Suspected Russia-based hackers who had attacked the Democratic National Committee (DNC) network are at it again, this time targeting think tanks in Washington focussed on Russia. The alleged cybercriminals – Cozy Bear or APT29 – are reportedly one of the two groups believed to be responsible for the DNC breach.

According to a report by DefenceOne, cybersecurity firm CrowdStrike, which confirmed attribution of the DNC hack to the Cozy Bear and Fancy Bear hacker groups, also discovered that around five Washington-based think tanks and 10 employees, researching Russia, had been targeted by the hackers as part of a "highly targeted operation".

CrowdStrike founder Dmitri Alperovitch said that once the cyberattack was detected, the concerned organisations were immediately alerted, adding that the hackers were not successful in gaining access to any information. However, Alperovitch refrained from naming the organisations and individuals targeted over concerns for his clients' interests and in efforts to not disclose the tools and data to hackers.

According to DefenceOne's report, the Center for Strategic and International Studies (CSIS) has confirmed that it was hit by hackers. "Last week we were under attack, but our small staff was very responsive. Beyond that, I'm not going to discuss the details because it is under active investigation," said H. Andrew Schwartz, CSIS senior vice president for external relations.

James Andrew Lewis, senior vice president and director, strategic technologies program, at CSIS said, "It's like a badge of honor — any respectable think tank has been hacked. The Russians just don't get the idea of independent institutions, so they are looking for secret instructions from Obama. Another benefit is they can go to their bosses and show what they took to prove their worth as spies."

Meanwhile, Alperovitch further said that the hackers were most likely attempting to access data and information from the Washington think tanks' senior officials and board members.

"Many of these people are former government officials that still advise current government officials," he said, adding that the hacker group's aim may have been "to look at their communications with government officials to see if they may have some plundered information that's been shared with them, or use them as a way to target government".

Modus operandi

In this case, Cozy Bear hackers used spearphishing emails to lure victims into clicking on malicious links. The hackers sent out fake emails posing as messages from legitimate think tanks and geopolitical consultancy groups to trick employees into clicking on the malicious URLs. CrowdStrike's founder claimed that his firm was able to detect the attack immediately, but one of the organisations targeted took around 30 minutes to isolate the infected system from other machines on the network, by which time the hackers "were already in several systems".


Russian bears in the woods

Despite the pseudonymous hacker Guccifer 2.0 having claimed responsibility for the DNC breach, security researchers at CrowdStrike and other firms such as Fidelis and ThreatConnect maintain that the hacker groups behind the attack are the Kremlin-linked Cozy Bear and Fancy Bear. While Cozy Bear is believed to be connected to the Russian Federal Security Service (FSB), Fancy Bear is believed to be linked to the Russian military.

According to Alperovitch, Cozy Bear is believed to have upped its game since the DNC hack. The hacker group is using enhanced tools and techniques to conduct attacks while remaining almost undetectable, improving its ability to move across networks after an initial compromise.

What next?

Cozy Bear and Fancy Bear appear to be still active, going after various targets. ThreatConnect security researchers said that Fancy Bear was also responsible for the recent World Anti-Doping Agency (WADA) website hack. Recent reports also indicate that the DNC hackers have gone after Republican presidential candidate Donald Trump's campaign.

The breach on the Washington-based think tanks comes even as US security officials express concerns over the possibility of Russia attempting to influence the US elections via targeted cyberattacks, indicating that a cyberwar may indeed be brewing between the long-time rival nations.