On December 21, 2018 the IT department of the Australian National University (ANU) detected unusual behavior on its network. Upon investigation they discovered a compromised workstation on campus was being used as a command and control (C&C) server by a cyber criminal. They immediately shut down the workstation and severed the attackers access to the network. They thought that it was an isolated incident. They were wrong.

By the time the C&C server was discovered, the attacker had already been in the network for over a month collecting login credentials, compromising servers and stealing financial and personal data. The attack which began with a successful phishing attempt, was stopped when the C&C server was discovered, however the hacker continued to attempt to infiltrate the network using the information they had collected until March 2019.

ANU has very courageously shared their story so that all of us could learn from it. Here is a step by step break down of the attack.

1. Spear phishing email with an attachment is sent to a senior staff member. The email has a plausible premise for contact and looks like it is coming from within the University. The email results in the collection of the targets login credentials. 
2. Login credentials are used to access the senior staff members calendar. Information for future spear phishing attacks is collected.
3. Login credentials are used to access a webserver. The attacker sets up remote access on this server. This allows them to access the server without having to continue to use the stolen credentials as well as gives them the ability to access other devices connected to the server.
4. An old, no longer used server is accessed from the compromised webserver using the stolen credentials. The credentials do not allow administrative access to this legacy server limiting what the hacker can access. 
5. The hacker finds flaws in the system and uses them to elevate their privileges, giving them full administrative access and control over the legacy server.
6. The attacker locates and compromises a second webserver. 
7. The second compromised webserver is used to download tools and scripts that are then installed on the legacy server. The legacy server becomes their command and control server. The tools downloaded are used to map the network and automatically delete logs so their presence wouldn’t be detected. 
8. The hacker creates a virtual machine on the second compromised webserver that scans monitored or redirected network traffic looking for additional login credentials.
9. An old outdated school workstation with a publicly routable IP address located outside of the University’s firewall  is compromised through a remote desktop. 
10. The attacker uses an old mail server to send emails from the University. These emails likely contained network mapping, user and machine data.
11. An encrypted connection designed to hide traffic between the hackers computer and the University’s network is established
12. The hacker begins intercepting data being transferred on the network and analyzing it.  At this point, the attacker still does not have the level of network access that they are looking for as their stolen credentials don’t have the right permissions and they are only able to escalate them on an old server. Even with all of the work they have done, they are not able to move beyond a few compromised systems.
13. A second spear phishing email is sent to one external and 10 internal email addresses. Only one login credential is stolen with limited privileges.
14. This login is not enough to gain access to the desired servers. The hacker continues to look for additional credentials in the network traffic.
15. The attacker gains access to file shares with found credentials. They focus on the ones storing finance and HR related files. 
16. Using the file share information the hacker tracks down the database servers but is unable to immediately gain access.
17. The hacker uses password cracking tools to gain access to the database servers and then uses a commercial tool to search and extract database records from the database server.
18. Database records are sent to the old compromised workstation and then outside of the university network.
19. The attacker attempts to disable the email spam filters.
20. The attacker sends out 50 spear phishing emails to University email addresses and 25 to emails outside of the University. They are able to steal credentials with administrator level access. It is at this point that ANU changed their firewall as part of their routine maintenance. This cut the hacker off from the legacy server and they lost access to their control and command server.
21. After two weeks the hacker is able to compromise a machine running an old operating system, access the network again and set up a second control and command server. This machine is outside of the firewall and using publicly routed IP addresses.
22. The attacker sends 40 spear phishing emails to ANU staff with privileged accounts. The emails contain information from the calendar breached after the first spear phishing attack. Several login credentials are obtained.
23. ANU staff detect unusual activity on the network and take down the second control and command server. IT staff think this is an isolated incident.
24. Repeated attempts to regain access to the ANU network and database are made and stopped.
25. ANU publicly announces that they have had a breach.
26. Within an hour the network was hit with a botnet attack that was stopped by ANU.
27. The following night an attempted attack against the spam filter and mail gateway was unsuccessful.
28. ANU continues to investigate the repeated attempts to access their database.that occurred after the detection of the breach.

What can we learn from this? A few things stand out.

• This started with one phishing email.
• The people who received the phishing emails had no idea their login credentials were stolen.
• Even though the stolen credentials did not give the attacker the access they wanted, they were able to use vulnerabilities in the systems to escalate their privileges and gain greater access.
• Old machines that were no longer updated or maintained were compromised using known vulnerabilities.

To sum it all up,  that phishing email that arrives in your inbox is usually just the beginning of a planned, concentrated and persistent effort to access your data.  This effort often starts by quietly stealing your login credentials. When they can’t convince you to give them their credentials, they will use password cracking tools to gain access. They can leverage known vulnerabilities in old systems to gain further access. These tactics along with others allows hackers to spend weeks collecting information off of a network without anyone noticing. This information is then used to carry out more attacks or is sold.

You can prevent this from happening just by stopping and thinking before you click, keeping your software updated, having a strong password and reporting suspicious emails to abuse@mtroyal.ca. Let’s be safe out there!