Incident report on the breach of the Australian National University's administrative systems


In early November 2018, a sophisticated actor gained unauthorised access to the ANU network. This attack resulted in the breach of part of the network known as the Enterprise Systems Domain (ESD), which houses our human resources, financial management, student administration and enterprise e-forms systems.

By gaining access to ESD, the actor was able to copy and steal an unknown quantity of data contained in the above systems. There is some evidence to suggest the same actor attempted to regain access to ESD during February 2019, but this second attack was ultimately unsuccessful.

Indications of an intrusion were first detected in April 2019 during a baseline threat hunting exercise. The hunt uncovered network traffic data suggesting the presence of a malicious actor whose characteristics were distinct from the actor detected during the breach reported by the University in May 2018. The new detection precipitated an incident response, led by Northrop Grumman, working with ANU cybersecurity staff. The incident response team uncovered the data breach on Friday 17 May and verbally reported it to the Vice-Chancellor that day.

The initial means of infection was a sophisticated spearphishing email which did not require user interaction, i.e. clicking on a link or downloading an attachment. The actor’s dwell time on the ANU network was approximately six weeks, with most malicious activity ending around mid-December 2018, although there were some further attempts after this time.

The actor’s activity was contained to a handful of systems, although they had gained broader access. It is clear from the pathway taken by the actor that the sole aim was to penetrate ESD and gain unauthorised access to the systems mentioned above. There is no forensic evidence to suggest the actor accessed or displayed any interest in files containing general administrative documents or research data; nor was the ANU Enterprise Records Management System (ERMS) affected.

At the time of the public announcement, ANU was not able to ascertain how much data or specifically which fields might have been accessed. As such, it was assumed that all data, dating back some 19 years, had been potentially affected, and it was reported as such to err on the side of caution. More recent forensic analysis has been able to determine that the amount of data taken is much less than 19 years’ worth, although it is not possible to determine how many, or precisely which, records were taken. This analysis is based on the duration of exfiltration activity and known, albeit incomplete, data volumes.

ANU worked closely with, and reported findings to, the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC), before public notification. During the intervening two weeks between the detection of the breach and the public announcement on Tuesday 4 June 2019, we implemented a range of additional security controls inside ESD and the broader network – many of these activities were to expedite hardening measures already scheduled for implementation.

Publication Details
License type: All Rights Reserved