[BreachExchange] ANU incident report on massive data breach is a must-read

Destry Winant destry at riskbasedsecurity.com
Thu Oct 3 01:55:24 EDT 2019


https://www.zdnet.com/article/anu-incident-report-on-massive-data-breach-a-must-read/

"This report from ANU is an example to everyone else of how to deal
with cyberattacks," tweeted Vanessa Teague, associate professor in
cybersecurity at the University of Melbourne, on Wednesday.

"Honest, technical, detailed, and full of good advice for protecting
data. Attacks will keep happening. This is the way to understand them
and learn to improve our defences."

She's right.

The report in question is a detailed incident report [PDF] of the
massive data breach suffered by Australian National University (ANU)
in late 2018, discovered in May 2019, and revealed two weeks later in
June.

The hackers had gained access to up to 19 years' worth of data in the
university's Enterprise Systems Domain (ESD), which houses its human
resources, financial management, student administration, and
"enterprise e-forms systems".

ANU's vice-chancellor and president, Professor Brian Schmidt, had
committed to making the breach investigation public. This report more
than delivers on that promise. It's a must-read.

"The perpetrators of our data breach were extremely sophisticated.
This report details the level of sophistication, the likes of which
has shocked even the most experienced Australian security experts,"
Schmidt wrote this week.

The report details how the attackers organised four separate
spearphishing campaigns and built their data exfiltration
infrastructure on compromised web servers and legacy systems.

"In addition to their efficiency and precision, the actor evaded
detection systems, evolved their techniques during the campaign, used
custom malware, and demonstrated an exceptional degree of operational
security that left few traces of their activities," the report said.

The attacker's tradecraft included:

Altering the signatures of more common malware to avoid detection
Assembling malware and some tools inside the ANU network after a
foothold had been established. Individual components did not trigger
endpoint protection
Downloading "several types of virtualisation software before selecting one"
Downloading disk images for Windows XP and Kali Linux, although "there
is little evidence to suggest much use of Kali Linux"
Compiling bespoke malware within the ANU network to gain access to
ESD. "The purpose of this code remains unknown, and no forensic traces
of it or the executable file which was compiled from the code have
been found at the time of this report," the report said

"The actor's use of a third-party tool to extract data directly from
the underlying databases of our administrative systems effectively
bypassed application-level logging. Safeguards against this happening
again have been implemented," the report said.

The attackers even tried to maximise the effectiveness of their
spearphishing efforts by attempting to disable the university's email
spam filters, although "there is no forensic evidence to suggest that
they were successful in this attempt".

ANU's analysis shows that the attackers exfiltrated much less data
than the 19 years' worth that was originally feared, but does not show
exactly what was taken.

"Despite our considerable forensic work, we have not been able to
determine, accurately, which records were taken ... We also knew the
stolen data has not been further misused," Schmidt wrote.

"Frustratingly this brings us no closer to the motivations of the actor."

Even though the attacker had gained broader access, ANU said it's
clear from the pathway taken that their sole aim was to penetrate ESD.

"There is no forensic evidence to suggest the actor accessed or
displayed any interest in files containing general administrative
documents or research data; nor was the ANU Enterprise Records
Management System (ERMS) affected," the report said.

"It is worth noting that ANU was subject to further intrusion attempts
within one hour of the public announcement and on the following day,
both of which were stopped."

ANU has declined to attribute the attack to any particular adversary.

For years now, chief information security officers (CISOs) and others
have been telling organisations to share cybersecurity information to
improve their defences. But few do, except perhaps as secret squirrels
within their own closed industry groups.

In the past, I've been highly sceptical about whether all this cyber
collaboration talk would ever become cyber action. ANU has now set the
example. Who will follow?


More information about the BreachExchange mailing list