AUSTRALIAN UNIVERSITIES UNDER ATTACK

A Macquarie University CiLab - PACE Project Cyber Threat Report

CYBER INTELLIGENCE LAB 2020 | DECEMBER


BACKGROUND

The Australian higher education sector is increasingly vulnerable to cyber attacks as it embraces digital transformation in the storage of vast amounts of personal information, academic research, intellectual property and innovative technology.

The Australian National University (ANU) cyber-attack of 2018 served as a wake-up call for many in the education sector, when a suspected state-sponsored actor accessed the sensitive personal information of 200,000 alumni, current students and employees, exfiltrating data such as names, addresses, passports and bank account details. Potentially, the information gained could have been used to recruit or blackmail future sources, or even to surveil critics.

At the time, the ANU hack prompted several universities to re-evaluate the risks posed by cyber threat actors globally. As cybercrime groups continuously evolve and improve their technologies, Australian universities need to ensure they do not lag behind in updating their security procedures and protective measures to prevent future attacks on their infrastructure.

This report, presented by the Macquarie University Cyber Intelligence Lab (CiLab), has identified five cyber threat actors who pose varying levels of threat to Australian universities.

A number of observations emerged across the investigations of different attacks:

- Spear-phishing attacks using social engineering to exploit human error are the backbone of cyber operations across all threat actors;
- There is some degree of commonality between threat actors from China such as Winnti and Double Dragon, as they shared malware and attack styles from previous operations; and
- The politically-motivated state and state-sponsored actors tend to be more sophisticated and targeted in their attacks, whereas independent cybercriminal groups such as the Mabna Institute and NetWalker are generally more indiscriminate and less sophisticated.

Australian universities should be aware of and anticipate potential cyber intrusions from the threat actors identified in the following pages, each possessing different motivations and skill sets.


MABNA INSTITUTE

NAMES: Mabna Institute; Cobalt Dickens; Silent Librarian; TA407
ATTRIBUTION: Government of the Islamic Republic of Iran; Islamic Revolutionary Guard Corps (IRGC)
TARGET: Higher Education
MOTIVE: Financial

OVERVIEW

The Mabna Institute is an Iranian company formed in 2013. According to Secureworks' Counter Threat Unit Research Team, the Institute has targeted at least 380 universities from over 30 countries.

This data comprises 20 Australian universities, including every institution from the 'Group of Eight', with Monash University being by far the most heavily attacked. Many of these universities are heavily involved in academic research and in producing intellectual property, which makes them a valuable target.

Between 2013 and 2017, the Mabna Institute is believed to have stolen 31 terabytes of data worth US$3.4 billion in the higher education sector. Nine members of the Institute were charged by the US Department of Justice in 2018, though it did little to deter further attacks.


TECHNICAL MEANS

The Mabna Institute utilises relatively straightforward cyber intrusion pathways in a professional manner.

They use phishing emails, often imitating library staff, asking victims to follow a URL to a spoofed login page. These login pages are highly accurate, often using publicised maintenance notices and alerts to add to their authenticity.

Victims are redirected to the legitimate university site after entering their login credentials into the spoofed site. According to the Proofpoint Threat Insight Team, compromised accounts are then used to send further phishing emails as well as to access academic data.

Stolen academic data is then sold on to the Iranian Government as well as universities and companies. This tactic has changed little due to its relatively high success rate.

The Mabna Institute uses publicly available tools such as SingleFile and HTTrack Website Copier, as well as URL shorteners and free domains.

Figure 1 Mabna Institute Methodology (Secureworks 2020)

Figure 2 Australian Universities attacked by Mabna Institute 2013 - 2018, by Indicators of Compromise (Data source: AlienVault)

RED APOLLO

NAMES: Red Apollo; APT10; Stone Panda; MenuPass
ATTRIBUTION: A state-sponsored threat actor based in China with links to the Chinese Ministry of State Security
TARGETS: Higher Education; Corporations; Health; Public Sector
MOTIVE: Political

OVERVIEW

Red Apollo was first noticed in 2009. Their activity has been detected on six continents, but particularly in Australia, Japan and the United States (PwC; BAE Systems).

Their campaign known as 'Operation Cloud Hopper' targeted managed IT service providers (MSPs) and included a sub-campaign aimed at Meiji University as well as Tokyo University.

Red Apollo operates according to political objectives and initiatives like the 'Made in China 2025' plan. The aim is to access and collect sensitive data and intellectual property. They also engage broadly in cyber espionage.


TECHNICAL MEANS

Spear-phishing is primarily used, based on significant prior intelligence collection on targets. This indicates some level of sophistication in their operations.

For example, spear-phishing emails to Japanese universities titled 'Scientific Research Grant Program' included a compromised zip file containing ChChes malware.

They use spoofed domains similar to those of legitimate organisations, such as 'u-tokyo-ac-jp[.]com' instead of 'u-tokyo.ac.jp' for Tokyo University.

Attacks have been limited to Japanese universities, mitigating the Red Apollo threat to Australian universities. However, cyber espionage activities attributed to Red Apollo have been detected in Australia according to PwC & BAE Systems.

Red Apollo is known to use Quasar as malware, in addition to Haymaker, Bugjuice and Snugride, to disrupt systems according to FireEye iSIGHT Intelligence (2017). Once the group gains access, they collect data and move it to infrastructure they control.

Figure 3 Red Apollo methodology (PwC & BAE Systems 2017)
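As an added example (not part of the CiLab report), the following Python flags lookalike domains of the kind described above, where the separators of a real university domain are rearranged so that 'u-tokyo-ac-jp[.]com' imitates 'u-tokyo.ac.jp'; it also catches the real name embedded in a free or throwaway domain, the pattern noted for the Mabna Institute. The protected-domain list and the sample links are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed list of legitimate domains that a university mail gateway would
# protect; values are examples for this demonstration only.
LEGIT_DOMAINS = ["u-tokyo.ac.jp", "mq.edu.au", "anu.edu.au"]

_SEPARATORS = re.compile(r"[.\-_]")


def refang(text):
    """Turn defanged notation such as 'example[.]com' back into a real name."""
    return text.strip().lower().replace("[.]", ".").replace("(.)", ".")


def squash(domain):
    """Collapse separators so that 'u-tokyo-ac-jp.com' and 'u-tokyo.ac.jp'
    expose the same core string 'utokyoacjp' for comparison."""
    return _SEPARATORS.sub("", domain)


def edit_distance(a, b):
    """Plain Levenshtein distance; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate):
    """Return the legitimate domain that `candidate` imitates, or None when the
    candidate is a genuine domain (or subdomain) or resembles none of them."""
    cand = refang(candidate)
    for legit in LEGIT_DOMAINS:
        if cand == legit or cand.endswith("." + legit):
            return None
    core = squash(cand)
    for legit in LEGIT_DOMAINS:
        lcore = squash(legit)
        # Separator swapping ('u-tokyo-ac-jp.com') and embedding the real name
        # inside a free domain both leave the squashed core intact.
        if lcore in core or edit_distance(core, lcore) <= 1:
            return legit
    return None


def check_url(url):
    """Extract the host from a (possibly defanged) URL and classify it."""
    host = urlsplit(refang(url)).hostname or ""
    return host, lookalike_of(host)


# Constructed sample of links as they might appear in a phishing triage queue.
SAMPLE_LINKS = [
    "https://u-tokyo-ac-jp[.]com/grant/login",       # spoof quoted in the text
    "https://www.u-tokyo.ac.jp/en/",                  # genuine subdomain
    "https://mq-edu-au.free-host-example[.]net/sso",  # real name on a free domain
    "https://mq.edv.au/library/notice",               # one-character typosquat
    "https://example.org/",                           # unrelated
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host, target = check_url(link)
        print(f"{host:40} {'LOOKALIKE of ' + target if target else 'ok'}")
```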


WINNTI

NAMES: Winnti; Winnti Umbrella; Barium; Axiom
ATTRIBUTION: A state-sponsored hacker group with links to Chinese State Intelligence
TARGETS: Higher Education; Gaming; Technology; Software
MOTIVES: Political; Financial

OVERVIEW

First identified in a Kaspersky report, the Winnti Group is both a hacker group and a type of malware. Winnti began conducting attacks on gaming companies in 2013 and by 2019 had shifted their focus to the education sector.

Winnti infiltrated two Hong Kong universities at the height of the Hong Kong independence protests. Although the type of information stolen remains unclear, the goal was to disrupt pro-democracy protests conducted by students who attended the universities, and was politically motivated on behalf of the Chinese government according to ESET (2020).


TECHNICAL MEANS

Winnti have been associated with multiple hacker groups such as LEAD, Axiom, BARIUM and Wicked Panda due to similar malware, resources, infrastructure, and suspected backing by the Chinese government. However, the exact nature of the shared infrastructure and shared resources between these groups is currently unclear.

Winnti aims to gain access to the host network through phishing emails, then uses trojan horse malware such as Cobalt Strike to infect the network. Once the host network is infected, Winnti uses legitimate software to gain further access, lowering the chances of being detected.

Winnti has also been known to move laterally from one network to another in cases where one infected network has access to other networks, such as a parent organisation.

Lastly, they utilise backdoor platforms such as ShadowPad to provide easy access upon re-entering the host network.

Winnti's threat to Australian universities is mainly attributed to the fact that they are very sophisticated and their target sectors now include higher education. Moreover, the threat is compounded by the large amount of resources at Winnti's disposal due to the sharing of infrastructure and resources within the group.

Figure 4 Winnti Methodology


DOUBLE DRAGON

NAMES: Double Dragon; APT41
ATTRIBUTION: Chinese state-sponsored cyber espionage and cybercrime group
TARGETS: Higher Education; Energy; Finance; Healthcare; High Tech; Media; Pharmaceutical; Video Games
MOTIVES: Espionage; Financial

OVERVIEW

According to FireEye, Double Dragon is a Chinese state-sponsored cyber espionage and cybercrime group. Evidence from Chinese internet forums has shown that users who are linked to Double Dragon also advertise their hacking services outside of office hours.

This leads us to conclude that members of this group are working two jobs, supporting the assumption that Double Dragon is made up of regular citizens with excellent programming skills. These skills are then leveraged by the Chinese government.


TECHNICAL MEANS

Double Dragon began targeting the video game industry with ransomware in 2012, and have since dramatically built up the number of sectors they target.

Advanced spear-phishing emails are initially used to gain access to targeted systems, and then sophisticated malware is deployed to stay hidden in the system and collect data.

Espionage conducted by Double Dragon is likely to be motivated by information gain from multiple industries, in order to support China's 'Made In China 2025' plan, a strategy aimed at transforming the country into a manufacturing superpower for next-generation technology.

Figure 5 Double Dragon industry targets 2012 - 2019 (FireEye 2019)


NETWALKER

NAMES: NetWalker; Mailto
ATTRIBUTION: Cybercrime group based in Russia
TARGETS: Higher Education; Healthcare; Legal; Government; Global Businesses; Corporations
MOTIVE: Financial

OVERVIEW

Discovered in 2019, NetWalker is a cybercriminal group that uses their own branded malware to infiltrate networks, hold victims to ransom and demand payment. There is no evidence of state sponsorship by Russia.

While NetWalker do conduct their own attacks, they have also recently expanded their services to include a ransomware-as-a-service (RaaS) model.

Among several US universities in 2020 alone, NetWalker successfully attacked the University of California, which paid US$1.14 million in ransom (Tidy 2020), and the University of Utah, which paid US$457,059 (Cimpanu 2020).


TECHNICAL MEANS

NetWalker malware gains initial access to systems through spear-phishing emails with malicious attachments and trojanised applications, compromised accounts or large-scale network intrusions.

NetWalker have used post-exploitation toolkits, fileless delivery and 'living off the land' tactics (legitimate software) to make their ransomware both more effective and more difficult to detect.

Recent attacks have delivered the ransomware payload through reflective dynamic-link library injection, specifically through a PowerShell loader.

The script is buried within various layers of encryption, and the ransomware runs code directly in memory without being stored on disk, shielding it from antivirus detection.

In January 2020, Australian transportation and logistics company Toll Group was compromised. NetWalker left a backdoor that was used in March by another criminal affiliate called Nefilim, which led to 200GB of Toll Group's files being released on the dark web. Other Australian businesses attacked in 2020 include customer experience firm Stellar (May), and design firm Tandem Corp and lighting company Jands (both September).

Figure 6 NetWalker Victim Journey

NetWalker Targeting Australian Businesses


THREAT REVIEW

The threat to Australian universities is significant considering NetWalker's sophisticated technical abilities and their interest in the education sector and Australian businesses.

This is supported by the Australian Signals Directorate in 2020, who singled out universities to be on high alert for NetWalker.

It remains difficult to tell whether specific attacks are driven by NetWalker themselves or RaaS affiliates, and how deeply NetWalker is linked with other criminal ransomware groups.

Figure 7 NetWalker University attacks 2020

CLOSING REMARKS

In light of past attacks on educational institutions both domestic and foreign, academia must prioritise the protection of sensitive personal data, academic research, intellectual property as well as other important functions and services of Australian universities.

Cyber threat actors, including those not featured in this report, have seen significant growth in activity in recent years. The field continues to be highly dynamic, and further research will be needed to identify and assess these threats as they evolve.


AUTHORS

This report was prepared in collaboration with:

CiLab Master Interns: Amanta Cotan (Leader), Andreane Laurin, Priandhini Triana Asih

PACE Team Members: Cooper Anderson, Arad Behdarvand, Andrew Cameron, Talia Chalita, Celine Dimaano, Hayden Fergusson, Cameron Lawrence, Danielle Le Large (Leader), Matthew Le Guay, Megan Megevand, Wyatt Mola (Leader)

Academic Mentors: Stephen McCombie, Fred Smith, Allon Uhlmann


BIBLIOGRAPHY

AlienVault n.d., ‘Adversary: Silent Librarian’, accessed 13 August 2020, <https://otx.alienvault.com/adversary/Silent%20Librarian>.

Australian National University 2019, Incident report on the breach of the Australian National University's administrative systems, accessed 13 August 2020, <https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf>.

Australian Signals Directorate 2020, 2020-003: Mailto ransomware incidents, Australian Signals Directorate, Canberra, accessed 1 October 2020, <https://www.cyber.gov.au/acsc/view-all-content/alerts/2020-003-mailto-ransomware-incidents>.

Bongiovanni, I & Renaud, K 2020, ‘Universities are a juicy prize for cyber criminals. Here are 5 ways to improve their defences’, The Conversation, 8 September, accessed 16 October 2020, <https://theconversation.com/universities-are-a-juicy-prize-for-cyber-criminals-here-are-5-ways-to-improve-their-defences-144859>.

Challis, N 2019, ‘ANU data breach stretching back 19 years detected’, ABC News, 4 June, accessed 17 October 2020, <https://www.abc.net.au/news/2019-06-04/anu-data-hack-bank-records-personal-information/11176788>.

Cimpanu, C 2020, ‘University of Utah pays $457,000 to ransomware gang’, ZDNet, 21 August, accessed 1 October 2020, <https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/>.

Council on Foreign Relations n.d., Winnti Umbrella, CFR, accessed 12 October 2020, <https://www.cfr.org/cyber-operations/winnti-umbrella>.

Counter Threat Unit Research Team 2019, Cobalt Dickens goes back to school...again, Secureworks, accessed 11 August 2020, <https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again>.

ESET 2020, Amid student protests, Winnti Group targets Hong Kong universities, ESET discovers, ESET, viewed 25 October 2020, <https://www.eset.com/int/about/newsroom/press-releases/research/amid-student-protests-winnti-group-targets-hong-kong-universities-eset-discovers-1/>.

Federal Bureau of Investigation 2018, Nine Iranians charged in massive hacking campaign on behalf of Iran government, FBI, accessed 20 October 2020, <https://www.fbi.gov/news/stories/nine-iranians-charged-in-hacking-scheme-032318>.


FireEye 2019, Double Dragon, APT41, a dual espionage and cyber crime operation, FireEye, accessed 27 August 2020, <https://content.fireeye.com/apt-41/rpt-apt41/>.

FireEye iSIGHT Intelligence 2017, APT10 (Menupass Group): New tools, global campaign latest manifestation of longstanding threat, FireEye, accessed 1 October 2020, <https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html>.

Freed, B 2020, ‘Michigan State hit by ransomware threatening leak of student and financial data’, EDScoop, 27 May, accessed 1 October 2020, <https://edscoop.com/michigan-state-hit-by-ransomware-threatening-leak-of-student-and-financial-data/>.

Gordon, D 2020, ‘What even is Winnti?’, Risky Business, accessed 14 October 2020, <https://risky.biz/whatiswinnti/>.

Hassold, C 2018, ‘Silent Librarian: More to the story of the Iranian Mabna Institute indictment’, PhishLabs, 26 March, accessed 2 October 2020, <https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment>.

Hegel, T 2018, ‘Burning umbrella: An intelligence report on the Winnti Umbrella and associated state sponsored attackers’, ProtectWise 401TRG, 3 May, accessed 14 October 2020, <https://401trg.com/burning-umbrella/>.

Hellard, B 2020, ‘‘NetWalker’ ransomware explodes thanks to ‘as a service’ expansion’, ITPro, 4 September, accessed 28 September 2020, <https://www.itpro.co.uk/security/ransomware/356999/netwalker-ransomware-has-raked-in-29m-since-march>.

Hurst, D 2020, ‘Cyber-attack Australia: sophisticated attacks from ‘state-based actor’, PM says’, The Guardian, 19 June, accessed 28 August 2020, <https://www.theguardian.com/australia-news/2020/jun/19/australia-cyber-attack-attacks-hack-state-based-actor-says-australian-prime-minister-scott-morrison>.

Ilascu, I 2020, ‘Chinese malware used in attacks against Australian orgs’, Bleeping Computer, 28 June, accessed 23 September 2020, <https://www.bleepingcomputer.com/news/security/chinese-malware-used-in-attacks-against-australian-orgs/>.

Kaspersky Lab Global Research and Analysis Team 2013, Winnti: More than just a game, Kaspersky Lab, accessed 2 October 2020, <https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf>.


Macquarie University 2015, Privacy management plan, Macquarie University, accessed 17 October 2020, <https://www.mq.edu.au/__data/assets/pdf_file/0010/7597/Draft-Revised-MQ-Privacy-Planv3.4.pdf>.

Macquarie University 2018, Cancer, Macquarie University, accessed 1 October 2020, <https://www.mq.edu.au/about/about-the-university/faculties-and-departments/medicine-and-health-sciences/our-research/cancer>.

Macquarie University n.d., MQCQE, Macquarie University, accessed 1 October 2020, <https://www.mq.edu.au/research/research-centres-groups-and-facilities/innovative-technologies/centres/mqcqe>.

McGowan, M 2020, ‘China behind massive Australian National University hack, intelligence officials say’, The Guardian, 6 June, accessed 2 October 2020, <https://www.theguardian.com/australia-news/2019/jun/06/china-behind-massive-australian-national-university-hack-intelligence-officials-say>.

Nichols, S 2020, ‘China's Winnti hackers (apparently): Forget the money, let's get political and start targeting Hong Kong students for protest info’, The Register, accessed 14 October 2020, <https://www.theregister.com/2020/01/31/winnti_hackers_students>.

Polidori, K & Devereaux, M 2020, ‘Breaking: Columbia student information at risk in ransomware attack’, The Columbia Chronicle, 5 June, accessed 1 October 2020, <https://columbiachronicle.com/breaking-columbia-student-information-at-risk-in-ransomware-attack>.

ProofPoint Threat Insight Team 2019, ‘Threat actor profile: TA407, the Silent Librarian’, ProofPoint, web log post, 14 October, accessed 18 October 2020, <https://www.proofpoint.com/au/threat-insight/post/threat-actor-profile-ta407-silent-librarian>.

PwC & BAE Systems 2017, Operation Cloud Hopper, PwC, accessed 29 September 2020, <https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf>.

QS World University Rankings 2020, World research ranking universities, QS World Ranking, accessed 20 October 2020, <https://www.topuniversities.com/university-rankings/university-subject-rankings/2019/statistics-operational-research#:~:text=QS%20World%20University%20Rankings%20by%20Subject%202019%3A%20Statistics%20%26%20Operational%20Research&text=The%20same%20three%20US%20universities,Harvard%20University%20and%20Stanford%20University>.

Samtani, S, Chinn, R, Chen, H & Nunamaker, JF 2017, ‘Exploring emerging hacker assets and key hackers for proactive cyber threat intelligence’, Journal of Management Information Systems, vol. 34, no. 4, pp. 1023-1053.


Seals, T 2020, ‘NetWalker ransomware gang hunts for top-notch affiliates’, ThreatPost, 20 May, accessed 28 September, <https://threatpost.com/netwalker-ransomware-gang-top-notch-affiliates/155946/>.

Security Affairs 2019, Iran-linked group Cobalt Dickens hit over 60 universities worldwide, Security Affairs, accessed 16 October 2020, <https://securityaffairs.co/wordpress/91157/apt/cobalt-dickens-targets-universities.html>.

Seret, T, Mairet, V, Sman, J, Alvarado, A, Jux, T, Mundo, A, Fokker, J, Lopez, M & Roccia, T 2020, Take a “NetWalk” on the wild side, McAfee, accessed 25 September 2020, <https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side>.

Tidy, J 2020, ‘How hackers extorted $1.14m from University of California, San Francisco’, BBC News, 29 June, accessed 1 October 2020, <https://www.bbc.com/news/technology-53214783>.

Tonkin, C 2020, ‘Toll Group recovers after ransomware attack’, Information Age, 6 February, accessed 1 October 2020, <https://ia.acs.org.au/article/2020/toll-group-recovers-after-ransomware-attack.html>.

Tsing, W 2019, ‘The advanced persistent threat files: APT1’, Malwarebytes, 16 January, accessed 18 October 2020, <https://blog.malwarebytes.com/cybercrime/2019/01/advanced-persistent-threat-files-apt10/>.

Varghese, S 2020, ‘Australian firm Tandem Corp hit by Windows NetWalker ransomware’, ITWire, 2 September, accessed 5 September 2020, <https://www.itwire.com/security/australian-firm-tandem-corp-hit-by-windows-netwalker-ransomware.html>.

Victor, K 2020, ‘Reflective loading runs NetWalker fileless ransomware’, TrendMicro, 18 May, accessed 1 October 2020, <www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html>.

Walter, J 2020, ‘NetWalker ransomware: no respite, no English required’, SentinelLabs, 4 June, accessed 1 October 2020, <https://labs.sentinelone.com/netwalker-ransomware-no-respite-no-english-required/>.

Wroe, D 2019, ‘China ‘behind’ huge ANU hack amid fears government employees could be compromised’, The Sydney Morning Herald, 5 June, accessed 6 October 2020, <https://www.smh.com.au/politics/federal/china-behind-huge-anu-hack-amid-fears-government-employees-could-be-compromised-20190605-p51uro.html>.
