By Adelle Millhouse
ANU has today released a full report into the 4 June data breach. The report establishes a definitive timeline of the breach, and details the methods of the attacker. It does not establish who was responsible, nor their motivations.
The report clarifies that recent forensic analysis revealed that “much less than 19 years’ worth” of data was taken as a result of the breach. In contrast to information given in June, it appears that only a very small amount of data was successfully stolen – approximately 700 MB, or 0.035% of the compromised databases. Though the attacker gained broad access to ANU’s systems, they confined themselves primarily to the ‘Enterprise Systems Domain’, which contains ANU’s human resources, financial management, student administration and enterprise e-form systems. According to ANU Vice Chancellor Brian Schmidt, “this wasn’t a smash and grab. It was a diamond heist.”
ANU was first breached by a “sophisticated operator” in early November last year, using a ‘spear-phishing’ email to access an ANU staff member’s credentials, and thereby gain access to the wider ANU network. The hacker was on the ANU network for about six weeks, with most of their activity occurring before mid-December, though they attempted to breach the network again several more times.
The breach was first detected by ANU in April 2019, in a “baseline threat hunting exercise”, but it was not discovered that data had been stolen until 17 May. ANU’s security team then spent a month implementing a “range of additional security controls” within the network before publicly announcing the breach on 4 June. ANU received advice that this delay was necessary as the announcement would likely make the university a target for secondary attacks from other opportunistic actors. An attempted attack was stopped within an hour of the announcement.
The attack on ANU’s system was so sophisticated that it “has shocked even the most experienced Australian security experts”, according to Schmidt. Techniques used included ‘spear’ phishing, custom-built malware, and ‘zero-day’ hacks. The hackers also effectively ‘cleaned up’ after themselves, dismantling their operations as they went to prevent detection. It was “most likely” carried out by a team of between five and fifteen people, “working around the clock”.
The hackers had access to information including the names, addresses, dates of birth, emergency contact details, phone numbers, tax file numbers, bank account details, and student academic records of ANU students, staff, and alumni. They did not have access to CVs or “sensitive student and staff information” such as health, counselling, or financial hardship records, or academic misconduct data. According to the report, it is “not possible to determine how many, or precisely which, records were taken”. ANU “categorically” denies that any sensitive personal information or data was taken in the breach.
There is currently no evidence that any of the breached data has been traded or used illegally. According to the report, ANU is “continuing to work with specialist service providers” to monitor this situation, and will notify affected parties if there is evidence that their data has been misused. The fact that data has not yet been used in this way makes it difficult to divine the motivations of the hacker.
ANU says it has taken steps to prevent a similar attack from occurring again. In addition to adding further security to the network as a whole, the University will be attempting some cultural changes in the cybersecurity space, creating a forthcoming “strategic information security strategy”. Phishing awareness training has already commenced for high-risk groups.
Schmidt admits that although it is “clear” that ANU “moved quickly to implement hardening and security improvement measures following our first cyber attack in 2018”, the report shows that more could have been done. ANU is “investing heavily” in measures to reduce future security risks, but Schmidt emphasises that “we must all remain vigilant and follow the advice of security experts to protect our personal information”.
The report claims to be the first of its kind in Australia. Schmidt stated that this is in support of a policy of full transparency on the breach, to “encourage disclosure of these attacks more broadly”. He claims that the report contains “valuable lessons not just for ANU, but for all Australian organisations who are increasingly likely to be the target of cyber attacks”.
All members of the ANU community are able to use the services of identity and cyber support service IDCare if they are concerned about their information. A helpline is available at 02 6125 2981. Counselling is available to all students, staff, and alumni.
Support is available:
ANU Counselling – (02) 6125 2442
ANU Crisis Student Support Line – Phone: 1300 050 327; Text: 0488 884 170
Lifeline – 13 11 14