In late 2018, a sophisticated actor launched an attack on ANU, and gained access to the Enterprise Systems Domain (ESD) which contains confidential information about student administration, financial management, and human resources. This breach allowed the unknown party to steal an unknown quantity of information
The criminal gained access through ANU’s cyber defence both via people and processes, as well as several technical vulnerabilities. These weaknesses have now all been shored up, or a remediation plan put into place for the more complex issues.
ANU defines the attack by its high degree of operational security, involving file and log erasure to cover the actor’s tracks, as well as the sophisticated measures taken by the actor to defeat forensic analysis and hide activity.
The attack launched at first with spearphishing emails to try and gain the login credentials of an administrator or someone with access to targeted systems. A senior staff member received this email and did not click on or open the window, only previewing it before deleting the email. The malicious code in the email did not require more interaction from the staff member in order to steal their login credentials as well as access their calendar.
All emails sent by the actor appeared legitimate in nature and used further information, including from the calendar, in order to create believable emails. With each extra piece of information, the actor found it easier to gain the next login credentials and further access to the network. While ANU cannot determine how much information was taken, it believes that the focus was on personal information.
In late November 2018, ANU implemented a routine firewall change which removed the actor. The actor however, immediately began activity to get back into the network, and successfully regained access after two weeks. ANU was able to detect the next spearphishing campaign and remove the actor again. There were several more intrusion attempts following this, until March 2019 which is the last known activity by this actor.
Full details of the attack and the steps which ANU have taken can be found in the full report here.
As risk management professionals we love being prepared. Here are some tips below for how best to be prepared. Many thanks to by Paul Looker of Swinburne University for allowing us to republish these.
Building a cyber incident scenario into your Crisis Management Planning is key here. Typically, Members (quite rightly) focus on physical events in their crisis management planning and build up communication plans around these.
While physical incidents can be over quickly or within a day or two, cyber incidents can go on for days or weeks or months. Rehearsing for these potentially longer crises is critical, as communications plans can (at least early on in the crisis) be very ‘light on’ in terms of knowledge as to the actual cause and how long the incident may endure.
Proactive communication and transparency are key in maintaining support through an incident like this, as successfully demonstrated by ANU.
You must decide who is to be notified of what and then promptly reach out to students and customers, governments and regulators, staff, executive councils and boards, offering compensation if appropriate.
The key is that you are transparent and show that you are taking immediate action against any ongoing risks.
First of all, we need to consider who the threat actors might be. Possible threat actors could be competitors, organised crime, trusted insiders, state sponsored actors, script kiddies (average individuals seeing what they can discover), terrorists or hacktivists.
They may be targeting a broad range of information including:
To subscribe to Emerging Risk Reports or other Unimutual updates, please send your details to firstname.lastname@example.org or follow us on LinkedIn for notifications.
Find our past resources on cyber security here.
Find Unimutual Cyber incident Notification and Claims Protocol here