The ANU security incident: cyber attack
So, what happened?
In a massive cyber attack described as being of unprecedented sophistication, hackers gained access to the computer system of Australian National University (ANU).
According to a public incident report, for weeks hackers trawled through data stored in the computer system. It was months before ANU even realised there had been a breach.
The report traces the hack back to an email sent to a senior ANU staff member in November 2018. The email was previewed but never clicked on by another staff member who had access to their colleague’s account.
Although the email was deleted, the hackers had already gained access to the senior staff member’s username, password and calendar. From here, they were able to access and compromise the ANU computer network.
ANU cyber attack timeline
The full extent of the cyber attack is still unknown, despite a forensic investigation, because the hackers were so meticulous in clearing their tracks.
However, investigators say names, addresses, phone numbers, dates of birth, payroll information, tax file numbers, bank account details and student academic records were stolen.
Cyber security expert and Cryptoloc security advisor Mark McPherson says the breach of ANU’s administrative systems was accomplished by determined attackers.
He says they acted systematically and with a sophistication of forethought indicating they were:
- working to a plan – spear-phishing for maximum yield and targeting specific systems etc.
- disciplined and patient – establishing a foothold and erasing evidence of downloaded attack tools used etc.
- varying and escalating their attack sophistication to overcome each new barrier etc
Cryptoloc solution for cyber attack
Mr McPherson says based on the public incident report, the success of the cyber attack on ANU’s administrative system appears to have hinged on several human and technical vulnerabilities.
“Not all of these vulnerabilities could have been mitigated by a Cryptoloc-based solution,” Mr McPherson says.
“However, the major impact of data theft, may have been reduced or possibly even eliminated entirely if a Cryptoloc technology-based solution was protecting the data targeted.”
How, you ask?
The primary focus of a Cryptoloc solution is to secure valuable data against unauthorised access. It accomplishes this by requiring an exchange of digital keys between an authorised user and the data storage system prior to releasing the content of a data file. Mr McPherson says this exchange can only work if a user not only possesses the correct login name and password but also has access to unlock their part of the digital key needed to access each specific data file.
“In any normal multi-user environment, Systems Administrators (aka super-users) access to a system provides them with unlimited access to all the data files stored on that system,” he says.
“But the data in files stored using a Cryptoloc-based solution remain encrypted and inaccessible even to systems administrators.
“A systems administrator can move, copy and delete any file on a system they control, but they cannot read the contents of a Cryptoloc-encrypted data file without a specific combination of material that forms the correct digital key for that specific file.
In a Cryptoloc-based solution, the complete digital key is not stored on the same system as the data file itself. The file can only be unlocked (decrypted) for reading using its complete digital key. The complete key can only be assembled by the deliberate action of an authorised user who brings their part of the digital key along with them at the time of access.
“Had ANU protected their important or sensitive data with a Cryptoloc-based solution they may not have lost control of any files securely-encrypted on their servers,” Mr McPherson says.
“This of course presupposes that unencrypted copies of important files were not otherwise also stored elsewhere on their systems.”
Mr McPherson has vast experience in security of data at Australian universities. In 1998 he joined AusCERT, a leading cyber emergency response team for Australia, based out of the University of Queensland.
AusCERT was the first CERT in Australia to operate as the national CERT and did so until 2010 when the Federal Government established its Incident Response Team (IRT). Mr McPherson was hired to help establish this new IRT called CERT Australia, which has since become part of the Australian Cyber Security Centre (ACSC).
He has worked with governments and organisations internationally to improve their security, including universities and financial institutions. He became involved with Cryptoloc after realising their encryption technology solved a massive problem for individuals and organisations worldwide to ensure data privacy.
Mr McPherson says universities and education institutions are at particular risk of cyber-attacks.
“Due to the collegial nature of educational institutions, internal cyber security is often necessarily soft-centred with a hard-shell protecting the perimeter,” he says.
“It is possible that part of the success attackers enjoy in these environments relies on exploiting this model of internal trust between colleagues and the systems they use to communicate and store their data”.