Agilient Security Consultants Australia


Inside the Historic ANU Breach

In an admirable move, the Australian National University (ANU) has released a report outlining the details of the sophisticated cyber-attack that wreaked havoc at the University in November last year.

The breach, which saw the attackers set up camp within the system for at least 6 weeks, was conducted by incredibly adept hackers who were able to meticulously cover their tracks and disguise their tools, motives and identities.

How It Began

In early November 2018, a phishing email designed as an “interaction-less” attack was sent to a senior ANU staff member; a simple preview of the email was enough to steal login credentials and open the first door for the hackers. The hackers then infiltrated the ANU computer network known as “attack station one”, gaining access to staff emails, phone numbers and titles. The understanding this gave them of the types of emails staff were exchanging enabled them to create convincing emails of their own.

This led them to the pot of gold – the Enterprise Systems Domain (ESD). This contained finance, human resources and student administration databases, tax file numbers, student academic records, personal details and more. It is still unclear how much of this data was stolen, although recent forensic analysis has shown that it was less than the 19 years’ worth of data that was on offer.

The intrusion was finally detected in April this year during a baseline threat hunting exercise, although the attack had effectively been thwarted in December by the University’s planned system maintenance. The attackers repeatedly attempted to regain access over the next few months, even after ANU had announced the data breach.

Profile of the Attackers

In their report, ANU highlighted the unprecedented determination and ability of the attackers, their tactics and their procedures. They were not only incredibly efficient and precise, but also able to evolve their techniques during the campaign, use customised malware, meticulously cover their tracks and demonstrate incredible operational security. While this level of attack may seem extraordinary now, when one considers the astonishing speed at which cyber-attacks are evolving, it is more than likely that threat actors and techniques such as these will proliferate and become commonplace.

Protection Going Forward

It is a harsh reality and a tough lesson learned by ANU, who have in response demonstrated their desire for others to learn from their mistakes. The University admitted that, although it was in the midst of hardening its cybersecurity, more should have been done. The report highlighted various security measures and protocols that, had they been implemented sooner or more thoroughly, could have prevented or mitigated this disastrous attack. Most notably, these recommendations include:

  • Strengthening the safety measures around Personally Identifiable Information (PII) – ANU in response have established a working group, chaired by the Chief Privacy Officer, to review, develop and guide PII security measures;
  • Enhancing awareness of social engineering and phishing techniques, both through education and through enhancing mail gateway system security;
  • Removing legacy authentication and introducing and continuously improving two-factor authentication in its place;
  • Continuously reviewing and re-validating the network’s firewall coverage;
  • Expediting, improving and reviewing vulnerability and patch management initiatives; and
  • Scheduling regular simulation exercises.

Apart from obvious technical measures such as these, ANU has recognised the wider organisational issue where security is systematically misunderstood and undervalued. Essentially, in order to be truly effective, the implementation of security measures must involve a corresponding organisational shift in security culture. To this effect, ANU has promised to focus on the modernisation of its IT and security infrastructure, and to zone in on its security culture and awareness amongst students, staff and researchers.

The report’s investigations and recommendations have been passed on to a University Foreign Interference Taskforce that was established in August. However, the report must also be viewed as yet another reminder for any institution across any industry to take cybersecurity seriously and proactively. As the ANU Vice-Chancellor Professor Brian Schmidt puts it, “we are certainly not alone, and many organisations will already have been hacked, perhaps without their knowledge. I hope this report will help them protect themselves, their data and their communities”.

This underpins Agilient’s appreciation of the need to understand, prioritise, tailor and manage each client’s unique cybersecurity needs, not only considering their current risk appetite and threat environment, but also planning for the cyber challenges of tomorrow.

At Agilient, we specialise in a variety of cybersecurity services, including Cybersecurity Risk & Compliance Management, Penetration Testing and Cybersecurity Risk Management. Contact us today to learn more about your cybersecurity potential.

Author: Elsa Chapple, Agilient Consultant
