A cyber attack that saw an unauthorised actor gain access to Australia National University (ANU)'s network for six weeks has shocked the country's most experienced security experts, new findings reveal.

According to a new report, the hacker infiltrated the university's Enterprise Systems Domain (ESD) network, which led to an unknown number of human resources, financial management, student administration and enterprise e-forms systems being copied and stolen.

Having successfully breached the defences in November 2018, the same actor then attempted to regain access in February 2019, but failed to get through. ANU only first detected that a possible breach had taken place in April 2019.

According to its now-revealed incident report, the attack shocked even the most experienced Australian security experts.

"The initial means of infection was a sophisticated spear-phishing email which did not require user interaction, i.e. clicking on a link or downloading an attachment," the report stated. "The actor's dwell time on the ANU network was approximately six weeks, with most malicious activity ending around mid-December 2018, although there were some further attempts after this time."

As opposed to the initial findings, in which ANU assumed data from 19 years had been accessed, the report said that it is "much less" than that, although it is unable to determine how much at this point.

"The tactics, techniques and procedures used during the attack highlight the sophistication and determination of the actor. In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities," the report read.

The campaign started on 9 November 2018 with a spear-phishing email sent to the mailbox of a senior member of staff. The email was only previewed; however, the malicious code it contained did not require the recipient to click on any link or to download and open an attachment.

"The actor exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign. The exception was attack station one, which the actor lost control of on 30 November. At this point, the actor was part way through its clean-up cycle and as such was not able to fully erase all traces. It is the forensic analysis of these traces that forms much of the content of this report. Due to the operational security and clean-up operations of the actor, it has not been possible to retrieve copies of the files exfiltrated from the network. In some cases, there was enough forensic and log data to ascertain file sizes."

In the two weeks between the detection of the breach and the public notification, ANU detected repeated attempts to gain or possibly regain access to ESD. Investigations into the nature of these attempts, which were blocked, are still ongoing. ANU also revealed that, as it had been advised, it was subject to further intrusion attempts within one hour of the public announcement and on the following day, both of which were stopped.

"This wasn't a smash and grab. It was a diamond heist," said ANU vice-chancellor Professor Brian Schmidt. "It's likely they spent months planning this. They were organised and everyone knew their role. They evolved.
They used custom-built malware and zero-day hacks to exploit unknown vulnerabilities in our system. They dismantled their operations as they went to cover their tracks. They brought their A team."

The university has added additional protection to the affected systems, and there is ongoing work to further reduce risks to its data.

"We are working constantly to ensure the protection of the data that people entrust to us," he said. "And we are investing heavily in measures to reduce the risks of this occurring again, including a multi-year information security investment program."

A complete timeline of the attack can be found in the ANU Incident Report.