{"id":86932,"date":"2018-12-03T08:00:10","date_gmt":"2018-12-03T16:00:10","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=86932"},"modified":"2025-12-16T08:17:47","modified_gmt":"2025-12-16T16:17:47","slug":"analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/","title":{"rendered":"Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Reuters recently reported a hacking campaign focused on a wide range of targets across the globe. In the days leading to the Reuters publication, Microsoft researchers were closely tracking the same campaign.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our sensors revealed that the campaign primarily targeted public sector institutions and non-governmental organizations like think tanks and research centers, but also included educational institutions and private-sector corporations in the oil and gas, chemical, and hospitality industries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft customers using the complete&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Security-Privacy-and-Compliance\/Announcing-Microsoft-Threat-Protection\/ba-p\/262783\">Microsoft Threat Protection<\/a>&nbsp;solution were protected from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages.&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/office-365-atp\">Office 365 Advanced Threat Protection<\/a>&nbsp;caught the malicious URLs used in emails, driving the blocking of said emails, including first-seen samples. 
Meanwhile, numerous alerts in&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">Windows Defender Advanced Threat Protection<\/a>&nbsp;exposed the attacker techniques across the attack chain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Third-party security researchers have attributed the attack to a threat actor named APT29 or CozyBear, which largely overlaps with the activity group that Microsoft calls YTTRIUM. While our fellow analysts make a compelling case, Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regardless, due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the&nbsp;<a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2018\/04\/13\/announcing-the-defending-democracy-program\/\">Defending Democracy Program<\/a>, Microsoft encourages eligible organizations to participate in&nbsp;<a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2018\/08\/20\/protecting-democracy-with-microsoft-accountguard\/\">Microsoft AccountGuard<\/a>, a service designed to help these highly targeted customers protect themselves from cybersecurity threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"attack-overview\">Attack overview<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The aggressive campaign began early in the morning of Wednesday, November 14. 
The targeting appeared to focus on organizations that are involved with policy formulation and politics or have some influence in that area.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"648\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/1-not-yttrium-phishing-targets-verticals-2.png\" alt=\"Phishing targets in different industry verticals\" class=\"wp-image-86974\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/1-not-yttrium-phishing-targets-verticals-2.png 1000w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/1-not-yttrium-phishing-targets-verticals-2-300x194.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/1-not-yttrium-phishing-targets-verticals-2-768x498.png 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Phishing targets in different industry verticals<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Although targets are distributed across the globe, the majority are located in the United States, particularly in and around Washington, D.C. 
Other targets are in Europe, Hong Kong, India, and Canada.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"652\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/12\/2-not-yttrium-phishing-targets-geo-map-thumb.png\" alt=\"Phishing targets in different locations\" class=\"wp-image-87034\" style=\"width:712px;height:auto\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/12\/2-not-yttrium-phishing-targets-geo-map-thumb.png 700w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/12\/2-not-yttrium-phishing-targets-geo-map-thumb-300x279.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Phishing targets in different locations<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The spear-phishing emails mimicked sharing notifications from OneDrive and, as noted by Reuters, impersonated the identity of individuals working at the United States Department of State. 
If recipients clicked a link on the spear-phishing emails, they began an exploitation chain that resulted in the implantation of a DLL backdoor that gave the attackers remote access to the recipients\u2019 machines.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"834\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/3-not-yttrium-attack-chain-1024x834.png\" alt=\"Attack chain\" class=\"wp-image-86941\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/3-not-yttrium-attack-chain-1024x834.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/3-not-yttrium-attack-chain-300x244.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/3-not-yttrium-attack-chain-768x625.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/3-not-yttrium-attack-chain.png 1130w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Attack chain<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"analysis-of-the-campaign\">Analysis of the campaign<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"delivery\">Delivery<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The spear-phishing emails used in this attack resemble file-sharing notifications from OneDrive.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"550\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/4-not-yttrium-email-sample-2-1024x550.png\" alt=\"spear-phishing email shown that resembles file-sharing notifications from OneDrive\" class=\"wp-image-86977\" 
srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/4-not-yttrium-email-sample-2-1024x550.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/4-not-yttrium-email-sample-2-300x161.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/4-not-yttrium-email-sample-2-768x413.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/4-not-yttrium-email-sample-2.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The emails contain a link to a legitimate, but compromised third-party website:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nhxxps:\/\/www.jmj.com\/personal\/nauerthn_state_gov\/TUJE7QJl[random string]\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">The random strings are likely used to identify distinct targeted individuals who clicked on the link. However, all observed variants of this link redirect to a specific link on the same site:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nhxxps:\/\/www.jmj.com\/personal\/nauerthn_state_gov\/VFVKRTdRSm\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">When users click the link, they are served a ZIP archive containing a malicious LNK file. All files in a given attack have the same file name, for example,&nbsp;<em>ds7002.pdf<\/em>,&nbsp;<em>ds7002.zip<\/em>, and&nbsp;<em>ds7002.lnk<\/em>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"installation\">Installation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The LNK file represents the first stage of the attack. 
