Lessons from the ANU cyberattack

Australian National University Vice Chancellor Brian Schmidt’s public release of a detailed report on the damaging cyberattack on ANU systems and data marks a refreshing shift in behaviour on cybersecurity for Australian public institutions.

The report is a candid, forensic account of the relentless, capable and aggressive attack on ANU systems by a sophisticated attacker between November 2018 and May 2019. It’s equally revealing about the high-end forensic and protective response that the ANU cyber team embarked on, in cooperation with Northrop Grumman and government agencies, once the breach was discovered in April.

The hacker seems to have had undisturbed access to ANU systems for half a year. They were sufficiently sophisticated to use three main avenues of attack: credential theft (to get logins to access systems), infrastructure compromise (to gain control of ANU systems and devices) and data theft (through simple (email) and more complex (encryption and compression) techniques).

In a mark of high-end capability beyond garden-variety hackers, when they couldn’t get into their primary target—ANU’s enterprise systems domain (ESD)—after repeated attempts with readily available techniques, they used much more sophisticated ‘bespoke source code or malware’ that they downloaded and then ran on the ANU system. That’s how they broke into the ESD and got hold of at least some of the personal data that seems to have been their goal.

The other distinctive feature that shows the attacker had skills beyond most is what the report tells us about the ‘hacker hygiene’ they displayed—cleaning up and removing the traces of their activity as they worked. The clean-up was so adept and focused that, but for a lucky firewall change in November that shut the attacker out of a compromised ANU computer (attack station one in the report), little of the forensic detail in the report would have been available. That’s because the attacker hadn’t finished cleaning up the compromised computer before they lost access to it.

It seems that what was taken is less than the 19 years of ANU student and staff details that were initially feared, because of calculations about how, and for how long, data was exfiltrated by the attacker.

So why did this hacker decide to use their high-end tools against this prestigious Australian university? That can’t be known with certainty, but it’s always useful to go back to the Romans when investigating human behaviour. At the heart of Roman justice was addressing the key question, Cui bono? Who benefits?

Personal data on ANU students and staff of the type held in the ANU’s ESD (names, addresses, contact details, tax file numbers and bank account details) is interesting, but by itself it’s of limited value. A criminal hacker could sell it for gain, but the ANU says there’s no indication that has happened.

Perhaps the attacker wanted this personal data first, which was why they were relentless in targeting the system that held it. But they may also have intended to hang around inside the ANU’s network, with all the opportunities that controlling an internal system and networks would provide. If that had happened, ANU research data would have been at risk. And while much ANU research is published openly, information about the lines of inquiry ANU experts have followed and found fruitless is usually not. There’s also the obvious value of intellectual property across scientific, mathematical and other ANU research areas.

Overall, though, given the hacker’s priority on targeting personal data, the most likely explanation is that they were thinking of combining the stolen ANU data with other data they already held or were getting from elsewhere. As with any of our universities, some of the ANU’s graduates go on to become highly successful corporate, political and government (ministerial and official) people—not just leaders but capable technical experts. Personal information about such people would be of obvious value to a foreign intelligence agency. So, taking the Roman view, it seems most likely the attacker was a state-connected entity, contributing to foreign espionage work. We won’t know which one unless the forensic evidence available to the government and the ANU gives some clues.

The vice chancellor is right to not make attribution judgements. It’s not really the role of a university to take on a nation-state or to engage in law enforcement. That’s the role of government.

The lessons from the ANU experience are disturbing and stark. ANU had a range of ‘normal’ cybersecurity measures in place across its networks, but they were clearly insufficient. It was only because ANU had already started to lift its cybersecurity practices and investment by April that the attacker was discovered (the report notes this happened because of a ‘baseline threat hunting exercise’).

So, every public institution or company needs to examine its own practices. If it doesn’t go beyond standard protective security—firewalls, antivirus measures, intrusion detection software—it should consider whether it needs to take more active measures within and across its internal systems.

The ANU attack is also a reminder that systems and IT investment are not enough. Strong security awareness and practice by all the people in an organisation is essential to reducing the risk of cyber compromise.

And it shows what everyone knows intellectually to be true, but what a real-world example brings home in a much more palpable way: if you hold data—particularly personal data, but also data aggregations of almost any kind—it is valuable to someone. If you fail to protect it, your organisation may suffer financial loss through lost opportunity to use intellectual property, but, as importantly, if you compromise the personal data of your customers, your own people, or your partners, you will suffer reputational damage that is hard to repair.

The ANU incident report provides a menu of questions and actions for all of our universities and should be required reading for all vice chancellors. It is also a great prompt for any corporate board or CEO who wants to know more about what those cybersecurity folk in IT are and are not up to.

The last lesson from the ANU experience is one for government. Naming cyber attackers, particularly when they are state actors, is an essential part of deterrence and security. Naming and shaming may not prevent a motivated state actor from conducting further attacks, but it creates awareness of real, as opposed to hypothetical, threats. It also creates the opportunity for others to speak up and act collectively against the perpetrators. And only governments really have the horsepower and status—let alone responsibility—to bring the actions of other states to public account and attention.

It may not be possible to name the attacker in this case. But in instances where attribution is clear—as is almost certainly the case with the recent hacks into our parliament and major political parties—they should be named. Not doing so is like coming home to a burgled house, knowing who the burglar was, but still having them over to dinner that night and keeping silent about the mess around the table. That doesn’t fix the problem; it only provides a licence for further bad behaviour.

Let’s see this ANU report as the start of a healthy shift for all Australian institutions in publishing details of cyber incidents and their responses. Greater openness about such incidents will build a body of knowledge and good practice that will make us all safer in our online activities and more able to trust the institutions that hold our data and our knowledge.