On 9 November 2018, an email arrived in the inbox of a senior Australian National University staff member staff.
Despite no one clicking on links in the email, a hacker gained access to 19 years’ worth of private information of staff and students. For over a month, a hacker – or hackers – had access to the university’s online system without anyone knowing.
It was months before the university even realised they had been the victim of a cyber attack.
Nearly a year later, the extent of the hack still remains unclear but what they do know is that names, dates of birth, addresses and phone numbers were stolen.
The ANU has now released a 20-page report into exactly how the hack occurred, how they have strengthened their online security but, most importantly, to apologise to their current and former students.
According to the report, the “interaction-less” email attack has shocked even the most experienced Australian security experts.
Most cyber-attacks require action from someone within the target organisation such as opening an email; however, an interaction-less attack, such as the email sent to the senior ANU staff member, was only previewed and did not require the recipient to click on any link or download and open an attachment.
According to the ANU, “this ‘interaction-less’ attack resulted in the senior staff member’s credentials being sent to several external web addresses”.
The report said it is “highly likely” that the stolen credentials were used to gain access to other systems, including into the Enterprise Systems Domain (ESD) which stores the university’s human resources, financial management and student administration.
The hacker was able to copy and steal an unknown quantity of data contained in the above systems, spending around six weeks on the ANU network unnoticed.
“The tactics, techniques and procedures used during the attack highlight the sophistication and determination of the actor,” the report reads.
“In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities.”
Indications of the intrusion were first detected in April 2019 during a baseline threat hunting exercise. On 17 May, the incident response team uncovered the data breach and reported it to the Vice-Chancellor that day.
ANU Vice-Chancellor Professor Brian Schmidt said it still remains unclear how much data was actually stolen.
“Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken,” he said.
“However, our analysis has been able to establish that while the hackers had access to data up to 19-years-old, the hackers took much less than the 19 years’ worth of data we originally feared.
“We also know the stolen data has not been further misused.”
Professor Brian Schmidt said although the university implemented tougher security measures after a cyber-attack in May 2018, the report shows that “we could have done more”.
He said the ANU ultimately views the breach as an organisational issue, one which requires a change to the university’s “security culture”.
“ANU acknowledges several technical vulnerabilities and people and process issues that contributed to the success of the actor’s campaign,” the report said.
“ANU has either addressed these issues or, for more complex issues, is in the process of developing a response and remediation plan as part of our strategic information security program.”
In response to the attack, the university has added additional protection to the affected systems and there is ongoing work to further reduce risks to their data.
At the time of the report, ANU said there is no evidence that the stolen data has been traded or used illegally, but said it would continue to work with specialist service providers to scan online sources and will notify affected parties if there is any evidence their data has been misused.
Professor Brian Schmidt said the university made the report public as it contains valuable lessons not just for ANU, but for all Australian organisations who might be targets of similar attacks.
“It is confronting to say this, but we are certainly not alone, and many organisations will already have been hacked, perhaps without their knowledge,” he said. “I hope this report will help them protect themselves, and their data and their communities.”
Professor Brian Schmidt said he wanted to apologise to the victims of this data breach.
“We are working constantly to ensure the protection of the data you entrust us with; and are investing heavily in measures to reduce the risks of this occurring again, including a multi-year information security investment program,” he said.
“We must all remain vigilant and follow the advice of security experts to protect our personal information.”
Read the full report from the ANU here.