It executes an obfuscated PowerShell command that extracts a base64-encoded payload from within the LNK file itself, starting at offset&nbsp;<em>0x5e2be<\/em>&nbsp;and extending 16,632 bytes.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"746\" height=\"205\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/5-not-yttrium-encoded-content-lnk-file.png\" alt=\"Encoded content in the LNK file\" class=\"wp-image-86947\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/5-not-yttrium-encoded-content-lnk-file.png 746w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/5-not-yttrium-encoded-content-lnk-file-300x82.png 300w\" sizes=\"auto, (max-width: 746px) 100vw, 746px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Encoded content in the LNK file<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The encoded payload\u2014another heavily obfuscated PowerShell script\u2014is decoded and executed:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1217\" height=\"224\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/6-not-yttrium-decoded-second-script.png\" alt=\"Decoded second script\" class=\"wp-image-86950\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/6-not-yttrium-decoded-second-script.png 1217w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/6-not-yttrium-decoded-second-script-300x55.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/6-not-yttrium-decoded-second-script-768x141.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/6-not-yttrium-decoded-second-script-1024x188.png 1024w\" sizes=\"auto, (max-width: 1217px) 100vw, 1217px\" 
\/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Decoded second script<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The second script carves out two additional resources from within the .LNK file:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>ds7002.PDF<\/em>\u00a0(A decoy PDF)<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>cyzfc.dat<\/em>\u00a0(The first-stage implant)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"command-and-control\">Command and control<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The first-stage DLL,&nbsp;<em>cyzfc.dat<\/em>, is created by the PowerShell script in the path&nbsp;<em>%AppData%\\Local\\cyzfc.dat<\/em>. It is a 64-bit DLL that exports one function:&nbsp;<em>PointFunctionCall<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The PowerShell script then executes&nbsp;<em>cyzfc.dat<\/em>&nbsp;by calling&nbsp;<em>rundll32.exe<\/em>. After connecting to the first-stage command-and-control server at&nbsp;<em>pandorasong[.]com<\/em>&nbsp;(95.216.59.92),&nbsp;<em>cyzfc.dat<\/em>&nbsp;begins to install the final payload by taking the following actions:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Allocate a\u00a0<em>ReadWrite<\/em>\u00a0page for the second-stage payload<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Extract the second-stage payload as a resource<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Take a header that is baked into the first payload with a size of\u00a0<em>0xEF<\/em>\u00a0bytes<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Concatenate the header with the resource, starting at byte\u00a0<em>0x12A<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\">De-XOR the second-stage payload with a rolling XOR (ROR1), starting from key\u00a0<em>0xC5<\/em><\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"620\" height=\"362\" 
src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/7-not-yttrium.png\" alt=\"Screenshot of some code\" class=\"wp-image-86953\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/7-not-yttrium.png 620w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/7-not-yttrium-300x175.png 300w\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The second stage is an instance of Cobalt Strike, a commercially available penetration testing tool, which performs the following steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Define a local named pipe with the format\u00a0<em>\\\\.\\pipe\\MSSE-&lt;number>-server<\/em>, where\u00a0<em>&lt;number><\/em>\u00a0is a random number between 0 and 9897<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Connecting to the pipe, write it global data with size\u00a0<em>0x3FE00<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\">Implement a backdoor over the named pipe:\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Read from the pipe (maximum\u00a0<em>0x3FE00<\/em>\u00a0bytes) to an allocated buffer<\/li>\n\n\n\n<li class=\"wp-block-list-item\">DeXOR the payload onto a new RW memory region, this time with a much simple XOR key: simple XORing every 4 bytes with\u00a0<em>0x7CC2885F<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\">Turn the region to be RX<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Create a thread that starts running the payload\u2019<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"656\" height=\"143\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/8-not-yttrium.png\" alt=\"Screenshot of some code\" class=\"wp-image-86956\" 
srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/8-not-yttrium.png 656w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/8-not-yttrium-300x65.png 300w\" sizes=\"auto, (max-width: 656px) 100vw, 656px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"838\" height=\"533\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/9-not-yttrium.png\" alt=\"Screenshot of some code\" class=\"wp-image-86959\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/9-not-yttrium.png 838w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/9-not-yttrium-300x191.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/9-not-yttrium-768x488.png 768w\" sizes=\"auto, (max-width: 838px) 100vw, 838px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"676\" height=\"269\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/10-not-yttrium.png\" alt=\"Screenshot of some code\" class=\"wp-image-86962\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/10-not-yttrium.png 676w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/10-not-yttrium-300x119.png 300w\" sizes=\"auto, (max-width: 676px) 100vw, 676px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The phase that writes to global data to the pipe actually writes a third payload. That payload is XORed with the same XORing algorithm used for reading. 
