University Hacker Remained Hidden Behind 'Shadow Ecosystem' for Six Weeks

The Australian National University (ANU) says the perpetrator behind a cyber attack on the university built a "shadow ecosystem" that allowed them to carry out their activities undetected for around six weeks.

The attack was made public in June this year but occurred in November 2018, when a hacker accessed the ANU network via a spear-phishing email sent to a senior member of staff.

According to a 20-page incident report released by the ANU, the "malicious code in the email didn't require the staff member to click on a link or download and open an attachment". This "interaction-less attack" nonetheless resulted in the staff member's credentials being sent to several external web addresses, and the report says it is "highly likely that the credentials taken from this account were used to gain access to other systems."

The report stated that the pathway taken by the hacker made it obvious they were only interested in accessing the Enterprise Systems Domain (ESD) that houses the human resources, financial management, student administration and enterprise e-forms systems. There was no evidence to suggest the hacker was interested in other files, such as administrative documents or research data.

"By gaining access to ESD, the (hacker) was able to copy and steal an unknown quantity of data contained in the systems," said the ANU. "There is some evidence to suggest the (hacker) attempted to regain access to ESD during February 2019, but this second attack was ultimately unsuccessful."

Initially it was thought that the stolen data, which at the time (June) was said to include names, tax file numbers, payroll information, bank account details and passport details, went back nearly 20 years. That figure was revised in the report.

"It was assumed that all data, dating back some 19 years, had been potentially affected and reported as such to err on the side of caution," said the ANU. "More recent forensic analysis has been able to determine that the amount of data taken is much less than 19 years’ worth; although it is not possible to determine how many, or precisely which, records were taken."

The ANU also noted the sophistication and determination of the hacker: "(They) evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities."

Once the hacker gained access to the ANU network, they built a "shadow ecosystem" of compromised ANU machines, tools and network connections, and it was here they worked, undetected, for what was to be six weeks.

During this time the hacker gained access to a legacy server that, while hosting trial software, was attached to a virtual LAN with extensive access across the ANU network. The ANU is unclear how the hacker accessed the legacy server but thinks a "privilege escalation exploit was used to gain full control." It was from this server, which came to be known as 'attack station one', that much of the damage was done, including the launch of several more phishing email campaigns (some of which were successful).

According to the report, since the first breach in May 2018 the ANU "has increased its technical cybersecurity efforts considerably ... and is now nearing the end of the tactical measures program arising from that incident. However, given the complexity and age of the IT network, the rollout of these measures has taken considerable time."

The report goes on: "Without the measures already in place, the second intrusion would not have been detected, and the subsequent attacks might have been more successful. Unfortunately, there was not sufficient time to universally implement all measures across the ANU network between the two attacks in 2018."

Numerous recommendations have come in the wake of the attack, including the rollout of two-factor authentication, segmentation of the Enterprise Systems Domain, removing legacy authentication across all systems, reviewing firewall coverage (with industry assistance) and 'cyber' simulation exercises (the first is scheduled for 2020).

The identity of the attacker remains a mystery.
