and it is how John Podesta, Hillary Clinton’s campaign chairman, was hacked and had his emails leaked in recent weeks.
Adam Segal of the Council on Foreign Relations and Maeve Whelan-Wuest of the Brookings Institute Foreign Policy program, two of Washington’s most prominent think tanks, were among the first to publicly report the post-election-day campaign. Both CFR and Brookings focus extensively on American policy toward Russia.
Segal and Whelan-Wuest, along with several of their colleagues, received an email claiming to be from Harvard and explaining “Why American Elections are Flawed.” The attacker spoofs a fake harvard.edu sender address and claims to be sending a PDF (misspelled once as “PFD”) that must be downloaded. You can see the phishing email below:
For good measure, the email even points the reader to Harvard’s information security website, exactly the kind of people who fight spearphishing campaigns. That kind of winking behavior is reminiscent of the OPM hack, in which the attackers, widely believed to be Chinese, used the names of American comic book superheroes to disguise their hacking.
The Russians have since supplanted China as America’s most prominent rival in cyberspace. Over the last year, Russian groups have been blamed by American officials for a number of attacks in addition to the DNC hack.
A Wednesday report from security firm Trend Micro said that Fancy Bear, also known as APT 28, has continued cyberattacks against “various governments and embassies around the world” in the last few weeks. In an increasingly volatile cyberwar, the pace does not appear to have slowed yet. The effect of Donald Trump’s electoral victory remains to be seen.
Dmitri Alperovitch, the CEO of the security firm Crowdstrike, told Wired that numerous American targets have been hacked but have not yet revealed the compromises.
Numerous U.S. intelligence sources have warned that Moscow-sponsored attacks have touched far more than the already-revealed target list. Both private-sector and government targets have been affected.
Tuesday’s spearphishing campaign against American think tanks is closely related to a similar campaign this past summer that was first reported by Defense One. The targets are slightly different this time around: the Center for Strategic and International Studies was previously in the crosshairs, but says it did not see an attack on Wednesday.
Prominent American think tanks are valuable targets because they have close contact with the Washington, D.C. political establishment. Institutions like these are where much of American policy is created; the people involved are in direct contact with government officials, and are often former and future government officials themselves. If and when think tank employees are compromised, it becomes that much easier to attack U.S. government employees and politicians.
For an aggressive and opportunistic nation-state, that’s a target too tempting to pass up.