Inside a massive cyber hack that risks compromising leaders across the globe


The hack on a prestigious Australian university with far-reaching international implications.

One email was all it took for hackers to steal some of the most personal information from people potentially now in high-ranking roles across the globe.

The cyber attack was so sophisticated it didn't even need the person to click on a link or open a document to compromise decades' worth of private information.

The email was sent to a senior staff member at the Australian National University (ANU) in November last year.

A person working closely with that staff member previewed the email before deleting it — but it was too late.

Merely previewing the email was enough for hackers to steal a username and password that opened the first door into the ANU network.

This wasn't the first time ANU had been hacked. An earlier cyber attack in 2018 had given ANU what its leader called a "wakeup call", but that awakening ultimately failed to protect the university from what came next.

"It was an extremely sophisticated operation … they were on a mission … the A-team was clearly brought in in this case," ANU vice chancellor Brian Schmidt told the ABC as he released a report into the hack.

"This report shows we could have done more."

How it happened

Spear phishing attack one

Remember the Nigerian prince scams from the 1990s? Spear phishing emails are far more targeted messages that look like they come from a real person. No princes were on offer in the email sent to the senior staff member at the ANU. The email was previewed by one of their colleagues, who had access to their inbox, and that alone allowed the hackers to copy the senior staff member's username, password and calendar.

Creation of attack station one

The details stolen on November 9 were used by hackers to gain control of a section of the ANU computer network known as "attack station one". To ensure their break-in wasn't discovered, the hackers meticulously covered their tracks by deleting logs that showed what they'd done. They also used software called Tor, which disguised where they were operating from.
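The report describes attackers deleting the logs that recorded their activity. One defensive response is to watch the logs themselves for signs of tampering rather than only for the attacker's actions. The following is an added example, not code from the ANU report or the university; it runs three simple checks over constructed sample log lines in a hypothetical key=value format: an explicit "log cleared" event (Windows Security event ID 1102 and System event ID 104 are the real identifiers for that), a per-host sequence number that goes backwards or resets, and an unusually long silence from a host that normally logs steadily. The host names, users and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the ANU investigation). The format is
# hypothetical: ISO timestamp, host, a per-host sequence counter, event ID, message, user.
SAMPLE_LOGS = """\
2018-11-09T09:00:00 host=ws-17 seq=1001 event=4624 msg="logon" user=jdoe
2018-11-09T09:05:00 host=ws-17 seq=1002 event=4688 msg="process created" user=jdoe
2018-11-09T09:30:00 host=ws-17 seq=1003 event=4624 msg="logon" user=svc-backup
2018-11-09T13:10:00 host=ws-17 seq=1004 event=1102 msg="audit log cleared" user=svc-backup
2018-11-09T13:10:05 host=ws-17 seq=1 event=4624 msg="logon" user=svc-backup
2018-11-09T09:00:00 host=db-02 seq=500 event=4624 msg="logon" user=dba
2018-11-09T17:00:00 host=db-02 seq=501 event=4624 msg="logon" user=dba
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) seq=(?P<seq>\d+) event=(?P<event>\d+) '
    r'msg="(?P<msg>[^"]*)" user=(?P<user>\S+)$'
)

# Real Windows event IDs: 1102 = "The audit log was cleared" (Security log),
# 104 = log cleared (System log). Any other source would use its own IDs.
LOG_CLEARED_EVENTS = {"1102", "104"}


def parse(lines):
    """Parse the hypothetical format into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["seq"] = int(rec["seq"])
        records.append(rec)
    return records


def find_tampering(lines, max_silence=timedelta(hours=6)):
    """Return (kind, host, ...) tuples for events that suggest log tampering.

    kinds: "log_cleared"    - an explicit clear event was recorded
           "sequence_reset" - the host's counter went backwards (log recreated or truncated)
           "silent_gap"     - no events from the host for longer than max_silence
    """
    findings = []
    last_by_host = {}
    # Sort per host, then by time, so the checks work regardless of collection order.
    for rec in sorted(parse(lines), key=lambda r: (r["host"], r["ts"])):
        host = rec["host"]
        if rec["event"] in LOG_CLEARED_EVENTS:
            findings.append(("log_cleared", host, rec["ts"].isoformat(), rec["user"]))
        prev = last_by_host.get(host)
        if prev is not None:
            if rec["seq"] <= prev["seq"]:
                findings.append(("sequence_reset", host, rec["ts"].isoformat(), rec["user"]))
            elif rec["ts"] - prev["ts"] > max_silence:
                findings.append(("silent_gap", host, prev["ts"].isoformat(), rec["ts"].isoformat()))
        last_by_host[host] = rec
    return findings


def run_sample():
    """Run the checks over the constructed sample above."""
    return find_tampering(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The checks only work if the log records leave the host before an attacker can touch them, which is why the "silent gap" rule matters: forwarding to a separate collector in near real time turns a deleted local log into a visible hole in the central copy, whereas a log that is only read locally can be wiped without trace. The six-hour threshold is a placeholder; it should be tuned per host class from the normal event rate.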

Network map copied

The hackers wanted an overall view of how ANU's computer network operated. Imagine a large map, showing how everything connects. They emailed those details to external addresses by using an old ANU mail server that didn't need login details to send messages.

Second spear phishing campaign

The hackers targeted 10 people at ANU, sending them an email with an attachment, inviting them to attend an event at the university. The hackers also accessed a directory that houses usernames, emails, phone numbers and titles of staff, allowing them to understand roles and responsibilities within the university. This information assisted the hackers in determining who to send the next spear phishing email to.

Data taken

The hackers reached what they considered to be the pot of gold, the university's enterprise systems domain (ESD). It holds human resources, finance and student administration databases, containing tax file numbers, student academic records and personal details, including dates of birth and addresses. The investigation could not determine how much of this data was stolen or if the hackers targeted certain people. It found the hackers passed valuable research and intellectual property on the way to the ESD but didn't take anything from those databases.

Third spear phishing campaign

Dozens of emails were sent to ANU addresses and the hackers gained the username and password of at least one network administrator who had keys to open other doors within the computer network.

Hackers kicked out

The hackers were working to clean up their tracks when ANU launched planned maintenance, effectively kicking them out of the system. The hackers were intent on pushing down the door again, and made several attempts to get back in.

Hackers back in and data stolen

The hackers found a different door that the university had not put proper protections on. It appears they were setting up with the intention of staying for some time. The hackers also took further data from the ESD.

Fourth spear phishing campaign

The hackers were desperate for more information and sent an email with an attachment to 40 ANU staff who held the keys to a number of sections of ANU's computer network. The group were IT staff: some clicked on the attachment, but others recognised the email for what it was and had it removed.

Hackers kicked out again

The second attack station was found and removed. The hackers have tried several times since to enter the network via different doors but have not been successful in removing further personal data.

Hackers try their luck again

Repeated attempts were made by hackers to gain access to ESD but were denied. After ANU announced the data breach, investigators believed the same group tried again to enter the network.

The faceless keyboard warriors behind the hack

The ANU suspects up to 15 people were involved in the hack.

The cyber attack was so sophisticated it's left the nation's leading security experts shocked.

"The fact it took us six months to find that they had been here … we were pleased that we were even able to find them," Professor Schmidt said.

The investigation didn't determine who was behind the attack, but the vice chancellor has outlined who could be the potential perpetrators.

"There are a whole bunch of countries that can do it, it's not one or two countries, it's probably dozens of countries," he said.

"Organised crime potentially has the ability to do it and certainly all of these groups going forward are going to have more and more capabilities."

The ANU has refused to single out any one country.

But Tom Uren, a senior analyst with the Australian Strategic Policy Institute (ASPI), said the evidence pointed to one suspect.

"It's likely to be China, frankly, they've got strong interests in Australia for a number of different reasons," he said.

"We're part of the Five Eyes alliance so there's a relationship with American military and intelligence. Canberra is the heart of government and there's many students at the ANU that go on to work in government.

"Plus, there's also a lot of Chinese students who come to Australia to study and one theory that's been told to me is that perhaps the Chinese Government wants to keep tabs on what its students in Australia are doing as well."

The report has been handed to a university foreign interference taskforce, which Education Minister Dan Tehan established in August to provide better protection for universities against foreign interference.

The theft of personal information

The hackers left very little evidence for investigators to sift through, having regularly wiped logs, disk and files.

They bypassed ANU systems that held intellectual property and research information, instead targeting the database that held personal details of current and former staff and students.

What was stolen:

• Names

• Addresses

• Phone numbers

• Dates of birth

• Emergency contact details

• Tax file numbers

• Payroll information

• Bank account details

• Student academic records

Investigators couldn't determine what was taken or who was affected because of the attackers' ability to erase the evidence of their work and encrypt the files they stole.

The database holds 19 years of records but the investigators believe the hackers only took a fraction of the available data.

There is no evidence that the information has been used by criminals for identity fraud.

Analyst Tom Uren said China had a reputation for building and keeping profiles of people of interest.

"One possibility is that they're using it to just keep tabs on their own students," he said.

"Another theory is that they're trying to find a pool of potential people that they could cultivate later.

"A third possibility is that they're just looking for people who are in government currently and are trying to find more about them."

The investigation didn't determine the motivation of the hackers, but Professor Schmidt pointed to the type of people studying and working at ANU.

"Universities are places that the future leaders of our country, of other countries, are going to be," he said.

"We are obviously a place of interest to people who want to break in and hack but as to the overall motivation, I'm scratching my head."

The wakeup call

The details of the six-week long hack are outlined in a report released by the ANU, which Professor Schmidt said was the first time a public institution in Australia has issued such a comprehensive account of a cyber attack.

The ANU report provides insights into how the hackers worked but still leaves many questions unanswered, including the exact details of what was stolen and the number of victims.

"In 2019, the world is making a transition where cyber issues are going to actually be part of daily life from here on out," the vice chancellor said.

"It's important for other universities and other institutions and businesses just to see what one of these things look like because they are going to have to face up to them themselves."

The university is spending millions upgrading its computer network to better safeguard against future attacks.

However, the Australian Cyber Security Centre warns a computer network is never 100 per cent secure in the face of a growing industry of hackers keen to steal information.

It wants all Australians, from individuals to organisations, to take the threat seriously and ensure they're adequately protected.

Mr Uren is pleased the ANU has disclosed the details of the hack and hopes it prompts other organisations to disclose the details of hacks they fall victim to.

"Every time a plane crashes there's an investigation to find out what the cause is," he said.

"This is the equivalent of that investigation, people can learn from this report, see how they compare and take steps to improve their own posture."

Credits:

Reporter: Stephanie Borys

Design and illustration: Emma Machan

Developer: Andrew Kesper