When decrypted, it forms a PE file with a Meterpreter header; the instructions in the PE header are interpreted and control is passed to a reflective loader:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"404\" height=\"261\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/11-not-yttrium.png\" alt=\"Screenshot of some code\" class=\"wp-image-86965\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/11-not-yttrium.png 404w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/11-not-yttrium-300x194.png 300w\" sizes=\"auto, (max-width: 404px) 100vw, 404px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The third payload eventually gets loaded and connects to the command-and-control (C&amp;C) server address that is baked into the configuration information in the PE file. This configuration information is de-XORed at runtime by the third payload:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"457\" height=\"171\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/12-not-yttrium.png\" alt=\"Screenshot of some code\" class=\"wp-image-86968\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/12-not-yttrium.png 457w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/12-not-yttrium-300x112.png 300w\" sizes=\"auto, (max-width: 457px) 100vw, 457px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The configuration information itself mostly contains C&amp;C information:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"643\" height=\"304\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/13-not-yttrium.png\" alt=\"Screenshot of some code\" class=\"wp-image-86971\" 
srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/13-not-yttrium.png 643w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/13-not-yttrium-300x142.png 300w\" sizes=\"auto, (max-width: 643px) 100vw, 643px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">CobaltStrike is a feature-rich penetration testing tool that provides remote attackers with a wide range of capabilities, including escalating privileges, capturing user input, executing arbitrary commands through PowerShell or WMI, performing reconnaissance, communicating with C&amp;C servers over various protocols, and downloading and installing additional malware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"end-to-end-defense-through-microsoft-threat-protection\">End-to-end defense through Microsoft Threat Protection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Security-Privacy-and-Compliance\/Announcing-Microsoft-Threat-Protection\/ba-p\/262783\">Microsoft Threat Protection<\/a>&nbsp;is a comprehensive solution for enterprise networks, protecting identities, endpoints, user data, cloud apps, and infrastructure. By integrating Microsoft services, Microsoft Threat Protection facilitates signal sharing and threat remediation across services. In this attack, Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection quickly mitigated the threat at the onset through durable behavioral protections.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/office-365-atp\">Office 365 ATP<\/a>&nbsp;has enhanced phishing protection and coverage against new threats and polymorphic variants. Detonation systems in Office 365 ATP caught behavioral markers in links in the emails, allowing us to successfully block campaign emails\u2014including first-seen samples\u2014and protect targeted customers. 
Three existing behavior-based detection algorithms quickly determined that the URLs were malicious. In addition, Office 365 ATP uses security signals from Windows Defender ATP, which had a durable behavior-based antivirus detection (<em>Behavior:Win32\/Atosev.gen!A<\/em>) for the second-stage malware.&nbsp;If you are not already secured against advanced cyberthreat campaigns via email,&nbsp;<strong><a href=\"https:\/\/portal.office.com\/signup\/logout?OfferId=101bde18-5ffb-4d79-a47b-f5b2c62525b3&amp;dl=ENTERPRISEPREMIUM&amp;culture=en-US&amp;country=US\">begin a free Office 365 E5 trial<\/a>&nbsp;<\/strong>today.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/atp-safe-links\">Safe Links protection<\/a>&nbsp;in Office 365 ATP protects customers from attacks like this by analyzing unknown URLs when customers try to open them.&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/zero-hour-auto-purge\">Zero-hour Auto Purge<\/a>&nbsp;(ZAP) actively removes emails post-delivery after they have been verified as malicious\u2014this is often critical in stopping attacks that weaponize embedded URLs after the emails are sent.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">All of these protections and signals on the attack entry point are shared with the rest of the Microsoft Threat Protection components. Windows Defender ATP customers would see alerts related to the detection of the malicious emails by Office 365 ATP, as well as the behavior-based antivirus detection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">Windows Defender ATP<\/a>&nbsp;detects known filesystem and network artifacts associated with the attack. In addition, the actions of the LNK file are detected behaviorally. 
