{"id":51032,"date":"2019-10-04T06:00:00","date_gmt":"2019-10-03T20:00:00","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=51032"},"modified":"2019-10-03T18:12:49","modified_gmt":"2019-10-03T08:12:49","slug":"lessons-from-the-anu-cyberattack","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/","title":{"rendered":"Lessons from the ANU cyberattack"},"content":{"rendered":"
<\/figure>\n

Australian National University Vice Chancellor Brian Schmidt\u2019s public release of a detailed report<\/a> on the damaging cyberattack on ANU systems and data marks a refreshing shift in behaviour on cybersecurity for Australian public institutions.<\/p>\n

The report is a candid, forensic account of the relentless, capable and aggressive attack on ANU systems by a sophisticated attacker between November 2018 and May 2019. It\u2019s equally revealing about the high-end forensic and protective response that the ANU cyber team embarked on, in cooperation with Northrop Grumman and government agencies, once the breach was discovered in April.<\/p>\n

The hacker seems to have had undisturbed access to ANU systems for about half a year. They were sufficiently sophisticated to use three main avenues of attack: credential theft (harvesting logins to get into systems), infrastructure compromise (taking control of ANU systems and devices) and data theft, both by simple means (sending data out by email) and by more complex ones (compressing and encrypting data before exfiltrating it).<\/p>\n

In a mark of high-end capability beyond garden-variety hackers, when they couldn\u2019t get into their primary target\u2014ANU\u2019s enterprise systems domain (ESD)\u2014after repeated attempts with readily available techniques, they used much more sophisticated \u2018bespoke source code or malware\u2019 that they downloaded and then ran on the ANU system. That\u2019s how they broke into the ESD and got hold of at least some of the personal data that seems to have been their goal.<\/p>\n

The other distinctive feature that shows the attacker had skills beyond most is what the report tells us about the \u2018hacker hygiene\u2019 they displayed\u2014cleaning up and removing the traces of their activity as they worked. The clean-up was so adept and focused that, but for a lucky firewall change in November that shut the attacker out of a compromised ANU computer (attack station one in the report), little of the forensic detail in the report would have been available. That\u2019s because the attacker hadn\u2019t finished cleaning up the compromised computer before they lost access to it.<\/p>\n

Calculations of how, and for how long, data was exfiltrated by the attacker suggest that what was taken is less than the 19 years of ANU student and staff details that was initially feared.<\/p>\n

So why did this hacker decide to use their high-end tools against this prestigious Australian university? That can\u2019t be known with certainty, but it\u2019s always useful to go back to the Romans when investigating human behaviour. At the heart of Roman justice was addressing the key question, Cui bono?<\/em> Who benefits?<\/p>\n

Personal data on ANU students and staff of the type held in the ANU\u2019s ESD (names, addresses, contact details, tax file numbers and bank account details) is interesting, but by itself it\u2019s of limited value. A criminal hacker could sell it for gain, but the ANU says there\u2019s no indication that has happened.<\/p>\n

Perhaps the attacker wanted this personal data first, which was why they were relentless in targeting the system that held it. But they may also have intended to hang around inside the ANU\u2019s network, with all the opportunities that controlling an internal system and networks would provide. If that had happened, ANU research data would have been at risk. And while much ANU research is published openly, information about the lines of inquiry ANU experts have followed and found fruitless is usually not. There\u2019s also the obvious value of intellectual property across scientific, mathematical and other ANU research areas.<\/p>\n

Overall, though, given the hacker\u2019s priority on targeting personal data, the most likely explanation is that they were thinking of combining the stolen ANU data with other data they already held or were getting from elsewhere. As with any of our universities, some of the ANU\u2019s graduates go on to become highly successful corporate, political and government (ministerial and official) people\u2014not just leaders but capable technical experts. Personal information about such people would be of obvious value to a foreign intelligence agency. So, taking the Roman view, it seems most likely the attacker was a state-connected entity, contributing to foreign espionage work. We won\u2019t know which one unless the forensic evidence available to the government and the ANU gives some clues.<\/p>\n

The vice chancellor is right to not make attribution judgements. It\u2019s not really the role of a university to take on a nation-state or to engage in law enforcement. That\u2019s the role of government.<\/p>\n

The lessons from the ANU experience are disturbing and stark. ANU had a range of \u2018normal\u2019 cybersecurity measures in place across its networks, but they were clearly insufficient. It was only because ANU had already started to lift its cybersecurity practices and investment by April that the attacker was discovered (the report notes this happened because of a \u2018baseline threat hunting exercise\u2019).<\/p>\n

So, every public institution or company needs to examine its own practices. If it doesn\u2019t go beyond standard protective security\u2014firewalls, antivirus measures, intrusion detection software\u2014it should consider whether it needs more active measures within and across its internal systems, such as the kind of threat hunting that uncovered the ANU intrusion.<\/p>\n
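A minimal version of that kind of baseline-then-hunt, as an added example that is not part of the original article or of the ANU report: it runs over constructed outbound flow records (hosts, dates and the RFC 5737 documentation addresses are all made up), works out what each host normally sends out per day, and flags hosts that, on more than one day, push far more than their baseline to a single external endpoint. The record layout, thresholds and function names are assumptions for illustration, not ANU\u2019s actual method.<\/p>\n

```python
'''Baseline-then-hunt over outbound flow records (added example).

Not code from the ANU report or from the article. All records below are
constructed, the field layout is an assumption, and the thresholds are
illustrative starting points rather than a tested standard.
'''
from collections import defaultdict
from datetime import date
from statistics import median


def constructed_flows():
    '''Constructed sample data: (day, internal host, external dst, bytes out).'''
    flows = []
    for d in range(1, 11):  # ten ordinary days for two workstations
        flows.append((date(2019, 3, d), 'ws-101', '203.0.113.10', 2_000_000 + 100_000 * d))
        flows.append((date(2019, 3, d), 'ws-102', '203.0.113.10', 5_000_000))
    # ws-101 then pushes about 400 MB a night to one new external endpoint for three nights
    for d in (11, 12, 13):
        flows.append((date(2019, 3, d), 'ws-101', '198.51.100.7', 400_000_000))
        flows.append((date(2019, 3, d), 'ws-101', '203.0.113.10', 2_000_000))
    # ws-102 makes a single large upload (think: a one-off backup); one day only
    flows.append((date(2019, 3, 11), 'ws-102', '192.0.2.44', 90_000_000))
    return flows


FLOWS = constructed_flows()


def daily_totals(flows):
    '''Outbound bytes per (host, day) and per (host, day, destination).'''
    per_day = defaultdict(int)
    per_dst = defaultdict(int)
    for day, host, dst, nbytes in flows:
        per_day[(host, day)] += nbytes
        per_dst[(host, day, dst)] += nbytes
    return per_day, per_dst


def baseline(per_day):
    '''Median daily outbound bytes per host: the normal the hunt compares against.
    The median is used rather than the mean so a few exfiltration days do not
    drag the baseline up and hide themselves.'''
    by_host = defaultdict(list)
    for (host, _day), total in per_day.items():
        by_host[host].append(total)
    return {host: median(totals) for host, totals in by_host.items()}


def hunt(flows, factor=10, min_bytes=50_000_000, dominance=0.8, min_days=2):
    '''Flag (host, destination) pairs where, on at least min_days days, the host
    sent at least min_bytes, more than factor times its baseline, and at least
    the dominance share of the day went to that one destination.'''
    per_day, per_dst = daily_totals(flows)
    base = baseline(per_day)
    hits = defaultdict(list)  # (host, dst) -> days on which it looked anomalous
    for (host, day), total in per_day.items():
        if total < min_bytes or total <= factor * base[host]:
            continue
        # Which external endpoint received the bulk of that day outbound bytes?
        to_dst = {d: b for (h, dd, d), b in per_dst.items() if h == host and dd == day}
        top_dst, top_bytes = max(to_dst.items(), key=lambda kv: kv[1])
        if top_bytes / total >= dominance:
            hits[(host, top_dst)].append(day)
    findings = []
    for (host, dst), days in hits.items():
        if len(days) >= min_days:
            findings.append({'host': host, 'dst': dst,
                             'days': sorted(days), 'baseline_bytes': base[host]})
    return findings


if __name__ == '__main__':
    for f in hunt(FLOWS):
        print(f['host'], '->', f['dst'], 'on', [d.isoformat() for d in f['days']],
              'baseline', f['baseline_bytes'], 'bytes/day')
```

With the defaults, the hunt reports only ws-101: its three nights of roughly 400 MB to 198.51.100.7 dwarf a baseline of a few megabytes a day, while the single large upload from ws-102 is held back by the min_days requirement. Those thresholds are the part a practitioner tunes against their own traffic; the lesson the ANU report illustrates is that none of this is visible unless someone first measures what normal looks like and then goes looking for departures from it.<\/p>\n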

The ANU attack is also a reminder that systems and IT investment are not enough. Strong security awareness and practice by all the people in an organisation is essential to reducing the risk of cyber compromise.<\/p>\n

And it shows what everyone knows intellectually to be true, but what a real-world example brings home in a much more palpable way: if you hold data\u2014particularly personal data, but also data aggregations of almost any kind\u2014it is valuable to someone. If you fail to protect it, your organisation may suffer financial loss through lost opportunity to use intellectual property, but, as importantly, if you compromise the personal data of your customers, your own people, or your partners, you will suffer reputational damage that is hard to repair.<\/p>\n

The ANU incident report provides a menu of questions and actions for all of our universities and should be required reading for all vice chancellors. It is also a great prompt for any corporate board or CEO who wants to know more about what those cybersecurity folk in IT are and are not up to.<\/p>\n

The last lesson from the ANU experience is one for government. Naming cyber attackers, particularly when they are state actors, is an essential part of deterrence and security. Naming and shaming may not prevent a motivated state actor from conducting further attacks, but it creates awareness of real, as opposed to hypothetical, threats. It also creates the opportunity for others to speak up and act collectively against the perpetrators. And only governments really have the horsepower and status\u2014let alone responsibility\u2014to bring the actions of other states to public account and attention.<\/p>\n

It may not be possible to name the attacker in this case. But in instances where attribution is clear\u2014as is almost certainly the case with the recent hacks into our parliament and major political parties\u2014they should be named. Not doing so is like coming home to a burgled house, knowing who the burglar was, but still having them over to dinner that night and keeping silent about the mess around the table. That doesn\u2019t fix the problem; it only provides a licence for further bad behaviour.<\/p>\n

Let\u2019s see this ANU report as the start of a healthy shift for all Australian institutions in publishing details of cyber incidents and their responses. Greater openness about such incidents will build a body of knowledge and good practice that will make us all safer in our online activities and more able to trust the institutions that hold our data and our knowledge.<\/p>\n","protected":false},"excerpt":{"rendered":"

Australian National University Vice Chancellor Brian Schmidt\u2019s public release of a detailed report on the damaging cyberattack on ANU systems and data marks a refreshing shift in behaviour on cybersecurity for Australian public institutions. The …<\/p>\n","protected":false},"author":766,"featured_media":51034,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[713,2138,728,2335],"class_list":["post-51032","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-cyberattack","tag-cybersecurity","tag-hacking","tag-universities"],"acf":[],"yoast_head":"\nLessons from the ANU cyberattack | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Lessons from the ANU cyberattack | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Australian National University Vice Chancellor Brian Schmidt\u2019s public release of a detailed report on the damaging cyberattack on ANU systems and data marks a refreshing shift in behaviour on cybersecurity for Australian public institutions. 
The ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2019-10-03T20:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-10-03T08:12:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/10\/code0310.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1050\" \/>\n\t<meta property=\"og:image:height\" content=\"700\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Michael Shoebridge\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Michael Shoebridge\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/10\/code0310.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/10\/code0310.jpg\",\"width\":1050,\"height\":700},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/\",\"name\":\"Lessons from the ANU cyberattack | The 
Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/#primaryimage\"},\"datePublished\":\"2019-10-03T20:00:00+00:00\",\"dateModified\":\"2019-10-03T08:12:49+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b7802124e14835ff19b5c244e962849f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Lessons from the ANU cyberattack\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b7802124e14835ff19b5c244e962849f\",\"name\":\"Michael Shoebridge\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9ad669e65739d5a3f4bbc0e839d8a6b8?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9ad669e65739d5a3f4bbc0e839d8a6b8?s=96&d=mm&r=g\",\"caption\":\"Michael Shoebridge\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/michael-shoebridge\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Lessons from the ANU cyberattack | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/","og_locale":"en_US","og_type":"article","og_title":"Lessons from the ANU cyberattack | The Strategist","og_description":"Australian National University Vice Chancellor Brian Schmidt\u2019s public release of a detailed report on the damaging cyberattack on ANU systems and data marks a refreshing shift in behaviour on cybersecurity for Australian public institutions. The ...","og_url":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2019-10-03T20:00:00+00:00","article_modified_time":"2019-10-03T08:12:49+00:00","og_image":[{"width":1050,"height":700,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/10\/code0310.jpg","type":"image\/jpeg"}],"author":"Michael Shoebridge","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Michael Shoebridge","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/10\/code0310.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2019\/10\/code0310.jpg","width":1050,"height":700},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/","url":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/","name":"Lessons from the ANU cyberattack | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/#primaryimage"},"datePublished":"2019-10-03T20:00:00+00:00","dateModified":"2019-10-03T08:12:49+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b7802124e14835ff19b5c244e962849f"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/lessons-from-the-anu-cyberattack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Lessons from the ANU 
cyberattack"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b7802124e14835ff19b5c244e962849f","name":"Michael Shoebridge","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/9ad669e65739d5a3f4bbc0e839d8a6b8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9ad669e65739d5a3f4bbc0e839d8a6b8?s=96&d=mm&r=g","caption":"Michael Shoebridge"},"url":"https:\/\/www.aspistrategist.ru\/author\/michael-shoebridge\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/51032"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/766"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=51032"}],"version-history":[{"count":6,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/51032\/revisions"}],"predecessor-version":[{"id":51040,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/51032\/revisions\/51040"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/51034"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=51032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=51032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=51032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}