Following the release of the ANU’s incident report on the June 2018 breach of their administrative systems, much more has been revealed about the true nature of the attack. The report, which details the timeline and specifics of the event, revealed that the attack was not only extremely sophisticated but also occurred over several months.
The attack began on November 9, 2018, with the first spearphishing email sent to a senior member of the ANU staff. The email installed malware on the target’s computer, which sent their credentials to “several external web addresses.” The malware then accessed the target’s calendar to help plan future attacks.
Unlike most simple phishing operations, the malware did not enter through a hyperlink or a downloaded file but instead was installed through merely previewing the email.
Between November 12 and 14, the invaders used the stolen credentials to access an internet-facing web server and create a ‘webshell.’ A webshell is a program that allows external access to and administration of a machine, as well as other devices on the same network. This program was used to create the tools and infrastructure which would be used throughout the attack.
On November 16, the actors used the compromised web server to access a ‘legacy server,’ which was scheduled for decommissioning in late 2019 and contained only trial software. Despite this, the server was still attached to a virtual LAN, meaning it had full access to the ANU’s network. As the stolen credentials were not those of a system administrator, it is believed that the actors used a ‘privilege escalation exploit’ to gain control of the server. The actors then used a second webshell to download the rest of the tools which primarily mapped the ANU network and deleted activity logs throughout the attack.
About a week later, the actors created two virtual machines on the server, which began to sniff for credentials in monitored or redirected network traffic and to gain access to a school machine. The following day the actors used a legacy mail server to send three emails to external email addresses. These emails most likely contained the data collected from the network mapping and traffic monitoring of the previous two days. The actors also established a ‘tunnelling proxy,’ a program which is used to take data out of a network.
On November 22, the actors began to extract records, converting them to a PDF format and withdrawing them from the compromised computer.
The second round of spearphishing emails occurred between November 24 and 25 and was much less successful than previous attempts. While the actors targeted 10 ANU email addresses in the second round of attacks, they only collected one set of credentials with limited success due to the target’s “lack of access.” The actors also accessed the network’s Lightweight Directory Access Protocol (LDAP), which allowed them to discover information about the ANU’s pool of Windows users and devices.
On November 27, the actors began a “network-wide attempt to compromise a range of servers,” eventually accessing file shares in the Enterprise System Domain (ESD). The ESD contains systems for human resources, financial management, student administration and enterprise e-forms. After failing to access these systems directly, the actors downloaded more code onto the network, which they used to gain access to the systems. It is believed that gaining access to the ESD was the ultimate goal of the attackers.
On November 29, in an attempt to bolster their spearphishing efforts, the actors connected to the University’s spam filter and attempted to disable its ability to detect malicious emails. There exists no forensic evidence, however, that they were successful in this attempt.
From here, they sent 75 more emails, 50 of which went to ANU addresses, and were successful in collecting at least one more administrative credential.
As a result of a routine firewall change on November 30, the actors were cut off from access to the original legacy server, which had become the base of operations for the attack.
It took nearly two weeks for the actors to regain access, finding an exploit in a second legacy server and continuing their attempts to access information. On December 19, the actors extracted 13 files using Tor, open-source software for enabling anonymous communication.
While this was occurring, the actors sent 40 more emails, targeting users with administrative access. These emails bolstered their legitimacy by adding details which were taken from the calendar accessed in the first phishing attack.
While several privileged accounts were harvested, their use on a second hijacked device was detected by ANU IT, and the computer was removed from the network. This was seen as an individual event and thus did not alert staff to the broader attack taking place. Before its removal, however, the actors were able to scan yet another web-facing server.
One final intrusion attempt occurred on February 22, using the server which had been scanned on December 21, but was ultimately unsuccessful. The last known activity by the actors on ANU systems was believed to have occurred in early March.
Though the attack was ultimately unsuccessful in accessing any large volumes of sensitive information, it was incredibly sophisticated. The report released by the ANU comments that the attack most likely required “a team of between 5 and 15 people working around the clock” and that they “likely spent months planning this.” As a result of their careful cleanup, it is still not clear who is responsible for the attack or why specific systems were targeted.
An inability to identify what was accessed and removed has only further complicated the investigation, and, until a complete analysis of the affected machines can be concluded, it is unknown if it will ever be discovered.