Australian Universities Under Attack

Cyber Threat Report

AUSTRALIAN UNIVERSITIES UNDER ATTACK

A Macquarie University CiLab - PACE Project

2020 | DECEMBER CYBER INTELLIGENCE LAB 2018 | MARCH MEMPHIS SOLUTIONS BACKGROUND The Australian higher education sector is increasingly vulnerable to cyber attacks as it embraces digital transformation in the storage of vast amount of personal information, academic research, intellectual property and innovative technology.

The Australian National University (ANU) cyber-attack of 2018 served as a wake-up call for many in the education sector, when a suspected state- sponsored actor accessed the sensitive personal information of 200,000 alumni, current students and employees, exfiltrating data such as names, addresses, passports and bank account details. Potentially, the information gained could have been used to recruit/blackmail future sources or even surveil critics.

At the time, the ANU hack prompted several universities to re-evaluate the risks posed by cyber threat actors globally. As cybercrime groups continuously evolve and improve on their technologies, Australian universities need to ensure they do not lag behind in updating their security procedures and protective measures to prevent future attacks on their infrastructure.

This report, presented by the Macquarie University Cyber Intelligence Lab (CiLab), has identified five cyber threat actors who pose varying levels of threat to Australian universities.

A number of observations emerged across the investigations of different attacks:

Spear-phishing attacks using social engineering to exploit human error are the backbone of cyber operations across all threat actors;

There is some degree of commonality between threat actors from China such as Winnti and Double Dragon as they shared malware and attack styles from previous operations; and

The politically-motivated state and state-sponsored actors tend to be more sophisticated and targeted in their attacks, whereas independent cybercriminal groups such as the Mabna Institute and NetWalker are generally more indiscriminate and less sophisticated.

Australian universities should be aware and anticipate potential cyber intrusions from the threat actors identified in the next pages, each possessing different motivations and skill sets.

2020 | DECEMBER 2 CYBER INTELLIGENCE LAB MABNA INSTITUTE

NAMES Mabna Institute Cobalt Dickens Silent Librarian TA407

ATTRIBUTION Government of the Islamic Republic of Iran Islamic Revolutionary Guard Corps (IRGC)

TARGET Higher Education

MOTIVE Financial

OVERVIEW The Mabna Institute is an Iranian company formed in 2013. According to Secureworks' Counter Threat Unit Research Team, the Institute has targeted at least 380 universities from over 30 countries.

This data comprises 20 Australian universities, including every institution from the 'Group of Eight', with Monash University being by far the most heavily attacked. Many of these universities are heavily involved in academic research and in producing intellectual property, which makes them a valuable target.

Between 2013 and 2017, the Mabna Institute is believed to have stolen 31 terabytes of data worth US$3.4 billion in the higher education sector. Nine members of the Institute were charged by the US Department of Justice in 2018, though it did little to deter further attacks.

2020 | DECEMBER 3 CYBER INTELLIGENCE LAB 2018 | MARCH MEMPHIS SOLUTIONS The Mabna Institute utilises relatively TECHNICAL straightforward cyber intrusion pathways in a professional manner. MEANS They use phishing emails, often imitating library staff, asking victims to follow a URL to a spoofed login page. These login pages are highly accurate, often using publicised maintenance notices and alerts to add to their authenticity.

Victims are redirected to the legitimate university site after entering their login credentials into the spoofed site. According to the Proofpoint Threat Insight Team, compromised accounts are then used to send further phishing emails as well as access academic data.

Figure 1 Mabna Institute Methodology Secureworks 2020

Stolen academic data is then sold on to the Iranian Government as well as universities and companies. This tactic has changed little due to its relatively high success rate.

The Mabna Institute uses publicly available tools such as SingleFile and HTTrack Website Copier as well as URL shorteners and free domains.

Figure 2. Australian Universities attacked by Mabna Institute 2013 - 2018 by Indicators of Compromise

Figure 2 Data Source: Alien Vault RED APOLLO

NAMES Red Apollo APT10 Stone Panda MenuPas

ATTRIBUTION A state-sponsored threat actor based in China with links to Chinese Ministry of State Security

TARGETS Higher Education Corporations Health Public Sector MOTIVE Political

OVERVIEW Red Apollo was first noticed in 2009. Their activity has been detected on six continents, but particularly in Australia, Japan and the United States (PwC; Bae Systems).

Their campaign known as 'Operation Cloud Hopper' targeted managed IT service providers (MSPs) and included a sub-campaign aimed at Meiji University as well as Tokyo University.

Red Apollo operates according to political objectives and initiatives like the 'Made in China 2025' plan. The aim is to access and collect sensitive data and intellectual property. They also engage broadly in cyber espionage.