Alerts with the following titles are indicative of this attack activity:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>Artifacts associated with an advanced threat detected<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>Network activity associated with an advanced threat detected<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>Low-reputation arbitrary code executed by signed executable<\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>Suspicious LNK file opened<\/em><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Network protection blocks connections to malicious domains and IP addresses. The following&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-exploit-guard\/attack-surface-reduction-exploit-guard\">attack surface reduction<\/a>&nbsp;rule also blocks malicious activities related to this attack:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>Block executable files from running unless they meet a prevalence, age, or trusted list criteria<\/em><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Through Windows Defender Security Center, security operations teams could investigate these alerts and pivot to machines, users, and the new&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-atp\/incidents-queue\">Incidents<\/a>&nbsp;view to trace the attack end-to-end. 
Automated investigation and response capabilities,&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-atp\/threat-analytics\">threat analytics<\/a>, as well as advanced hunting and new&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-atp\/custom-detection-rules\">custom detections<\/a>, empower security operations teams to defend their networks from this attack.&nbsp;To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks,&nbsp;<strong><a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">sign up for a free Windows Defender ATP trial<\/a><\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The following Advanced hunting query can help security operations teams search for any related activities within the network:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/\/Query 1: Events involving the DLL container\nlet fileHash = \"9858d5cb2a6614be3c48e33911bf9f7978b441bf\";\nfind in (FileCreationEvents, ProcessCreationEvents, MiscEvents, \nRegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)\nwhere SHA1 == fileHash or InitiatingProcessSHA1 == fileHash\n| where EventTime > ago(10d)\n\n\/\/Query 2: C&C connection\nNetworkCommunicationEvents \n| where EventTime > ago(10d) \n| where RemoteUrl == \"pandorasong.com\" \n\n\/\/Query 3: Malicious PowerShell\nProcessCreationEvents \n| where EventTime > ago(10d) \n| where ProcessCommandLine contains \n\"-noni -ep bypass $zk=' JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0\" \n\n\/\/Query 4: Malicious domain in default browser commandline\nProcessCreationEvents \n| where EventTime > ago(10d) \n| where ProcessCommandLine contains 
\n\"https:\/\/www.jmj.com\/personal\/nauerthn_state_gov\" \n\n\/\/Query 5: Events involving the ZIP\nlet fileHash = \"cd92f19d3ad4ec50f6d19652af010fe07dca55e1\";\nfind in (FileCreationEvents, ProcessCreationEvents, MiscEvents, \nRegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)\nwhere SHA1 == fileHash or InitiatingProcessSHA1 == fileHash\n| where EventTime > ago(10d)\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">The provided queries check events from the past ten days. Change EventTime to focus on a different period.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em><strong>Windows Defender Research team<\/strong>,&nbsp;<strong>Microsoft Threat Intelligence Center<\/strong>, and&nbsp;<strong>Office 365 ATP research team<\/strong><\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"indicators-of-attack\">Indicators of attack<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Files (SHA-1)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">ds7002.ZIP: cd92f19d3ad4ec50f6d19652af010fe07dca55e1<\/li>\n\n\n\n<li class=\"wp-block-list-item\">ds7002.LNK: e431261c63f94a174a1308defccc674dabbe3609<\/li>\n\n\n\n<li class=\"wp-block-list-item\">ds7002.PDF (decoy PDF): 8e928c550e5d44fb31ef8b6f3df2e914acd66873<\/li>\n\n\n\n<li class=\"wp-block-list-item\">cyzfc.dat (first-stage): 9858d5cb2a6614be3c48e33911bf9f7978b441bf<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">URLs<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">hxxps:\/\/www.jmj[.]com\/personal\/nauerthn_state_gov\/VFVKRTdRSm<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">C&amp;C servers<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">pandorasong[.]com (95.216.59.92) (first-stage C&amp;C server)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"talk-to-us\"><strong>Talk to us<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Questions, 
concerns, or insights on this story? Join discussions at the&nbsp;<a href=\"https:\/\/answers.microsoft.com\/en-us\/protect\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft community<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Follow us on Twitter&nbsp;<a href=\"https:\/\/twitter.com\/WDSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@WDSecurity<\/a>&nbsp;and Facebook&nbsp;<a href=\"https:\/\/www.facebook.com\/MsftWDSI\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Reuters recently reported a hacking campaign focused on a wide range of targets across the globe. In the days leading to the Reuters publication, Microsoft researchers were closely tracking the same campaign.<\/p>\n","protected":false},"author":61,"featured_media":86938,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","ms-ems-related-posts":[87040,86650,86800],"footnotes":""},"post_tag":[3906],"threat-intelligence":[3727,3730],"content-type":[3663],"job-role":[],"product":[],"topic":[3674,3687],"coauthors":[1968],"class_list":["post-86932","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-non-governmental-organizations","threat-intelligence-attacker-techniques-tools-and-infrastructure","threat-intelligence-cybercrime","content-type-research","topic-incident-response","topic-threat-intelligence","review-flag-1694638272-264","review-flag-1694638264-948","review-flag-1694638265-576","review-flag-1694638265-310","review-flag-1694638271-781","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-16946
38266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Reuters recently reported a hacking campaign focused on a wide range of targets across the globe. 
