Date:

Jan 2019

Location:

United States of America

Summary

The Center for Strategic and International Studies was targeted by Fancy Bear, a Russian military intelligence-linked hacking group, through a spearphishing campaign involving fraudulent domains designed to mimic the think tank's internal login systems. Microsoft obtained a court order to seize control of these malicious domains, which were part of a broader pattern of attacks against political and research institutions. The Washington think tank stated it detected the incident promptly and collaborated with Microsoft to mitigate the threat, noting no evidence of successful data compromise. The group, also known as APT28 or Strontium, previously employed similar tactics in high-profile breaches, including the Democratic National Committee hack. Microsoft highlighted ongoing efforts to disrupt such operations, having previously taken down fake websites targeting other organizations.

Motives:

1 motive

Tactics, Techniques & Procedures:

1 technique

Threat Actor:

1 actor

Description

In January 2019, the Russian hacking group Fancy Bear (also known as APT28 or Strontium, and linked to Russian military intelligence) targeted the Center for Strategic and International Studies (CSIS), a Washington-based think tank. The group prepared a spearphishing campaign by registering fraudulent domains designed to pass as legitimate CSIS login portals: LOGIN-CSIS.ORG, CSIS.EVENTS, CSIS.EXCHANGE, and CSIS.CLOUD. Each one embeds the organization's name in a plausible-looking hostname, so it could have been used to host fake authentication pages or as the sending domain for deceptive emails to people affiliated with CSIS, with the aim of harvesting their credentials. The method mirrored the group's 2016 compromise of the emails of Hillary Clinton campaign chairman John Podesta and its earlier intrusion into the Democratic National Committee. Microsoft identified the threat and sought legal intervention; on January 30, 2019, a Virginia court granted the company control over the malicious domains, designated in the filings as "Strontium Domains." Court filings indicated no evidence of successful data exfiltration or system breaches at CSIS. The think tank's communications chief, Andrew Schwartz, acknowledged persistent cyberattacks against CSIS by state-sponsored actors but declined to confirm whether any information was accessed during this incident.
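The four domains above (and the Microsoft-themed lookalikes described further down) all work the same way: a trusted name is embedded in a hostname the target does not actually control. The script below is an added example, not code from the page's source, Microsoft or CSIS; it shows how a defender would flag such hostnames in proxy or mail logs. It assumes csis.org is CSIS's legitimate domain (the page does not name it), and the log lines it scans are constructed for the demonstration. It goes slightly beyond the incident by also catching one-character typosquats, which the court filing does not mention.

```python
# Added example (not code from the page's source, Microsoft or CSIS):
# flag lookalike hostnames that embed or closely resemble a brand token.
import re
from urllib.parse import urlsplit

# Assumption: csis.org is CSIS's legitimate domain (the page does not name it).
LEGIT_DOMAINS = {"csis.org"}
BRAND_TOKENS = {"csis"}

# Constructed proxy-log lines for demonstration; not real traffic.
# The four hostnames from the court filing appear alongside a legitimate
# visit, a single-character typosquat and an unrelated site.
SAMPLE_LOG = """\
2019-01-28T09:12:01Z user=alice url=https://www.csis.org/analysis/report
2019-01-28T09:13:44Z user=bob url=https://login-csis.org/owa/auth/logon.aspx
2019-01-28T09:15:02Z user=carol url=https://csis.events/register
2019-01-28T09:16:30Z user=dave url=https://csis.exchange/owa/
2019-01-28T09:17:11Z user=erin url=https://mail.csis.cloud/login
2019-01-28T09:18:50Z user=frank url=https://csls.org/news
2019-01-28T09:19:05Z user=grace url=https://example.com/
"""

LOG_RE = re.compile(r"user=(\S+) url=(\S+)")


def hostname_of(url: str) -> str:
    """Lower-cased hostname from a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_allowlisted(host: str, allow) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allow)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, allow=LEGIT_DOMAINS, brands=BRAND_TOKENS):
    """Return (verdict, reason): 'legitimate', 'lookalike' or 'unknown'."""
    if is_allowlisted(host, allow):
        return "legitimate", ""
    for label in host.split("."):
        # Split hyphenated labels such as "login-csis" into words.
        for word in filter(None, re.split(r"[^a-z0-9]+", label)):
            for brand in brands:
                if brand in word:
                    return "lookalike", f"brand token '{brand}' in label '{label}'"
                if len(word) >= 4 and edit_distance(word, brand) == 1:
                    return "lookalike", f"label '{label}' is one edit from '{brand}'"
    return "unknown", ""


def scan_log(text: str):
    """Return (user, host, reason) for every flagged line in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host = hostname_of(m.group(2))
        verdict, reason = classify(host)
        if verdict == "lookalike":
            hits.append((m.group(1), host, reason))
    return hits


if __name__ == "__main__":
    for user, host, reason in scan_log(SAMPLE_LOG):
        print(f"{user:6} {host:18} {reason}")
```

Running it flags the four Strontium hostnames and the typosquat, and passes the genuine www.csis.org visit. The brand-token rule is deliberately loose: it will also flag a legitimate third party that puts the organization's name in its own hostname, and the one-edit rule can match short unrelated words, so the output is a triage queue rather than a block list. The same allowlist-plus-token check applied to newly registered domains or certificate transparency logs is how a defender would see domains like these before the first phishing email arrives.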


CSIS detected the phishing campaign early and collaborated with Microsoft to disrupt the operation before attackers could exploit the fake domains. Microsoft’s corporate vice president for customer security and trust, Tom Burt, characterized the action as part of a broader effort to safeguard democratic institutions, noting the company had similarly dismantled 89 fraudulent websites across 13 cases since 2017. This incident followed an August 2018 court order allowing Microsoft to seize domains targeting the U.S. Senate and two other think tanks—the Hudson Institute and the International Republican Institute. Microsoft argued in court filings that Fancy Bear had crafted the domains to appear as trusted Microsoft services, leveraging realistic-looking URLs to deceive targets. The company’s president, Brad Smith, emphasized that such tactics aimed to maximize the credibility of phishing attempts. While CSIS hosts high-profile figures like former Secretary of State Henry Kissinger, the court documents and CSIS statements confirmed no operational disruptions or confirmed data losses resulting from the attack. The coordinated legal and technical response neutralized the immediate threat, though CSIS reiterated its status as a frequent target of state-sponsored cyber campaigns.

Sources

1 source