UNCLASSIFIED//FOR OFFICIAL USE ONLY

OFFICE OF INTELLIGENCE AND ANALYSIS
INTELLIGENCE NOTE

(U//FOUO) Cyber Theft of Data from US Think Tank Networks

22 August 2016

(U//FOUO) This Intelligence Note provides current intelligence on a threat to think tanks. This Note was prepared by the Office of Intelligence and Analysis (I&A) in direct support of the National Cybersecurity and Communications Integration Center (NCCIC).

(U//FOUO) Cyber Activity Against US Think Tanks

(U//FOUO) Think tanks are an enduring target of nation-state cyber actors. Cyber actors since late 2015 have exfiltrated sensitive information from US think tank networks on more than a dozen occasions. Most of these incidents targeted information related to US foreign and military policy, including theft of correspondence regarding US relations with foreign governments.

» (U//FOUO) Cyber actors in May exfiltrated data from a US think tank regarding US strategy in Syria, according to defense reporting.1 Cyber actors over a three-day period in May exfiltrated information regarding US defense cooperation with European allies, according to separate defense reporting.2

» (U//FOUO) Cyber actors between January and March likely targeted a US think tank and several other US organizations to obtain information on the entities’ networks and employees, according to defense reporting.3

» (U//FOUO) A cyber actor in late November 2015 collected information from a US think tank on Russia–Turkey relations, specifically information pertaining to the 24 November 2015 downing of a Russian military aircraft by the Turkish military, according to defense reporting.4

» (U//FOUO) A cyber actor in mid-November 2015 gained access to unclassified documents related to a US Special Operations Command (USSOCOM) project from a compromised US think tank network, according to defense reporting.5

(U//FOUO) Mitigation Techniques and Best Practices

(U//FOUO) Recommended practices and general guidelines on how to protect networks from
remote access tools are available on the US-CERT website at https://www.us-cert.gov. To report a computer security incident, either contact US-CERT at 1-888-282-0870 or go to https://forms.us-cert.gov/report/ and complete the US-CERT Incident Reporting System form.

(U//FOUO) I&A Assessment of Cyber Threats to US Think Tanks

(U//FOUO) The targeting and theft of data from think tanks is likely being conducted in part by state-sponsored actors due to the nature of US government-related information that is housed in and flows through these policy and research institutes. The exfiltration of employee rosters may also aid in possible further counterintelligence targeting of think tank personnel and their associates. I&A assesses cyber actors likely will continue to target think tanks and similar organizations, as many maintain significant connections to US government information and personnel, especially foreign policy sa.

IA-0XXX-16

(U) Warning: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid need to know without prior approval of an authorized DHS official. State and local homeland security officials may share this document with critical infrastructure and key resource personnel or private sector security officials without further approval from DHS.

(U) US person information has been minimized. Should you require the minimized US person information, please contact the I&A Production Branch at IA.PM@hq.dhs.gov, IA.PM@dhs.sgov.gov, or IA.PM@dhs.ic.gov.
1 (U//FOUO); 179207-16; 271151Z JUL 16; DOI UNK; (U//FOUO); A Cyber Actor Exfiltrates Data from a U.S. Think Tank, May 2016; Extracted information is U//FOUO; Overall document classification is U//FOUO.

2 (U//FOUO); 161866-16; 151832Z JUN 16; DOI UNK; (U//FOUO); A Cyber Actor Collected Information on U.S. Foreign and Defense Policy, May 2016; Extracted information is U//FOUO; Overall document classification is U//FOUO.

3 (U//FOUO); 132326-16; 311948Z MAR 16; DOI UNK; (U//FOUO); American and International Organizations Likely Targeted, January to March 2016; Extracted information is U//FOUO; Overall document classification is U//FOUO.

4 (U//FOUO); 149647-16; 131759Z MAY 16; DOI UNK; (U//FOUO); Cyber Actors Collect Data on Russia-Turkey Relations from Turkish MFA, U.S. Think Tank, Late November 2015; Overall document classification is U//FOUO; Extracted information is U//FOUO.

5 (U//FOUO); 101808-16; 081548Z JAN 16; DOI UNK; (U//FOUO); Cyber Actor Collects U.S. Military Documents Through Compromise of U.S. Think Tank, November 2015; Extracted information is U//FOUO; Overall document classification is U//FOUO.