The Australian National University suffered a cyber attack in 2018. The details have now been made public in a recently released report covering how the attack unfolded, its timeline, the technology the attackers used and more.
“The perpetrators of our data breach were extremely sophisticated,” said VC Prof. Brian Schmidt in the foreword.
Initially it was feared that 19 years of data had been stolen, but the investigation found that far less was compromised. Even so, the full extent of the damage remains unknown.
“Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken,” Schmidt said.
The goal of the hack appears to have been HR records, but even this is not certain.
The hackers targeted individual users for their passwords and other credentials in order to work their way up to administrative access, using a technique known as ‘spear-phishing’. Unlike bulk spam, spear-phishing emails are crafted for specific recipients and made to look legitimate, prompting the victim to open a link or attachment that in turn runs malicious code. The attackers built up a portfolio of stolen credentials so that losing any one of them, for instance through a password reset, would not cost them their access. The report also details a ‘shadow ecosystem’ of compromised machines inside the network, which the attackers used to run their tools and to track people of interest. These were the methods used to steal user data.
The timeline illustrates the degree of sophistication. Early on, the attackers set up two ‘virtual machines’ on one compromised system. Virtual machines are routinely used for legitimate purposes by system administrators in government, large companies and small businesses alike. In this case they were loaded with Windows XP, an operating system released in 2001 and unsupported by Microsoft since 2014, and Kali Linux, an open-source Linux distribution pre-loaded with penetration-testing tools. Penetration testing is not nefarious in itself, serving the legitimate purpose of finding weaknesses in software before an attacker does, but the same tools can be put to unethical use. The attackers also used a legacy mail server, an old server that had been ‘grandfathered in’ and, importantly, required no authentication to send mail, to contact users and harvest their information.
An example of a ‘phishing’ email from the report. Hackers used these to steal user information.
The hackers also wrote bespoke malicious code inside ANU’s network to avoid detection, since custom tools are not matched by the signatures of already-known malware. They routinely erased files, logs and any other trace of their actions, a practice known as a ‘wipe down’. According to its authors, the report owes nearly all of its content to the fact that the hackers lost control of one of their systems before they could complete a wipe-down of it.
ANU is far from the first victim of sophisticated cyber attacks. Universities have been dealing with them since 2003, beginning with attacks on Yale University in the US. Our own federal parliament was attacked in early 2019, with representatives from the Centre for International Security Studies pointing the finger at Russia and China. There is no evidence, however, that either country was involved in that attack or in the one on ANU. Nor is there any evidence that it was organised crime, which the report describes as ‘frustrating’.
Another attack on ANU servers was attempted in the same timeframe, likely by the same people, the report confirmed.
The university draws several lessons from the attack: rolling out two-factor authentication, decommissioning legacy systems with known security weaknesses, training the most at-risk staff to recognise phishing attacks, and improving firewall coverage.
It wasn’t just old machines and human error. Investigators found that modern systems had been compromised as well, even ones that were up to date with the latest security patches. Furthermore, the phishing emails needed only to be previewed, not clicked, for the malware to run, a perplexing fact. Expert Darren Hopkins, in an interview with AAP, said this more covert style of hacking has become more normal. “The way we’re being attacked now is designed to make it really difficult for us to detect”, he said.
“I don’t know how any of us are going to do business if we can’t open our emails.”
There is much for an onlooker to learn from these events. Most widely applicable is the importance of checking the validity of emails. Even when an email appears to come from a legitimate source, checking the sender’s address is only one step in staying safe, because the visible name and address can be faked. Questioning the intent behind the message, and watching for faulty grammar, unusual file types and a lack of specific detail, are further things to be wary of. Activating two-factor authentication and any other security measures on offer could mean the difference between being hacked and staying safe.
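As an added example, and not code from the report or from ANU, the script below applies several of these checks to a raw email message: it compares the sender’s visible display name, the Reply-To and the Return-Path against the real From domain, flags executable or script attachments, and spots links whose visible text shows one host while the link itself goes to another. The two sample messages, the evil-mail.example and similar domains, and the list of risky file types are all constructed for the example and are assumptions to adjust for your own mail.

```python
"""Flag common phishing indicators in a raw email message.

Added example, not code from the ANU report or from the university. The two
messages below are constructed for illustration; the list of risky file
types and the checks themselves are assumptions to tune for your own mail.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# File types legitimate correspondents rarely send but phishing often does
# (assumption: extend for your environment).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk", ".iso", ".img"}

ADDR_IN_TEXT_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address like 'Name <user@host>' or '<user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' if the text is not an absolute URL."""
    m = URL_HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display-name spoofing: the visible name is itself an address at a
    #    trusted domain, while the real sender address is somewhere else.
    shown = ADDR_IN_TEXT_RE.search(from_name)
    if shown and shown.group(1).lower() != from_domain:
        findings.append(f"display-name-spoof: name shows @{shown.group(1)}, sender is @{from_domain}")

    # 2./3. Replies or bounces routed to a domain other than the one in From.
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        other = domain_of(str(value)) if value else ""
        if other and other != from_domain:
            findings.append(f"{header.lower()}-mismatch: {other} != {from_domain}")

    # 4. Executable or script attachments, whatever MIME type they claim.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rpartition(".")[2] in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment: {name}")

    # 5. Links whose visible text is a URL on one host but whose target is another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in LINK_RE.findall(part.get_content()):
            visible = host_of(re.sub(r"<[^>]+>", "", text))
            if visible and visible != host_of(href):
                findings.append(f"link-mismatch: text shows {visible}, href goes to {host_of(href)}")
    return findings


# Constructed sample resembling a credential-harvesting lure (not a real message).
RAW_SAMPLE = """\
Return-Path: <bounce@bulk-sender.example>
From: "payroll@anu.edu.au" <notify@evil-mail.example>
Reply-To: hr-team@reply-collector.example
To: staff@anu.edu.au
Subject: Action required: confirm your payroll details today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your payroll record must be verified within 24 hours.</p>
<p><a href="http://login.evil-mail.example/anu">https://hr.anu.edu.au/login</a></p>
--b1
Content-Type: application/octet-stream; name="Payroll_Form.exe"
Content-Disposition: attachment; filename="Payroll_Form.exe"
Content-Transfer-Encoding: base64

QUJDRA==
--b1--
"""

# Constructed benign message with consistent headers and no attachments.
CLEAN_SAMPLE = """\
Return-Path: <payroll@anu.edu.au>
From: Payroll Office <payroll@anu.edu.au>
To: staff@anu.edu.au
Subject: Payslips for October are available
Content-Type: text/plain; charset="utf-8"

Payslips are available in the usual portal. Please log in as you normally would.
"""

if __name__ == "__main__":
    for line in phishing_indicators(RAW_SAMPLE):
        print(line)
    print("clean sample:", phishing_indicators(CLEAN_SAMPLE))
```

Run stand-alone, the script reports five indicators for the lure and none for the benign message. Each check is cheap and none is conclusive on its own; a mismatched Return-Path is normal for newsletters, for instance. The point is the one the paragraph makes: the From address alone proves nothing, so several signals need to agree. Note the caveat the report itself raises: a lure that runs on preview has already done its damage before anyone inspects headers, so checks like these complement, rather than replace, two-factor authentication and mail-gateway controls.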
“This wasn’t a smash and grab, it was a diamond heist. It’s likely they spent months planning this”, Prof Schmidt said.
Investigators are still searching for the perpetrators. While the breach has shaken stakeholders’ trust in ANU, the report is an unprecedented insight into a cyber attack on an Australian institution. It shows what transpired while omitting the specific details that could help copycats.