2020 | DECEMBER 5 CYBER INTELLIGENCE LAB 2018 | MARCH MEMPHIS SOLUTIONS Spear-phishing is primarily used, based on TECHNICAL significant prior intelligence collection on targets. This indicates some level of sophistication in their MEANS operations. For example, spear-phishing emails to Japanese universities titled 'Scientific Research Grant Program' included a compromised zip file containing a ChChes malware.

They use spoofed domains similar to legitimate organisations such as: 'u tokyo-ac-jp[.]com' instead of 'u-tokyo.ac.jp' for Tokyo University.

Figure 3 Red Apollo methodology PwC & BAE Systems 2017

Red Apollo is known to use Quasar as a malware in addition to Haymaker, Bugjuice and Snugride to disrupt systems according to FireEye iSIGHT Intelligence (2017). Once the group gains access, they collect data and move it to infrastructure they control.

Attacks have been limited to Japanese universities mitigating the Red Apollo threat to Australian Universities. However, cyber espionage activities attributed to Red Apollo have been detected in Australia according to PwC & BAE Systems.

2020 | DECEMBER 6 CYBER INTELLIGENCE LAB WINNTI

NAMES Winnti Winnti Umbrella Barium Axiom

ATTRIBUTION A state-sponsored hacker group with links to Chinese State Intelligence

TARGETS Higher Education Gaming Technology Software

MOTIVES Political Financial

OVERVIEW First identified in a Kaspersky report, the Winnti Group is both a hacker group and a type of malware. Winnti began conducting attacks on gaming companies in 2013 and by 2019, subsequently shifted their focus to the education sector.

Winnti infiltrated two Hong Kong universities at the height of the Hong Kong independence protests. Although the type of information stolen remains unclear, the goal was to disrupt pro-democracy protests conducted by students who attended the universities, and was politically motivated on behalf of the Chinese government according to ESET (2020).

2020 | DECEMBER 7 CYBER INTELLIGENCE LAB 2018 | MARCH MEMPHIS SOLUTIONS Winnti have been associated with multiple hacker TECHNICAL groups such as LEAD, Axiom, BARIUM and Wicked Panda due to similar malware, resources, MEANS infrastructure, and suspected backing by the Chinese government. However, the exact nature of the shared infrastructure and shared resources between these groups is currently unclear.

Winnti aims to gain access to the host network through phishing emails, then uses trojan horse malware such as Cobalt Strike to infect the network. Once the host network is infected, Winnti uses legitimate software to gain further access, lowering the chances of being detected.

Figure 4 Winnti Methodology

Winnti has also been known to move laterally from one network to another in cases where one infected network has access to other networks, such as a parent organisation.

Lastly, they utilise backdoor platforms such as Shadowpad to provide easy access upon re-entering the host network.

Winnti’s threat to Australian universities is mainly attributed to the fact that they are very sophisticated and their target sectors now include higher education. Moreover, the threat is compounded by the large amount of resources at Winnti’s disposal due to the sharing of infrastructure and resources within the group.

2020 | DECEMBER 8 CYBER INTELLIGENCE LAB DOUBLE DRAGON

NAMES Double Dragon APT4

ATTRIBUTION Chinese state-sponsored cyber espionage and cybercrime group

TARGETS Higher Education High Tech Energy Media Finance Pharmaceutical Healthcare Video Games

MOTIVES Espionage Financial

OVERVIEW According to FireEye, Double Dragon is a Chinese state-sponsored cyber espionage and cybercrime group. Evidence from Chinese internet forums has shown that users who are linked to Double Dragon also advertise their hacking services outside of office hours.

This leads us to conclude that members of this group are working two jobs, supporting the assumption that Double Dragon is made of regular citizens with excellent programming skills. These skills are then leveraged by the Chinese government.

2020 | DECEMBER 9 CYBER INTELLIGENCE LAB 2018 | MARCH MEMPHIS SOLUTIONS Double Dragon began targeting the video game TECHNICAL industry with ransomware in 2012, and have since dramatically built up the number of sectors MEANS they target. Advanced spear-phishing emails are initially used to gain access to targeted systems, and then sophisticated malware is deployed to stay hidden in the system and collect data.

Figure 5 Double Dragon industry targets 2012 - 2019, FireEye 2019

Espionage conducted by Double Dragon is likely to be motivated by information gain from multiple industries, in order to support China's 'Made In China 2025' plan, a strategy aimed at transforming the country into a manufacturing superpower for next-generation technology.

2020 | DECEMBER 10 CYBER INTELLIGENCE LAB NET WALKER

NAMES NetWalker Mailto

ATTRIBUTION Cybercrime group based in Russia

TARGETS Higher Education Government Healthcare Global Businesses Legal Corporations

MOTIVE Financial

OVERVIEW Discovered in 2019, NetWalker is a cybercriminal group that uses their own branded malware to infiltrate networks, hold victims to ransom and demand payment. There is no evidence of state-sponsorship by Russia.

