ANU hackers built 'shadow ecosystem' to stay hidden for six weeks

The attacker that infiltrated the Australian National University’s enterprise systems built up a “shadow ecosystem” of compromised machines - physical and virtual - that allowed them to stay undetected for six weeks.

The university released a 20-page post-incident report [pdf] on Wednesday that shone new light on the attack, which was publicly announced in June.

The intrusion was only detected in April “during a baseline threat hunting exercise”. ANU said it engaged defence contractor Northrop Grumman to lead the cleanup effort and forensics.

ANU said the attack was initiated in November 2018 via a spearphishing email that was previewed by a senior staffer.

Its report lays out a detailed chronology of the attack.

“Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment,” the university said.

“This ‘interaction-less’ attack resulted in the senior staff member’s credentials being sent to several external web addresses. 

“It is highly likely that the credentials taken from this account were used to gain access to other systems. 

“The actor also gained access to the senior staff member’s calendar - information which was used to conduct additional spearphishing attacks later in the actor’s campaign.”

The attacker is thought to have first used the stolen credentials to access a web server, and then moved internally to a “legacy server hosting trial software” that was scheduled for decommissioning in late 2019.

“Unfortunately, the server was attached to a virtual LAN with extensive access across the ANU network,” ANU said.

ANU is uncertain how the attacker managed to access the legacy server, but suspects a “privilege escalation exploit was used to gain full control”.

That server was then set up as an “attack station” over a period of two days. It was used - among other things - to sniff out other credentials on “monitored or redirected network traffic”, and as a base to move laterally into other parts of the ANU network.

More spearphishing campaigns followed, along with the use of malware and password cracking, as the attacker searched for credentials that could be used to access databases and temporary storage underpinning key enterprise systems, such as HR and finance.

ANU inadvertently cut the attacker off from accessing the ‘attack station’ following a “routine firewall change”.

This was fortunate for ANU in more ways than one. The attacker had "exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence", but did not have time to clean up the first 'attack station' prior to being cut off from it.

"Analysis of attack station one is still underway at the time of this report," ANU said, noting it is the biggest source of forensic evidence available.

It took the attacker a fortnight but they were able to re-establish an entry point and create another ‘attack station’ using different infrastructure.

The attacker then tried to phish 40 staff with privileged accounts, sending an email called “New Planning for Information Technology Services”.

A “handful” of account credentials were harvested, but ANU IT also detected the new ‘attack station’ and cut it off.

“At the time, however, this activity was treated as an individual event, by ANU IT, rather than part of a broader campaign,” the university noted.

The attacker appeared to try again to re-establish a connection into the university’s core enterprise systems in February this year, but was ultimately unsuccessful.

ANU said it is still unsure how much data was exfiltrated, and the nature of it, but said it "is highly likely" to be "much less" than the 19 years’ worth of data first thought to have been lost.

"Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken," vice-chancellor Professor Brian Schmidt said.

"However, our analysis has been able to establish that while the hackers had access to data up to 19-years-old, the hackers took much less than the 19 years’ worth of data we originally feared.

"We also knew the stolen data has not been further misused.

"Frustratingly this brings us no closer to the motivations of the actor."

ANU said it was conducting a sweep of its IT environment to locate legacy gear and systems.

It is also segmenting, zoning and otherwise hardening its network, expediting the rollout of two-factor authentication, and reworking its risk management strategies.

Additionally, the university plans to run simulated attacks on its environmnent in future as part of ongoing preparedness.