Beginning in mid-2015, two Russian-linked cyber actors launched a concerted hacking effort against a variety of political campaigns, nonprofit organizations, and other groups. Both attackers targeted users with a barrage of spear phishing emails, attempting to gain access to their respective networks. Their most famous victim was of course the Democratic National Committee, the breach of which received massive media attention. What garnered less notice, however, was that this spate of cyber intrusions also marked a continuation of a broad effort to breach the networks of American think tanks by a variety of highly skilled hackers.
As several experts have identified, think tanks represent a “bench” of talent for incoming presidential administrations. Their employees often serve as trusted outside advisers to those in government. Combined with the fact that their academic atmosphere encourages open collaboration–but not necessarily good cybersecurity practices–they represent outstanding targets for actors seeking to gain insight into American government thinking on a variety of issues. The large troves of data they maintain regarding their affiliates are also tempting for garden-variety cyber criminals.
The most recent Russian campaign illustrates the magnitude of the threat, but several previous incidents highlight a range of hacking tactics used against think tanks, and what these organizations can do about them.
First, relying on passwords for authenticating users and controlling access to data is inherently insecure, a fact which attackers have easily exploited. Second, “super users” with broad administrator privileges represent an excellent target for intruders, who often immediately seek to hijack them upon compromising a network. Finally, and most importantly, think tanks–along with many other enterprises–do not consistently employ end-to-end encryption, making both locally- and cloud-stored information vulnerable to theft and corruption.
The Problem with Passwords
In early 2015, the nonprofit Urban Institute found itself in the crosshairs of cyber intruders who may have been targeting the tax-related information it receives on behalf of its partner groups. The attackers stole usernames, passwords, and email addresses from hundreds of thousands of organizations working with the Urban Institute. Although the most sensitive information – the tax filings themselves – appeared to have been safe from prying eyes, the data the attackers stole was in itself highly valuable.
Although the think tank required its users to change their account passwords on its web site after announcing the breach, the attack likely had a second-order effect. As the Urban Institute recognized in a warning to users, it is highly likely that at least some of them recycled their passwords for other accounts and web sites. Combined with the victims’ email addresses and other identifiers, the attackers likely gained access to additional accounts on other platforms.
Passwords themselves are major security vulnerabilities; hackers have frequently socially engineered users into giving them up, cracked them, and guessed them. The inconvenience of having to remember them also leads people to re-use them among web sites and across accounts, which can be devastating if just one is successfully breached.
Two-factor authentication is a useful security measure, but the additional step it requires in logging on makes it unpalatable to most. Experts have estimated adoption of this technology to be at the single digit percentage level, at least for one major platform. Especially for organizations not focused on cybersecurity and without major budgets for advanced intrusion-detection systems, such as think tanks, “secure-by-default” communications systems that dispense with passwords are critical to ensuring that private correspondence remains that way.
The Perils of “Super Users”
In addition to passwords, the existence of powerful “super user” administrator accounts in think tank networks is another threat to those organizations. According to an analysis by the firm Crowdstrike, a variety of national security-focused think tanks have come under assault from a group it calls DEEP PANDA. Probably based in China, these hackers employ a standard set of tactics when probing the networks of their targets. One of their first moves during initial reconnaissance of victim networks is to identify users with administrator privileges.
These “super users” are obvious targets for hijacking due to their ability to access broad swaths of organizational data and user communications. Even major software companies have historically been complacent with regard to the potential dangers of these accounts, making them standard features of their operating systems and even giving them blank passwords by default. Safeguarding think tanks’ communications by eliminating or restricting the number of “super users” with access to them is an easy step to take.
End-to-End Encryption is a Necessity
Finally, a late 2015 hack of the Heritage Foundation is instructive with regard to a third point: the vulnerability of data stored in the cloud and the importance of properly deployed end-to-end encryption. Although the think tank explained that its “internal servers were not part of this breach,” the location of its data would have been irrelevant if properly end-to-end encrypted.
Using this security technique, communications are encrypted with a secret key before leaving the sender’s device. They are thus unreadable both while in transit and while sitting on servers, either those owned by the organization in question or those maintained by a cloud computing provider. Decryption only occurs at the device of the recipients, and nowhere else. Unfortunately, most widely used webmail services such as Gmail, Yahoo, and Microsoft Office 365 do not use this technology by default.
Furthermore, even when encrypting data at every step of the way, it is critical that organizations do so properly. Retaining control of the requisite decryption keys–not placing them on the same servers as sensitive data–is one such measure. According to one study, an incredible 37% of enterprises voluntarily give cloud providers complete control of the keys to unlock their communications, leaving the former organizations vulnerable to breaches. Even if encrypted from the start of its journey to the finish, information stored in the cloud is vulnerable to attackers in this scenario. If intruders successfully breach a cloud provider’s server, they could also steal any decryption keys stored there and unlock the corresponding information. As masses of data move to the cloud, properly implemented end-to-end encryption will only become more critical in ensuring their safety and integrity.
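To make the key-custody point concrete, here is an added Go example (not from the article or any product it describes) that models a cloud store holding AES-GCM ciphertext: a copy of that store yields plaintext only for blobs whose key the tenant also handed to the provider. The function names, key sizes and sample messages are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device, so the key never has to leave it; the
// server only ever sees nonce || ciphertext || GCM tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per message; reuse under a key breaks GCM
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the recipient's step; it fails closed on a wrong key or tampering.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated blob")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// BreachDump models an intruder who copied the provider's server whole: blobs
// are the stored ciphertexts, keys is whatever key material the tenant let the
// provider hold. Only blobs whose key sat on the same server come out readable.
func BreachDump(blobs, keys map[string][]byte) map[string]string {
	out := map[string]string{}
	for name, key := range keys {
		if pt, err := Open(key, blobs[name]); err == nil {
			out[name] = string(pt)
		}
	}
	return out
}
```

The blob whose key stayed on the client device is unreadable in the dump even though the intruder holds its complete ciphertext; the one whose key the provider stored decrypts immediately.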
Turning Think Tanks into “Hard Targets”
Military leaders often stress the importance to their troops of being a “hard target.” What they mean–denying an adversary an easy vector by which to attack you–sounds obvious. Unfortunately, many enterprises still have critical vulnerabilities in their networks. Think tanks are especially juicy hacking targets for anyone seeking to gain insight into Washington’s policymaking process or simply steal their troves of valuable personal and financial information.
Fortunately, there is hope. Next generation email, file-sharing, and storage systems designed for security and ease of use are now coming to market. They do not rely on passwords–as vulnerable as they are–to access user data, but rather locally stored cryptographic keys. These systems also do not require administrators to have “super user” privileges. They instead distribute power to “approval groups” of trusted individuals, a model far more resilient to cyber intrusions as it lacks a single point of attack. Most importantly, these systems safeguard information by automatically protecting all emails and files with end-to-end encryption.
Employing these systems to plug the gaps in think tank defenses could go a long way towards safeguarding them. Defending these organizations against electronic intruders should be a priority in today’s cyber threat environment.