A “state-of-the-art” cyber attack on one of Australia’s most prestigious universities stemmed from a single email that was only previewed, a new report has found.
The Australian National University revealed earlier this year that its internal network had been compromised in late 2018 as the result of a hacking incident, and the personal information of thousands of staff and students had been accessed.
The university has now released a detailed report on the breach, outlining how it took place and the efforts the university has taken to mitigate any further risks. The university has been unable to determine the exact extent of the attack, how much information was taken or who was behind it.
ANU vice-chancellor Brian Schmidt said the attack demonstrated an “incredible level of sophistication” and “shocked even the most experienced Australian security experts”.
“This wasn't a smash and grab. This was a diamond heist,” Schmidt said. “They dismantled their operations as they went to cover their tracks. They brought their A-team.
“This was a state-of-the-art hack, carried out by an actor at the very top of their game and at the very cutting edge.”
The attackers were inside the ANU’s network for six weeks from November last year, and were eventually kicked out on 21 December. The university did not discover the attack until May this year.
The investigation found that the hacking attack began with just a single “sophisticated spearphishing” email that the actors sent to a senior staff member.
This email was only previewed, with no links clicked or attachments downloaded, but this was enough for the malicious code contained in it to gain access to the staff member’s credentials.
They then mapped the university’s network and sent out 10 targeted emails to other people at the ANU inviting them to an event at the uni. After sending more emails, the hackers eventually gained access to the username and password of a network administrator.
The attackers used these details to eventually gain access to the university’s Enterprise Systems Domain, which houses human resources, financial management, student administration and enterprise e-forms system.
They were then able to copy and steal an unknown quantity of data on the university’s staff and students, including names, addresses, phone numbers, dates of birth, emergency contacts, tax file numbers, payroll information, bank account details and academic records.
“Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken...we also know the stolen data has not been further misused,” the report said. “Frustratingly this brings us no closer to the motivations of the actor.”
When the hack was first revealed, there were fears that up to 19 years’ worth of personal data of 200,000 staff and students had been compromised. But the ANU report said the actual amount is likely far less.
“More recent forensic analysis has been able to determine that the amount of data taken is much less than 19 years’ worth; although it is not possible to determine how many, or precisely which, records were taken,” the report said.
The university has had specialists monitoring the dark web to ensure the data is not being sold or traded, and they have not detected any evidence of this or identification fraud involving the information.
The investigation found that the attack was likely carried out by up to 15 people “working around the clock” after months of planning but was unable to determine whether a nation-state or organised crime network was behind it.
“They were organised and everyone knew their role,” the report found. “They evolved. They used custom-built malware and zero-day hacks to exploit unknown vulnerabilities in our system.”
The investigation found the attack was made possible by the university’s ageing network infrastructure, rather than by individuals failing to install updates. It found that “several technical vulnerabilities and people and process issues contributed to the success of the actor’s campaign”.
The ANU has since invested in better cyber security, along with efforts to improve leadership and culture around the issue.
“We are working constantly to ensure the protection of the data that people entrust to us,” Schmidt said. “And we are investing heavily in measures to reduce the risks of this occurring again, including a multi-year information security investment program.
“But we must all remain vigilant and follow the advice of security experts to protect our personal information.”