While NetWalker do conduct their own attacks they also have recently expanded their services to include a ransomware-as-a service (RaaS) model.

Among several US universities in 2020 alone, NetWalker successfully attacked the University of California which paid US$1.14 million in ransom (Tidy 2020) and the University of Utah which paid US$457,059 (Cimpanu 2020).

2020 | DECEMBER 11 CYBER INTELLIGENCE LAB NetWalker malware gains initial access to TECHNICAL systems through spear-phishing emails with malicious attachments and trojanised MEANS applications, compromised accounts or large- scale network intrusions.

NetWalker have used post-exploit toolkits, fileless delivery and 'living off the land' tactics (legitimate software) to make their ransomware both more effective and more difficult to detect.

Recent attacks have delivered the ransomware payload through a reflective dynamic-link library injection, specifically through a PowerShell loader.

The script is buried within various layers of encryption, and the ransomware runs code directly in memory space without being stored onto the disk, shielding it from antivirus detection.

Figure 6 NetWalker Victim Journey

NetWalker Targetting Australian Businesses In January 2020, Australian transportation and logistics company Toll Group were compromised. NetWalker left a backdoor that was used in March by another criminal affiliate called Nefilim, and led to 200GB of Toll Group’s files being released on the dark web. Other Australian businesses attacked in 2020 include customer experience firm Stellar (May), design firm Tandem Corp and lighting company Jands (September respectively).

2020 | DECEMBER 12 CYBER INTELLIGENCE LAB The threat to Australian universities is significant THREAT considering NetWalker’s sophisticated technical abilities and their interest in the education sector REVIEW and Australian businesses. This is supported by the Australian Signals Directorate in 2020, who singled out universities to be on high alert for NetWalker.

It remains difficult to tell whether specific attacks are driven by NetWalker themselves or RaaS affiliates, and how deeply NetWalker is linked with other criminal ransomware groups.

Figure 7 NetWalker University attacks 2020

CLOSING REMARKS In light of past attacks on educational institutions both domestic and foreign, academia must prioritise the protection of sensitive personal data, academic research, intellectual property as well as other important functions and services of Australian universities.

Cyber threat actors, including those not featured in this report, have seen significant growth in activity in recent years. The field continues to be highly dynamic, and further research will be needed to identify and assess these threats as they evolve.

2020 | DECEMBER 13 CYBER INTELLIGENCE LAB AUTHORS This report was prepared in collaboration with:

CiLab Master Interns: Amanta Cotan (Leader) Andreane Laurin Priandhini Triana Asih

PACE Team Members: Cooper Anderson Arad Behdarvand Andrew Cameron Talia Chalita Celine Dimaano Hayden Fergusson Cameron Lawrence Danielle Le Large (Leader) Matthew Le Guay Megan Megevand Wyatt Mola (Leader)

Academic Mentors: Stephen McCombie Fred Smith Allon Uhlmann

2020 | DECEMBER 14 CYBER INTELLIGENCE LAB BIBLIOGRAPHY AlienVault n.d., ‘Adversary: Silent Librarian’, accessed 13 August 2020, .

Australian National University 2019, Incident report on the breach of the Australian National University's administrative systems, accessed 13 August 2020, .

Australian Signals Directorate 2020, 2020-003: Mailto ransomware incidents, Australian Signals Directorate, Canberra, accessed 1 October 2020, .

Bongiovanni, I & Renaud, K 2020, ‘Universities are a juicy prize for cyber criminals. Here are 5 Ways to improve their defences’, The Conversation, 8 September, accessed 16 October 2020 .

Challis, N 2019, ‘ANU data breach stretching back 19 years detected’, ABC News, 4 June, accessed 17 October 2020, .

Cimpanu, C 2020, ‘University of Utah pays $457,000 to ransomware gang’, ZDNet, 21 August, accessed 1 October 2020, .

Council on Foreign Relations n.d., Winnti Umbrella, CFR, accessed 12 October 2020, .

Counter Threat Unit Research Team 2019, Cobalt Dickens goes back to school...again, Secureworks, accessed 11 August 2020, .

ESET 2020, Amid student protests, Winnti Group targets Hong Kong universities, ESET discovers, ESET, viewed 25 October 2020, .

Federal Bureau of Investigation 2018, Nine Iranians charged in massive hacking campaign on behalf of Iran government, FBI, accessed 20 October 2020, .

2020 | DECEMBER 15 CYBER INTELLIGENCE LAB BIBLIOGRAPHY CONT. FireEye 2019, Double Dragon, APT41, a dual espionage and cyber crime operation, FireEye, accessed 27 August 2020, .

