In a 20-page document released on Wednesday, ANU vice-chancellor and president Professor Brian Schmidt said the attacker had breached a part of the network known as the Enterprise Systems Domain where data on human resources, financial management, student administration and enterprise e-form systems were stored.
Schmidt said while the initial disclosure had warned that up to 19 years' of data might be at risk, investigations by both its own staff and American defence contractor Northrop Grumman indicated that the quantum of data taken was much less than this amount. He did not specify how the investigators had come to this conclusion.
Claiming that the ANU was releasing the report to "be as transparent with you as possible about what happened, how it happened and why it happened", Schmidt added that "this report cannot be an instruction manual for would-be hackers to launch another attack. I have asked for this report to be as transparent as is allowable to ensure our community is well-informed, but not so that criminals are armed with information that compromises our systems or that of another organisation".
The ANU has several systems that face the Internet. A look at the network analysis site Netcraft shows that one domain is hosted on Windows Server 2012, a fairly ancient operating system. Additionally, one system runs Solaris, which is well past its prime.
Regarding the data exfiltration, Schmidt said: "More recent forensic analysis has been able to determine that the amount of data taken is much less than 19 years’ worth; although it is not possible to determine how many, or precisely which, records were taken. This analysis is based on duration of exfiltration activity and known, albeit incomplete, data volumes."
The ANU systems were also broken into in 2018, but no similar report has been forthcoming about that hack.
Schmidt was at pains to emphasise that the individual or individuals who gained access to the ANU system were highly skilled.
"The tactics, techniques and procedures used during the attack highlight the sophistication and determination of the actor," he said.
"In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities."
He said the university had increased its technical cyber security efforts considerably since the first breach in 2018 and was now nearing the end of the tactical measures program arising from that incident.
"However, given the complexity and age of the IT network, the rollout of these measures has taken considerable time. Without the measures already in place, the second intrusion would not have been detected, and the subsequent attacks might have been more successful. Unfortunately, there was not sufficient time to universally implement all measures across the ANU network between the two attacks in 2018. The sophistication and speed of the second attack underscore the threat environment in which we, and other organisations, now operate," he said.
Despite all these "measures" being in place, the ANU took three months to notice that someone had gained unauthorised access to its network. Schmidt did not provide any illumination on this score.
Commenting on the report, Todd Peterson, a researcher at identity and access management solutions provider One Identity, said: "In 2018 it took just 16 minutes for the first click to occur on a phishing email. As such it is worrying that in 2019, that timeframe has not lengthened at all.
"While advanced privileged access management systems and two-factor authentication may be used correctly by organisations, newly developed infected emails can still pass the defence line and enter a network. With this in mind, it is important that identity and access management systems and processes are current; with the fast-moving nature of these hacks, it is vital organisations keep up.
"This is particularly so in the case of higher education institutions which are at risk as a result of maintaining old computers and old systems that house significant amounts of valuable personal data which can be sold on the black market."