In the days leading to the Reuters publication, Microsoft researchers were closely tracking the same campaign.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-12-03T16:00:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-16T16:17:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"652\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers\",\"datePublished\":\"2018-12-03T16:00:10+00:00\",\"dateModified\":\"2025-12-16T16:17:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/\"},\"wordCount\":1606,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png\",\"keywords\":[\"Non-governmental organizations (NGOs)\"],\"articleSection\":[\"Advanced Threat Analytics\",\"Endpoint security\",\"Microsoft security intelligence\",\"Office 365 Security\",\"Security 
Intelligence\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/\",\"name\":\"Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png\",\"datePublished\":\"2018-12-03T16:00:10+00:00\",\"dateModified\":\"2025-12-16T16:17:47+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-atta
ckers\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png\",\"width\":1000,\"height\":652},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analysis of cyberattack on U.S. 
think tanks, non-profits, public sector by unidentified attackers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/a385e64377ec1eb81d3bd7f9839f060b\",\"name\":\"Microsoft 
Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/0242738c3da64c97e705834683728e774a3f4e29c071681ed74a68e3a671d270?s=96&d=microsoft&r=gea2dea4ce5dbbbe4077dc25334909eb7\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0242738c3da64c97e705834683728e774a3f4e29c071681ed74a68e3a671d270?s=96&d=microsoft&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0242738c3da64c97e705834683728e774a3f4e29c071681ed74a68e3a671d270?s=96&d=microsoft&r=g\",\"caption\":\"Microsoft Security\"},\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/mssecurity\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/","og_locale":"en_US","og_type":"article","og_title":"Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers | Microsoft Security Blog","og_description":"Reuters recently reported a hacking campaign focused on a wide range of targets across the globe. 
In the days leading to the Reuters publication, Microsoft researchers were closely tracking the same campaign.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/","og_site_name":"Microsoft Security Blog","article_published_time":"2018-12-03T16:00:10+00:00","article_modified_time":"2025-12-16T16:17:47+00:00","og_image":[{"width":1000,"height":652,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Analysis of cyberattack on U.S. 
think tanks, non-profits, public sector by unidentified attackers","datePublished":"2018-12-03T16:00:10+00:00","dateModified":"2025-12-16T16:17:47+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/"},"wordCount":1606,"commentCount":0,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png","keywords":["Non-governmental organizations (NGOs)"],"articleSection":["Advanced Threat Analytics","Endpoint security","Microsoft security intelligence","Office 365 Security","Security Intelligence"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/","name":"Analysis of cyberattack on U.S. 
think tanks, non-profits, public sector by unidentified attackers | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png","datePublished":"2018-12-03T16:00:10+00:00","dateModified":"2025-12-16T16:17:47+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/2-not-yttrium-phishing-targets-geo-map.png","width":1000,"height":652},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/03\/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\/#breadcrumb","itemListElement":
[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/a385e64377ec1eb81d3bd7f9839f060b","name":"Microsoft 
Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/0242738c3da64c97e705834683728e774a3f4e29c071681ed74a68e3a671d270?s=96&d=microsoft&r=gea2dea4ce5dbbbe4077dc25334909eb7","url":"https:\/\/secure.gravatar.com\/avatar\/0242738c3da64c97e705834683728e774a3f4e29c071681ed74a68e3a671d270?s=96&d=microsoft&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0242738c3da64c97e705834683728e774a3f4e29c071681ed74a68e3a671d270?s=96&d=microsoft&r=g","caption":"Microsoft Security"},"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/mssecurity\/"}]}},"bloginabox_animated_featured_image":null,"bloginabox_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/86932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=86932"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/86932\/revisions"}],"predecessor-version":[{"id":144572,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/86932\/revisions\/144572"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/86938"}],"wp:attachment":[{"href":"https:\/\/www.microso
ft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=86932"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/post_tag?post=86932"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=86932"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=86932"},{"taxonomy":"job-role","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/job-role?post=86932"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/product?post=86932"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=86932"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=86932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}