ANU outlines "shockingly sophisticated" cyber attack

By Dylan Bushell-Embling
Thursday, 03 October, 2019

ANU outlines "shockingly sophisticated" cyber attack

The Australian National University has released a detailed report outlining the findings of its forensic investigation into the major data breach disclosed earlier this year.

The report, which Vice Chancellor Brian Schmidt said is believed to be the first publicly available report of its kind published following an attack on an Australian institution, found that the breach was not as bad as initially thought.

It tells the story of some pretty fundamental lapses in security among the ANU’s IT staff, including maintaining legacy email systems and servers running expired trial software.

On the bright side, the investigation found that while it’s not possible to confirm exactly what data was taken, it is much less than the 19 years’ worth that the ANU had previously disclosed.

The stolen data has also not currently been further misused, the report states.

Shockingly sophisticated

The report confirmed that the breach was the result of a highly targeted spearphishing attack that was “shocking in its sophistication”. It did not even require the affected staff member to download an attachment or click on a link to compromise their email system.

Due to the sophisticated nature of the attack, security officials have previously flagged China as a likely culprit, citing fears that information stolen from the hacked email accounts could be used in the future to compromise senior defence and government officials and turn them into double agents.

Schmidt said that while the ANU is committed to transparency and the forensic report could prove a useful tool for other organisations to help defend against the chance of similar attacks, the university has had to strike a balance between that objective and avoiding giving future attackers an “instruction manual” for how to carry out attacks on ANU systems.

According to the report, the attack commenced on 9 November, the date the first spearphishing email was sent to a senior member of staff.

The attacker appears to have used compromised credentials obtained in the initial attack to access an internet facing webserver used by one of the ANU’s schools on 12 November, and used this over the course of two days to set up the infrastructure and tools to be used throughout the campaign.

From the compromised webserver, the attacker was able to gain access to a legacy server hosting trial software and scheduled for decommissioning late this year. This was attached to a virtual LAN with extensive access across the ANU network.

This virtual LAN was used to set up two “attack stations” used to run scripts and perform remote management tasks including scheduled deletion of logs to hide their activities.

The attacker then started to map the ANU network on 21 November, and exfiltrated this data by connecting to a legacy mail server and sending three emails to external addresses.

But despite the wide range of access, the attacker was laser focused on the ANU’s Enterprise Systems Domain (ESD).

The targeted activity of the perpetrator or perpetrators indicates that the sole aim was to compromise the ESD, the component of its network which houses human resources, financial management, student administration and enterprise e-forms systems.

There is no forensic evidence to suggest that the threat actor accessed or even had any interest in files containing research data, intellectual property or general administrative documents, the report states.

The report found that three further spearphishing campaigns were conducted throughout the attack, using compromised information gained from the first campaign.

“The tactics, techniques and procedures used during the attack highlight the sophistication and determination of the actor,” the report states.

“In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities.”

The attacker routinely erased files, logs and entire disks to hide their tracks, and used other sophisticated software including network session and mapping tools as well as bespoke JavaScript and PowerShell scripts.

The incident has raised several issues that the ANU is now working to address, such as the requirement to improve phishing awareness campus-wide, and to fully identify legacy and at-risk devices on the ANU network.

The university also plans to accelerate its implementation of two-factor authentication, and to conduct network hardening activities such as revalidating firewall coverage for all parts of the public network, and implementing network segmentation, zoning and vulnerability and patch management initiatives.

According to the report, the ANU also plans to start conducting ongoing practice and simulation exercises to improve its responsiveness to future attacks, with the first exercise scheduled to be complete in 2020.

The first indications of an intrusion were detected in April, and the breach itself was detected on 17 May.

After the attack was uncovered, the ANU implemented a range of additional security controls inside its network and the ESD in particular. This was conducted in the two weeks prior to the ANU disclosing the breach — which was required because the domain was under continued attack during this period.

Image credit: © Jackson

Related Articles

Australia condemns state attacks on health infrastructure

Australia's Ambassador for Cyber Affairs has condemned state-backed malicious actors that are...

Toll Group still recovering from ransomware attack

Toll Group is still facing disruption to some IT systems after falling victim to its second major...

APT groups targeting Australian health sector

State-backed APT groups are targeting Australia's health sector for COVID-19 research and...

  • All content Copyright © 2020 Westwick-Farrow Pty Ltd