Thursday, 03 October 2019 06:13

ANU still unaware of the who and why of latest hack

The Australian National University has released a report about the attack on its network which was announced in June 2019, providing a detailed timeline but no attribution for the hack or a possible reason as to why it was undertaken.

In a 20-page document released on Wednesday, ANU vice-chancellor and president Professor Brian Schmidt said the attacker had breached a part of the network known as the Enterprise Systems Domain where data on human resources, financial management, student administration and enterprise e-form systems were stored.

Schmidt said while the initial disclosure had warned that up to 19 years' worth of data might be at risk, investigations by both its own staff and American defence contractor Northrop Grumman indicated that the quantity of data taken was much less than this. He did not specify how the investigators had come to this conclusion.

Claiming that the ANU was releasing the report to "be as transparent with you as possible about what happened, how it happened and why it happened", Schmidt added that "this report cannot be an instruction manual for would-be hackers to launch another attack. I have asked for this report to be as transparent as is allowable to ensure our community is well-informed, but not so that criminals are armed with information that compromises our systems or that of another organisation".

The report claimed that the initial means of infection was "a sophisticated spearphishing email which did not require user interaction, ie clicking on a link or downloading an attachment". Yet the sample emails reproduced in the report carry .zip and .doc attachments, which is where any malicious code or macros would have resided, and the report does not explain how such a payload could have executed without the recipient opening it.

The ANU has several systems that face the Internet. A look at the network analysis site Netcraft shows that one domain is hosted on Windows Server 2012, an operating system released seven years ago. Another system runs Solaris, which is well past its prime.

Regarding the data exfiltration, Schmidt said: "More recent forensic analysis has been able to determine that the amount of data taken is much less than 19 years’ worth; although it is not possible to determine how many, or precisely which, records were taken. This analysis is based on duration of exfiltration activity and known, albeit incomplete, data volumes."

The ANU systems were also broken into in 2018, but no similar report has been forthcoming about that hack.

When the second break-in was announced in June, there were claims in some sections of the media that China was behind it.

Schmidt was at pains to emphasise that the individual or individuals who gained access to the ANU system were highly skilled.

"The tactics, techniques and procedures used during the attack highlight the sophistication and determination of the actor," he said.

"In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities."

He said the university had increased its technical cyber security efforts considerably since the first breach in 2018 and was now nearing the end of the tactical measures program arising from that incident.

"However, given the complexity and age of the IT network, the rollout of these measures has taken considerable time. Without the measures already in place, the second intrusion would not have been detected, and the subsequent attacks might have been more successful. Unfortunately, there was not sufficient time to universally implement all measures across the ANU network between the two attacks in 2018. The sophistication and speed of the second attack underscore the threat environment in which we, and other organisations, now operate," he said.

Despite all these "measures" being in place, the ANU took three months to notice that someone had gained unauthorised access to its network. Schmidt did not provide any illumination on this score.

Commenting on the report, Todd Peterson, a researcher at identity and access management solutions provider One Identity, said: "In 2018 it took just 16 minutes for the first click to occur on a phishing email. As such it is worrying that in 2019, that timeframe has not lengthened at all.

"While advanced privileged access management systems and two-factor authentication may be used correctly by organisations, newly developed infected emails can still pass the defence line and enter a network. With this in mind, it is important that identity and access management systems and processes are current; given the fast-moving nature of these hacks, it is vital organisations keep up.

"This is particularly so in the case of higher education institutions which are at risk as a result of maintaining old computers and old systems that house significant amounts of valuable personal data which can be sold on the black market."


Sam Varghese
Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.