Russia’s military intelligence directorate, the GRU, has been caught in a new round of computer intrusion attempts, this time aimed at the Center for Strategic and International Studies, a prominent Washington, D.C. think tank heavy with ex-government officials.
The new efforts by the Kremlin hackers who notoriously breached the DNC and Hillary Clinton campaign to support Donald Trump suggest that indictments, international sanctions, a botched assassination and an unprecedented global spotlight have done little to deter Vladimir Putin from continuing to target the West with his hacker army, even as American intelligence agencies warn that Russia is gearing up to interfere in the 2020 election.
“We’ve about exhausted our ability to achieve some kind of deterrent model that works,” said Robert Johnston, the security expert who investigated the 2016 DNC breach, and now heads the financial cybersecurity firm Adlumin. “You have indictments. You have Cyber Command releasing Russian malware. We ran psyops inside of Russia saying, ‘We know what you’re up to, stop it.’ Sanctions and diplomatic measures. The combination of all those isn’t enough to make it come to a complete halt.”
The GRU hackers, known variously as Fancy Bear, APT28 and Strontium, have developed new attack tools since 2016, but still rely heavily on tried-and-true methods for penetrating a target network, chief among them so-called spear-phishing attacks in which a victim is tricked into entering their login credentials into a fake website.
In 2017 Microsoft lawyers won an injunction allowing the company’s security team to legally hijack the domain names registered by Fancy Bear hackers if the web address encroaches on a Microsoft trademark. In August the company used that capability to thwart attacks against two conservative think tanks, the Hudson Institute and the International Republican Institute.
In a court filing Wednesday, Microsoft wrote that Fancy Bear was behind the spoof sites registered last month. The hackers set up a slew of fake websites and a mail server mimicking systems at the Center for Strategic and International Studies, a non-profit think tank that’s closely studied Russia’s influence. Microsoft seized four of the domains on Dec. 20: csis.cloud, login-csis.org, csis.exchange and csis.events.
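A defender-side check for the kind of lookalike names described above, added here as an example and not code from the article, from Microsoft or from CSIS: it assumes a constructed allow-list of domains the organization actually owns and flags newly observed names that place a brand label under a TLD or parent domain outside that list.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed allow-list (assumption, not from the article): domains the
# organizations legitimately own. Anything under these is treated as internal.
OWNED_DOMAINS = {"csis.org", "rferl.org"}
# Brand tokens to watch for, taken from the second-level label of each owned domain.
BRANDS = sorted({d.split(".")[0] for d in OWNED_DOMAINS})


def registrable_domain(fqdn: str) -> str:
    """Last two labels, e.g. 'my-shareonline.com'. Simplification: multi-label
    public suffixes such as co.uk are not handled."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(fqdn: str) -> Optional[str]:
    """Return a reason if the name looks like a brand spoof, else None."""
    fqdn = fqdn.lower().strip(".")
    reg = registrable_domain(fqdn)
    if reg in OWNED_DOMAINS:
        return None  # our own infrastructure, including real subdomains
    labels = fqdn.split(".")
    sld = labels[-2]  # the registrable label, e.g. 'login-csis'
    for brand in BRANDS:
        if sld == brand:
            # csis.cloud / csis.exchange / csis.events: brand under a foreign TLD
            return f"brand '{brand}' registered under foreign TLD '{labels[-1]}'"
        if re.search(rf"(^|[-_]){brand}([-_]|$)", sld):
            # login-csis.org: brand embedded in the registrable label
            return f"brand '{brand}' embedded in registrable label '{sld}'"
        if brand in labels[:-2]:
            # rferl.my-shareonline.com: brand used as a subdomain of an unrelated domain
            return f"brand '{brand}' used as subdomain of unrelated domain '{reg}'"
    return None


def flag_lookalikes(domains: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious domain to the reason it was flagged."""
    return {d: reason for d in domains if (reason := classify(d))}
```

Fed a feed of newly registered or newly seen domains (certificate transparency logs, passive DNS), the function surfaces the same patterns the article describes without touching the suspect infrastructure.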
“CSIS is under consistent cyber-attack from a variety of state actors,” said CSIS chief communications officer Andrew Schwartz. “We spotted this incident immediately and were able to work with Microsoft to put a stop to it.”
Microsoft also disclosed that it seized a domain name that Fancy Bear had registered in November. Public internet records show that domain was used to host a site at rferl.my-shareonline.com, likely created to spoof an internal login at Radio Free Europe/Radio Liberty, a US government-funded media organization focused on Russia’s Eastern European backyard, with dedicated programming for Ukraine. RFERL didn’t respond to an email inquiry for this story.
The new attacks are not Russia’s first run at CSIS. The Kremlin successfully infiltrated the organization's network at least once before in 2016. This time the hackers were particularly persistent. After Microsoft lawyers seized the first round of CSIS spoof domains in December, two more appeared this month pointing to the same rented server in South Korea.
“They have a lot of government and ex-government officials,” said Johnston. “I understand why Russia would target them. It’s a big one.”