# Advanced Persistent Threat Actors Targeting U.S. Think Tanks

**us-cert.cisa.gov/ncas/alerts/aa20-336a**

## Summary

_This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the [ATT&CK for Enterprise](https://attack.mitre.org/versions/v7/techniques/enterprise/) for all referenced threat actor tactics and techniques._

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[[1]](https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/) The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.

APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.

Given the importance that think tanks can have in shaping U.S.
policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.

[Click here for a PDF version of this report.](https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf)

## Technical Details

**ATT&CK Profile**

CISA created the following MITRE ATT&CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.

**_Initial Access_** [TA0001](https://attack.mitre.org/versions/v7/tactics/TA0001)

- Valid Accounts [T1078](https://attack.mitre.org/versions/v7/techniques/T1078/)
- Valid Accounts: Cloud Accounts [T1078.004](https://attack.mitre.org/versions/v7/techniques/T1078/004/)
- External Remote Services [T1133](https://attack.mitre.org/versions/v7/techniques/T1133/)
- Drive-by Compromise [T1189](https://attack.mitre.org/versions/v7/techniques/T1189)
- Exploit Public-Facing Application [T1190](https://attack.mitre.org/versions/v7/techniques/T1190)
- Supply Chain Compromise: Compromise Software Supply Chain [T1195.002](https://attack.mitre.org/versions/v7/techniques/T1195/002)
- Trusted Relationship [T1199](https://attack.mitre.org/versions/v7/techniques/T1199)
- Phishing: Spearphishing Attachment [T1566.001](https://attack.mitre.org/versions/v7/techniques/T1566/001)
- Phishing: Spearphishing Link [T1566.002](https://attack.mitre.org/versions/v7/techniques/T1566/002)
- Phishing: Spearphishing via Service
  [T1566.003](https://attack.mitre.org/versions/v7/techniques/T1566/003)

**_Execution_** [TA0002](https://attack.mitre.org/versions/v7/tactics/TA0002)

- Windows Management Instrumentation [T1047](https://attack.mitre.org/versions/v7/techniques/T1047)
- Scheduled Task/Job: Scheduled Task [T1053.005](https://attack.mitre.org/versions/v7/techniques/T1053/005)
- Command and Scripting Interpreter: PowerShell [T1059.001](https://attack.mitre.org/versions/v7/techniques/T1059/001)
- Command and Scripting Interpreter: Windows Command Shell [T1059.003](https://attack.mitre.org/versions/v7/techniques/T1059/003)
- Command and Scripting Interpreter: Unix Shell [T1059.004](https://attack.mitre.org/versions/v7/techniques/T1059/004)
- Command and Scripting Interpreter: Visual Basic [T1059.005](https://attack.mitre.org/versions/v7/techniques/T1059/005)
- Command and Scripting Interpreter: Python [T1059.006](https://attack.mitre.org/versions/v7/techniques/T1059/006)
- Native API [T1106](https://attack.mitre.org/versions/v7/techniques/T1106)
- Exploitation for Client Execution [T1203](https://attack.mitre.org/versions/v7/techniques/T1203)
- User Execution: Malicious Link [T1204.001](https://attack.mitre.org/versions/v7/techniques/T1204/001)
- User Execution: Malicious File [T1204.002](https://attack.mitre.org/versions/v7/techniques/T1204/002)
- Inter-Process Communication: Dynamic Data Exchange [T1559.002](https://attack.mitre.org/versions/v7/techniques/T1559/002/)
- System Services: Service Execution [T1569.002](https://attack.mitre.org/versions/v7/techniques/T1569/002)

**_Persistence_** [TA0003](https://attack.mitre.org/versions/v7/tactics/TA0003)

- Boot or Logon Initialization Scripts: Logon Script (Windows) [T1037.001](https://attack.mitre.org/versions/v7/techniques/T1037/001)
- Scheduled Task/Job: Scheduled Task [T1053.005](https://attack.mitre.org/versions/v7/techniques/T1053/005)
- Account Manipulation: Exchange Email Delegate
  Permissions [T1098.002](https://attack.mitre.org/versions/v7/techniques/T1098/002)
- Create Account: Local Account [T1136.001](https://attack.mitre.org/versions/v7/techniques/T1136/001)
- Office Application Startup: Office Test [T1137.002](https://attack.mitre.org/versions/v7/techniques/T1137/002)
- Office Application Startup: Outlook Home Page [T1137.004](https://attack.mitre.org/versions/v7/techniques/T1137/004)
- Browser Extensions [T1176](https://attack.mitre.org/versions/v7/techniques/T1176)
- BITS Jobs [T1197](https://attack.mitre.org/versions/v7/techniques/T1197/)
- Server Software Component: Web Shell [T1505.003](https://attack.mitre.org/versions/v7/techniques/T1505/003)
- Pre-OS Boot: Bootkit [T1542.003](https://attack.mitre.org/versions/v7/techniques/T1542/003/)
- Create or Modify System Process: Windows Service [T1543.003](https://attack.mitre.org/versions/v7/techniques/T1543/003)
- Event Triggered Execution: Change Default File Association [T1546.001](https://attack.mitre.org/versions/v7/techniques/T1546/001)
- Event Triggered Execution: Windows Management Instrumentation Event Subscription [T1546.003](https://attack.mitre.org/versions/v7/techniques/T1546/003)
- Event Triggered Execution: Accessibility Features [T1546.008](https://attack.mitre.org/versions/v7/techniques/T1546/008)
- Event Triggered Execution: Component Object Model Hijacking [T1546.015](https://attack.mitre.org/versions/v7/techniques/T1546/015)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001](https://attack.mitre.org/versions/v7/techniques/T1547/001)
- Boot or Logon Autostart Execution: Shortcut Modification [T1547.009](https://attack.mitre.org/versions/v7/techniques/T1547/009)

**_Privilege Escalation_** [TA0004](https://attack.mitre.org/versions/v7/tactics/TA0004)

- Process Injection [T1055](https://attack.mitre.org/versions/v7/techniques/T1055)
- Process Injection: Process Hollowing
  [T1055.012](https://attack.mitre.org/versions/v7/techniques/T1055/012)
- Exploitation for Privilege Escalation [T1068](https://attack.mitre.org/versions/v7/techniques/T1068)
- Access Token Manipulation: Token Impersonation/Theft [T1134.001](https://attack.mitre.org/versions/v7/techniques/T1134/001)
- Event Triggered Execution: Accessibility Features [T1546.008](https://attack.mitre.org/versions/v7/techniques/T1546/008)
- Boot or Logon Autostart Execution: Shortcut Modification [T1547.009](https://attack.mitre.org/versions/v7/techniques/T1547/009)
- Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002](https://attack.mitre.org/versions/v7/techniques/T1548/002)
- Hijack Execution Flow: DLL Side-Loading [T1574.002](https://attack.mitre.org/versions/v7/techniques/T1574/002)

**_Defense Evasion_** [TA0005](https://attack.mitre.org/versions/v7/tactics/TA0005)

- Rootkit [T1014](https://attack.mitre.org/versions/v7/techniques/T1014)
- Obfuscated Files or Information: Binary Padding [T1027.001](https://attack.mitre.org/versions/v7/techniques/T1027/001)
- Obfuscated Files or Information: Software Packing [T1027.002](https://attack.mitre.org/versions/v7/techniques/T1027/002)
- Obfuscated Files or Information: Steganography [T1027.003](https://attack.mitre.org/versions/v7/techniques/T1027/003)
- Obfuscated Files or Information: Indicator Removal from Tools [T1027.005](https://attack.mitre.org/versions/v7/techniques/T1027/005)
- Masquerading: Match Legitimate Name or Location [T1036.005](https://attack.mitre.org/versions/v7/techniques/T1036/005)
- Indicator Removal on Host: Clear Windows Event Logs [T1070.001](https://attack.mitre.org/versions/v7/techniques/T1070/001)
- Indicator Removal on Host: Clear Command History [T1070.003](https://attack.mitre.org/versions/v7/techniques/T1070/003)
- Indicator Removal on Host: File Deletion [T1070.004](https://attack.mitre.org/versions/v7/techniques/T1070/004)
- Indicator Removal on
  Host: Timestomp [T1070.006](https://attack.mitre.org/versions/v7/techniques/T1070/006)
- Modify Registry [T1112](https://attack.mitre.org/versions/v7/techniques/T1112)
- Deobfuscate/Decode Files or Information [T1140](https://attack.mitre.org/versions/v7/techniques/T1140)
- Exploitation for Defense Evasion [T1211](https://attack.mitre.org/versions/v7/techniques/T1211)
- Signed Binary Proxy Execution: Compiled HTML File [T1218.001](https://attack.mitre.org/versions/v7/techniques/T1218/001)
- Signed Binary Proxy Execution: Mshta [T1218.005](https://attack.mitre.org/versions/v7/techniques/T1218/005)
- Signed Binary Proxy Execution: Rundll32 [T1218.011](https://attack.mitre.org/versions/v7/techniques/T1218/011)
- Template Injection [T1221](https://attack.mitre.org/versions/v7/techniques/T1221)
- Execution Guardrails: Environmental Keying [T1480.001](https://attack.mitre.org/versions/v7/techniques/T1480/001)
- Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002](https://attack.mitre.org/versions/v7/techniques/T1548/002)
- Use Alternate Authentication Material: Application Access Token [T1550.001](https://attack.mitre.org/versions/v7/techniques/T1550/001)
- Subvert Trust Controls: Code Signing [T1553.002](https://attack.mitre.org/versions/v7/techniques/T1553/002)
- Impair Defenses: Disable or Modify Tools [T1562.001](https://attack.mitre.org/versions/v7/techniques/T1562/001)
- Impair Defenses: Disable or Modify System Firewall [T1562.004](https://attack.mitre.org/versions/v7/techniques/T1562/004)
- Hide Artifacts: Hidden Files and Directories [T1564.001](https://attack.mitre.org/versions/v7/techniques/T1564/001)
- Hide Artifacts: Hidden Window [T1564.003](https://attack.mitre.org/versions/v7/techniques/T1564/003)

**_Credential Access_** [TA0006](https://attack.mitre.org/versions/v7/tactics/TA0006)

- OS Credential Dumping: LSASS Memory [T1003.001](https://attack.mitre.org/versions/v7/techniques/T1003/001)
- OS
  Credential Dumping: Security Account Manager [T1003.002](https://attack.mitre.org/versions/v7/techniques/T1003/002)
- OS Credential Dumping: NTDS [T1003.003](https://attack.mitre.org/versions/v7/techniques/T1003/003)
- OS Credential Dumping: LSA Secrets [T1003.004](https://attack.mitre.org/versions/v7/techniques/T1003/004)
- OS Credential Dumping: Cached Domain Credentials [T1003.005](https://attack.mitre.org/versions/v7/techniques/T1003/005)
- Network Sniffing [T1040](https://attack.mitre.org/versions/v7/techniques/T1040)
- Input Capture: Keylogging [T1056.001](https://attack.mitre.org/versions/v7/techniques/T1056/001)
- Brute Force: Password Cracking [T1110.002](https://attack.mitre.org/versions/v7/techniques/T1110/002)
- Brute Force: Password Spraying [T1110.003](https://attack.mitre.org/versions/v7/techniques/T1110/003)
- Forced Authentication [T1187](https://attack.mitre.org/versions/v7/techniques/T1187)
- Steal Application Access Token [T1528](https://attack.mitre.org/versions/v7/techniques/T1528)
- Unsecured Credentials: Credentials in Files [T1552.001](https://attack.mitre.org/versions/v7/techniques/T1552/001)
- Unsecured Credentials: Group Policy Preferences [T1552.006](https://attack.mitre.org/versions/v7/techniques/T1552/006)
- Credentials from Password Stores: Credentials from Web Browsers [T1555.003](https://attack.mitre.org/versions/v7/techniques/T1555/003)

**_Discovery_** [TA0007](https://attack.mitre.org/versions/v7/tactics/TA0007)

- System Service Discovery [T1007](https://attack.mitre.org/versions/v7/techniques/T1007)
- Query Registry [T1012](https://attack.mitre.org/versions/v7/techniques/T1012)
- System Network Configuration Discovery [T1016](https://attack.mitre.org/versions/v7/techniques/T1016)
- Remote System Discovery [T1018](https://attack.mitre.org/versions/v7/techniques/T1018)
- System Owner/User Discovery [T1033](https://attack.mitre.org/versions/v7/techniques/T1033)
- Network Sniffing
  [T1040](https://attack.mitre.org/versions/v7/techniques/T1040)
- Network Service Scanning [T1046](https://attack.mitre.org/versions/v7/techniques/T1046)
- System Network Connections Discovery [T1049](https://attack.mitre.org/versions/v7/techniques/T1049)
- Process Discovery [T1057](https://attack.mitre.org/versions/v7/techniques/T1057)
- Permission Groups Discovery: Local Groups [T1069.001](https://attack.mitre.org/versions/v7/techniques/T1069/001)
- Permission Groups Discovery: Domain Groups [T1069.002](https://attack.mitre.org/versions/v7/techniques/T1069/002)
- System Information Discovery [T1082](https://attack.mitre.org/versions/v7/techniques/T1082)
- File and Directory Discovery [T1083](https://attack.mitre.org/versions/v7/techniques/T1083)
- Account Discovery: Local Account [T1087.001](https://attack.mitre.org/versions/v7/techniques/T1087/001)
- Account Discovery: Domain Account [T1087.002](https://attack.mitre.org/versions/v7/techniques/T1087/002)
- Peripheral Device Discovery [T1120](https://attack.mitre.org/versions/v7/techniques/T1120)
- Network Share Discovery [T1135](https://attack.mitre.org/versions/v7/techniques/T1135)
- Password Policy Discovery [T1201](https://attack.mitre.org/versions/v7/techniques/T1201/)
- Software Discovery: Security Software Discovery [T1518.001](https://attack.mitre.org/versions/v7/techniques/T1518/001)

**_Lateral Movement_** [TA0008](https://attack.mitre.org/versions/v7/tactics/TA0008)

- Remote Services: Remote Desktop Protocol [T1021.001](https://attack.mitre.org/versions/v7/techniques/T1021/001)
- Remote Services: SSH [T1021.004](https://attack.mitre.org/versions/v7/techniques/T1021/004)
- Taint Shared Content [T1080](https://attack.mitre.org/versions/v7/techniques/T1080/)
- Replication Through Removable Media [T1091](https://attack.mitre.org/versions/v7/techniques/T1091)
- Exploitation of Remote Services [T1210](https://attack.mitre.org/versions/v7/techniques/T1210)
- Use Alternate
  Authentication Material: Pass the Hash [T1550.002](https://attack.mitre.org/versions/v7/techniques/T1550/002)
- Use Alternate Authentication Material: Pass the Ticket [T1550.003](https://attack.mitre.org/versions/v7/techniques/T1550/003)

**_Collection_** [TA0009](https://attack.mitre.org/versions/v7/tactics/TA0009)

- Data from Local System [T1005](https://attack.mitre.org/versions/v7/techniques/T1005)
- Data from Removable Media [T1025](https://attack.mitre.org/versions/v7/techniques/T1025)
- Data Staged: Local Data Staging [T1074.001](https://attack.mitre.org/versions/v7/techniques/T1074/001)
- Screen Capture [T1113](https://attack.mitre.org/versions/v7/techniques/T1113)
- Email Collection: Local Email Collection [T1114.001](https://attack.mitre.org/versions/v7/techniques/T1114/001)
- Email Collection: Remote Email Collection [T1114.002](https://attack.mitre.org/versions/v7/techniques/T1114/002)
- Automated Collection [T1119](https://attack.mitre.org/versions/v7/techniques/T1119)
- Audio Capture [T1123](https://attack.mitre.org/versions/v7/techniques/T1123)
- Data from Information Repositories: SharePoint [T1213.002](https://attack.mitre.org/versions/v7/techniques/T1213/002)
- Archive Collected Data: Archive via Utility [T1560.001](https://attack.mitre.org/versions/v7/techniques/T1560/001)
- Archive Collected Data: Archive via Custom Method [T1560.003](https://attack.mitre.org/versions/v7/techniques/T1560/003)

**_Command and Control_** [TA0011](https://attack.mitre.org/versions/v7/tactics/TA0011)

- Data Obfuscation: Junk Data [T1001.001](https://attack.mitre.org/versions/v7/techniques/T1001/001/)
- Fallback Channels [T1008](https://attack.mitre.org/versions/v7/techniques/T1008)
- Application Layer Protocol: Web Protocols [T1071.001](https://attack.mitre.org/versions/v7/techniques/T1071/001)
- Application Layer Protocol: File Transfer Protocols [T1071.002](https://attack.mitre.org/versions/v7/techniques/T1071/002)
- Application Layer Protocol: Mail Protocols [T1071.003](https://attack.mitre.org/versions/v7/techniques/T1071/003)
- Application Layer Protocol: DNS [T1071.004](https://attack.mitre.org/versions/v7/techniques/T1071/004)
- Proxy: External Proxy [T1090.002](https://attack.mitre.org/versions/v7/techniques/T1090/002)
- Proxy: Multi-hop Proxy [T1090.003](https://attack.mitre.org/versions/v7/techniques/T1090/003)
- Proxy: Domain Fronting [T1090.004](https://attack.mitre.org/versions/v7/techniques/T1090/004)
- Communication Through Removable Media [T1092](https://attack.mitre.org/versions/v7/techniques/T1092)
- Non-Application Layer Protocol [T1095](https://attack.mitre.org/versions/v7/techniques/T1095)
- Web Service: Dead Drop Resolver [T1102.001](https://attack.mitre.org/versions/v7/techniques/T1102/001)
- Web Service: Bidirectional Communication [T1102.002](https://attack.mitre.org/versions/v7/techniques/T1102/002)
- Multi-Stage Channels [T1104](https://attack.mitre.org/versions/v7/techniques/T1104)
- Ingress Tool Transfer [T1105](https://attack.mitre.org/versions/v7/techniques/T1105)
- Data Encoding: Standard Encoding [T1132.001](https://attack.mitre.org/versions/v7/techniques/T1132/001)
- Remote Access Software [T1219](https://attack.mitre.org/versions/v7/techniques/T1219)
- Dynamic Resolution: Domain Generation Algorithms [T1568.002](https://attack.mitre.org/versions/v7/techniques/T1568/002)
- Non-Standard Port [T1571](https://attack.mitre.org/versions/v7/techniques/T1571)
- Protocol Tunneling [T1572](https://attack.mitre.org/versions/v7/techniques/T1572)
- Encrypted Channel: Symmetric Cryptography [T1573.001](https://attack.mitre.org/versions/v7/techniques/T1573/001)
- Encrypted Channel: Asymmetric Cryptography [T1573.002](https://attack.mitre.org/versions/v7/techniques/T1573/002)

**_Exfiltration_** [TA0010](https://attack.mitre.org/versions/v7/tactics/TA0010)

- Exfiltration Over C2 Channel
  [T1041](https://attack.mitre.org/versions/v7/techniques/T1041)
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [T1048.003](https://attack.mitre.org/versions/v7/techniques/T1048/003)

**_Impact_** [TA0040](https://attack.mitre.org/versions/v7/tactics/TA0040)

- Data Encrypted for Impact [T1486](https://attack.mitre.org/versions/v7/techniques/T1486)
- Resource Hijacking [T1496](https://attack.mitre.org/versions/v7/techniques/T1496)
- System Shutdown/Reboot [T1529](https://attack.mitre.org/versions/v7/techniques/T1529)
- Disk Wipe: Disk Structure Wipe [T1561.002](https://attack.mitre.org/versions/v7/techniques/T1561/002)

## Mitigations

CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.

**Leaders**

- Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.

**Users/Staff**

- Log off remote connections when not in use.
- Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).
- Use different passwords for corporate and personal accounts.
- Install antivirus software on personal devices to automatically scan and quarantine suspicious files.
- Employ strong multi-factor authentication for personal accounts, if available.
- Exercise caution when:
  - Opening email attachments, even if the attachment is expected and the sender appears to be known. See [Using Caution with Email Attachments](https://www.us-cert.gov/ncas/tips/ST04-010).
  - Using removable media (e.g., USB thumb drives, external drives, CDs).

**IT Staff/Cybersecurity Personnel**

- Segment and segregate networks and functions.
- Change the default username and password of applications and appliances.
- Employ strong multi-factor authentication for corporate accounts.
- Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.
- Apply encryption to data at rest and data in transit.
- Use email security appliances to scan and remove malicious email attachments or links.
- Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.
- Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on Defending Against Malicious Cyber Activity Originating from Tor for mitigation options and additional information.
- Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s [Top 10 Routinely Exploited Vulnerabilities](https://us-cert.cisa.gov/ncas/alerts/aa20-133a) and other CISA alerts that identify vulnerabilities exploited by foreign attackers.
- Implement an antivirus program and a formalized patch management process.
- Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).
- Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
- Implement Group Policy Object and firewall rules.
- Implement filters at the email gateway and block suspicious IP addresses at the firewall.
- Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.
- Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.
- Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
- Disable or block unnecessary remote services.
- Limit access to remote services through centrally managed concentrators.
- Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.
- Limit unnecessary lateral communications.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Ensure applications do not store sensitive data or credentials insecurely.
- Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments; ensure any scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to suspicious or risky sites.
- Contact law enforcement or CISA immediately regarding any unauthorized network access identified.

Visit the MITRE ATT&CK techniques and tactics pages linked in the ATT&CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.

## Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.
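The three attachment mitigations in the IT Staff/Cybersecurity Personnel list above (blocking .scr/.pif/.cpl/.dll/.exe, blocking unscannable .zip archives, and confirming an attachment's "true file type" against its file header) as one illustrative gateway check. This is added example code, not code from the advisory or from CISA; its magic-byte table, the text and Office extension sets, and the sample attachments are assumptions constructed for the demonstration.

```python
from __future__ import annotations

import io
import os
import zipfile

# Extension policy from the mitigations above (block list, unscannable archives)
# plus two assumed sets: signature-less text formats and OOXML Office documents.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".cpl", ".dll", ".exe"}
UNSCANNABLE_EXTENSIONS = {".zip"}
TEXT_EXTENSIONS = {".txt", ".csv"}
OOXML_EXTENSIONS = {".docx", ".xlsx", ".pptx"}  # ZIP containers carrying [Content_Types].xml

# Assumed magic-byte table: leading bytes -> extensions that legitimately carry them.
SIGNATURES: list[tuple[bytes, frozenset[str]]] = [
    (b"MZ", frozenset({".exe", ".dll", ".scr", ".pif", ".cpl"})),  # PE/DOS executable
    (b"%PDF-", frozenset({".pdf"})),
    (b"PK\x03\x04", frozenset({".zip", ".jar"} | OOXML_EXTENSIONS)),  # ZIP container
]

def sniff_extensions(data: bytes) -> frozenset[str] | None:
    """Extensions consistent with the file header, or None if the header is unknown."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts
    return None

def looks_like_text(data: bytes) -> bool:
    """Plain text: decodes as UTF-8 and contains no NUL bytes."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in data

def is_ooxml(data: bytes) -> bool:
    """True for a ZIP carrying [Content_Types].xml; a bare ZIP renamed .docx fails."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def screen_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'quarantine'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{ext} is on the attachment block list"
    if ext in UNSCANNABLE_EXTENSIONS:
        return "block", f"{ext} archives cannot be scanned by antivirus"
    true_exts = sniff_extensions(data)
    if true_exts is None:
        if ext in TEXT_EXTENSIONS and looks_like_text(data):
            return "allow", "signature-less text file with no binary content"
        return "quarantine", "unrecognised header; true file type cannot be confirmed"
    if ext not in true_exts:
        return "block", f"{ext} does not match file header (looks like {sorted(true_exts)})"
    if ext in OOXML_EXTENSIONS and not is_ooxml(data):
        return "block", f"{ext} is a ZIP container but not an Office document"
    return "allow", "extension matches file header"

def make_zip(members: dict[str, bytes]) -> bytes:  # in-memory ZIP, constructed input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: PDF, executable renamed .pdf, OOXML shell, bare ZIP renamed .docx, text.
SAMPLES = {
    "agenda.pdf": b"%PDF-1.7\n%constructed\n",
    "agenda_final.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "minutes.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
    "minutes_v2.docx": make_zip({"payload.bin": b"MZ\x90\x00"}),
    "notes.txt": b"Meeting notes\n",
}

def screen_samples() -> dict[str, str]:
    return {name: screen_attachment(name, data)[0] for name, data in SAMPLES.items()}
```

In a gateway deployment the "quarantine" verdict would route the file to manual review rather than to the user, and the signature table would be extended to every format the organization legitimately exchanges.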
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](http://www.fbi.gov/contact-us/field), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](mailto:CyWatch@fbi.gov). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](mailto:Central@cisa.gov).

## References

[1] [CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attac…](https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/)

## Revisions

Initial Version: December 1, 2020

This product is provided subject to this [Notification](https://us-cert.cisa.gov/privacy/notification) and this [Privacy & Use policy](https://www.dhs.gov/privacy-policy).