FireEye iSIGHT Intelligence 2017, APT10 (Menupass Group): New tools, global campaign latest manifestation of longstanding threat, FireEye, accessed 1 October 2020, .

Freed, B 2020, ‘Michigan State hit by ransomware threatening leak of student and financial data’, EDScoop, 27 May, accessed 1 October 2020, .

Gordon, D 2020, ‘What even is Winnti?’ Risky Business, accessed 14 October 2020, .

Hassold, C 2018, ‘Silent librarian: More to the story of the Iranian Mabna Institute indictment’, Phishlabs, 26 March, accessed 2 October 2020, .

Hegel, T 2018, ‘Burning umbrella: An intelligence report on the Winnti Umbrella and associated state sponsored attackers’, Protectwise 401TRG, 3 May, accessed 14 October 2020, .

Hellard, B 2020, ‘‘NetWalker’ ransomware explodes thanks to ‘as a service’ expansion’, ITPro, 4 September, accessed 28 September 2020, .

Hurst, D 2020, ‘Cyber-attack Australia: sophisticated attacks from ‘state-based actor’, PM says’, The Guardian, 19 June, accessed 28 August 2020, .

Ilascu, I 2020, ‘Chinese malware used in attacks against Australian orgs’, Bleeping Computer, June 28, accessed 23 September 2020, .

Kaspersky Lab Global Research and Analysis Team 2013, ‘Winnti’ more than just a game, Kaspersky Lab, accessed 2 October 2020 .

2020 | DECEMBER 16 CYBER INTELLIGENCE LAB BIBLIOGRAPHY CONT. Macquarie University 2015, Privacy management plan, Macquarie University, accessed 17 October 2020, .

Macquarie University 2018, Cancer, Macquarie University, accessed 1 October 2020, .

Macquarie University n.d., MQCQE, Macquarie University, accessed 1 October 2020, .

McGowan, M 2020, ‘China behind massive Australian National University hack, intelligence officials say’, The Guardian, 6 June, accessed 2 October 2020, .

Nichols, S 2020, ‘China's Winnti hackers (apparently): Forget the money, let's get political and start targeting Hong Kong students for protest info’, The Register, accessed 14 October 2020, .

Polidori, K & Devereaux, M 2020, ‘Breaking: Columbia student information at risk in ransomware attack’, The Columbia Chronicle, 5 June, accessed 1 October 2020, .

ProofPoint Threat Insight Team 2019, ‘Threat actor profile: TA407, the Silent Librarian’, ProofPoint, web log post, 14 October, accessed 18 October 2020, .

PWC & Bae Systems 2017, Operation Cloud Hopper, PWC, accessed 29 September 2020, .

QS World University Rankings 2020, World research ranking universities, QS World Ranking, accessed 20 October 2020, .

Samtani, S, Chinn, R, Chen, H, & Nunamaker, JF 2017, ‘Exploring emerging hacker assets and key hackers for proactive cyber threat intelligence’, Journal of Management Information Systems, vol. 34, no. 4, pp.1023-1053.

2020 | DECEMBER 17 CYBER INTELLIGENCE LAB BIBLIOGRAPHY CONT. Seals, T 2020, ‘NetWalker ransomware gang hunts for top-notch affiliates’, ThreatPost, 20 May, accessed 28 September, .

Security Affairs, 2019, Iran-linked group Cobalt Dickens hit over 60 universities worldwide, Security Affairs, accessed 16 October 2020, .

Seret, T, Mairet, V, Sman, J, Alvarado, A, Jux, T, Mundo, A, Fokker, J, Lopez, M & Roccia, T 2020, Take a “NetWalk” on the wild side, McAfee, accessed 25 September 2020, .

Tidy, J 2020, ‘How hackers extorted $1.14m from University of California, San Francisco’, BBC News, 29 June, accessed 1 October 2020, .

Tonkin, C 2020, ‘Toll Group recovers after ransomware attack’, Information Age, 6 February, accessed 1 October 2020, .

Tsing, W 2019, ‘The advanced persistent threat files: APT1’, Malwarebytes, 16 January, accessed 18 October 2020 .

Varghese, S 2020, ‘Australian firm Tandem Corp hit by Windows NetWalker ransomware', ITWire, 2 September, accessed 5 September 2020, .

Victor, K 2020, ‘Reflective loading runs NetWalker fileless ransomware’, TrendMicro, 18 May, accessed 1 October 2020. .

Walter, J 2020, ‘NetWalker ransomware: no respite, no English required’, Sentinel Labs, 4 June, accessed 1 October 2020, .

Wroe, D 2019, ‘China ‘behind’ huge ANU hack amid fears government employees could be compromised’, The Sydney Morning Herald, 5 June, accessed 6 October 2020, .

2020 | DECEMBER 18 CYBER INTELLIGENCE LAB