Hacks in history: What businesses can learn from the ANU cyber attack
In a cyber attack so sophisticated that it shocked even the most experienced Australian experts, hackers gained access to the computer system of the Australian National University (ANU) in 2018. Here’s what the attack can teach us about how we can protect ourselves today.
According to a public incident report released by the University in 2019, hackers spent weeks quietly trawling through data stored in ANU’s system. It was months before anyone at the institution even realised there had been a breach.
The report traces the hack back to an email sent by a senior ANU staff member in November 2018. The email was previewed, but never clicked on, by another staff member who had access to their colleague’s account.
Although the email was swiftly deleted, the hackers had already gained access to the senior staff member’s username, password and calendar. From there, they were able to access and compromise the ANU computer network.
Despite a forensic investigation, the full extent of the attack and the motivation behind it is still unknown, because the hackers were so meticulous in clearing their tracks. However, investigators say names, addresses, phone numbers, dates of birth, payroll information, tax file numbers, bank account details and student academic records were stolen.
Cyber security expert Mark McPherson, a member of Cryptoloc’s advisory board, says the breach of ANU’s administrative systems appears to have been accomplished by determined hackers. He says they acted systematically, and with a sophistication of forethought indicating they were:
- Working to a plan – Spear-phishing for maximum yield and targeting specific systems.
- Disciplined and patient – Establishing a foothold and erasing evidence of the attack tools used.
- Varying and escalating their attack sophistication to overcome each new barrier.
McPherson has worked with governments and organisations internationally to improve their security, including universities and financial institutions. He became involved with Cryptoloc after realising the company’s encryption technology would help to ensure data privacy for individuals and organisations worldwide.
Based on the public incident report, McPherson says that the success of the ANU attack hinged on human vulnerabilities as well as technical vulnerabilities.
McPherson says cyber attacks on institutions like ANU often exploit the trust that exists between colleagues – as in this case, where another staff member had access to their colleague’s account and previewed the malicious email.
“Due to the collegial nature of educational institutions, internal cyber security is often necessarily soft-centred with a hard shell protecting the perimeter,” he says.
“It is possible that part of the success attackers enjoy in these environments relies on exploiting the model of internal trust between colleagues and the systems they use to communicate and store their data.
“However, the major impact of data theft may have been reduced – or possibly even eliminated entirely – if a Cryptoloc-based solution was protecting the data that was targeted.”
That’s because the primary focus of a Cryptoloc-based solution is to secure valuable data against unauthorised access. It accomplishes this by requiring an exchange of digital keys between an authorised user and the data storage system prior to releasing the contents of a data file.
McPherson says this exchange can only work if the user possesses not only the correct login name and password, but also has access to their part of the digital key needed to access each specific data file.
“In any normal multi-user environment, systems administrators – also known as super users – have unlimited access to all the data files stored on that system,” he says.
“But the data in files stored using a Cryptoloc-based solution remain encrypted and inaccessible, even to systems administrators. A systems administrator can move, copy and delete any file on a system they control, but they cannot read the contents of a Cryptoloc-encrypted data file without the correct digital key for that specific file.
“In a Cryptoloc-based solution, the complete digital key is not stored on the same system as the data file itself. The file can only be unlocked – decrypted – for reading using the complete key, which can only be assembled by the deliberate action of an authorised user who brings their part of the digital key along with them at the time of access.”
McPherson says that if ANU had taken these sorts of precautions, their data may not have been vulnerable to hackers – assuming they didn’t commit another basic human error.
“Had ANU protected their important or sensitive data with a Cryptoloc-based solution, they may not have lost control of any files securely encrypted on their servers,” he says.
“This, of course, presupposes that unencrypted copies of important files were not otherwise also stored elsewhere on their systems.”
When it comes to cybersecurity, humans are the weakest link – and no matter how secure your software is, every member of your organisation should be on their guard to reduce the risk of a cyber attack.