Cyber-attacks are something of a nightmare risk for most of our Members. Unfortunately, one of our own, the Australian National University, recently fell victim to a cyber-attack and following this has released an in-depth report about the incident in order to educate and warn fellow educational institutions and businesses of the shockingly sophisticated techniques used in the attack. ANU handled this attack in a swift and decisive manner and has generously published an incident report to help educate others. We encourage all our Members to take the time and read this report and then use the information to improve our own protections and cyber crisis handling plans.

What happened?

In late 2018, a sophisticated actor launched an attack on ANU, and gained access to the Enterprise Systems Domain (ESD) which contains confidential information about student administration, financial management, and human resources. This breach allowed the unknown party to steal an unknown quantity of information

The criminal gained access through ANU’s cyber defence both via people and processes, as well as several technical vulnerabilities. These weaknesses have now all been shored up, or a remediation plan put into place for the more complex issues.

ANU defines the attack by its high degree of operational security, involving file and log erasure to cover the actor’s tracks, as well as the sophisticated measures taken by the actor to defeat forensic analysis and hide activity.

The attack launched at first with spearphishing emails to try and gain the login credentials of an administrator or someone with access to targeted systems. A senior staff member received this email and did not click on or open the window, only previewing it before deleting the email. The malicious code in the email did not require more interaction from the staff member in order to steal their login credentials as well as access their calendar.

All emails sent by the actor appeared legitimate in nature and used further information, including from the calendar, in order to create believable emails. With each extra piece of information, the actor found it easier to gain the next login credentials and further access to the network. While ANU cannot determine how much information was taken, it believes that the focus was on personal information.

In late November 2018, ANU implemented a routine firewall change which removed the actor. The actor however, immediately began activity to get back into the network, and successfully regained access after two weeks. ANU was able to detect the next spearphishing campaign and remove the actor again. There were several more intrusion attempts following this, until March 2019 which is the last known activity by this actor.

Full details of the attack and the steps which ANU have taken can be found in the full report here.

What steps should you take to prepare for a similar cyber-attack?

As risk management professionals we love being prepared. Here are some tips below for how best to be prepared. Many thanks to by Paul Looker of Swinburne University for allowing us to republish these.

Have a plan for effective communication through a cyber incident

Building a cyber incident scenario into your Crisis Management Planning is key here. Typically, Members (quite rightly) focus on physical events in their crisis management planning and build up communication plans around these.

While physical incidents can be over quickly or within a day or two, cyber incidents can go on for days or weeks or months. Rehearsing for these potentially longer crises is critical, as communications plans can (at least early on in the crisis) be very ‘light on’ in terms of knowledge as to the actual cause and how long the incident may endure.

Proactive communication and transparency are key in maintaining support through an incident like this, as successfully demonstrated by ANU.

You must decide who is to be notified of what and then promptly reach out to students and customers, governments and regulators, staff, executive councils and boards, offering compensation if appropriate.

The key is that you are transparent and show that you are taking immediate action against any ongoing risks.

Check that you have the basics in place:

• Alignment to appropriate standards which may include ISO27001, COBIT, Australian Signals Directorate cyber security principles and guidelines and more;
• Current state assessment is performed of threat actors, cyber security risks, and existing controls. Perform a gap analysis, develop and execute a remediation plan;
• Identify which control improvements will mitigate the highest rated of the identified risks, and prioritise those;
• Common cyber risk language is agreed and used;
• Cyber risk appetite and tolerance are agreed;
• Critical cyber assets are identified and prioritised;
• Preparations are made for cyber incidents;
• Regular patching, anti-virus, spam filters and firewalls are in place;
• Strong passwords, secure remote access, encryption;
• Role based access controls, monitoring, staff awareness;
• Backup strategy and schedule; offsite storage and recovery;
• Cloud security considerations are not ignored given the increasing proliferation of cloud services adopted by many organisations.

Find out what your organisation has by way of:

• Comprehensive monitoring – server / social media etc. & quick action;
• A trained and cross-disciplined Crisis Management Team (CMT);
• A succinct Crisis Management Plan (‘CMP’) with well understood roles and responsibilities;
• A very challenging cyber/data breach scenario that has been tested;
• Practice, practice, practice – using experts to really challenge the CMT in test scenarios;
• Media training for CMT – ensuring authentic, prompt messaging.

What are these hackers looking for?

First of all, we need to consider who the threat actors might be. Possible threat actors could be competitors, organised crime, trusted insiders, state sponsored actors, script kiddies (average individuals seeing what they can discover), terrorists or hacktivists.

They may be targeting a broad range of information including:

• Personal details including tax file numbers and bank account details;
• Medical details;
• Trademarks, patents;
• Commercially sensitive information or trade secrets;
• Government and military information.

Higher education specific threats can come in the guise of:

• Unauthorised modification of banking details;
• Phishing emails causing an email account to be hijacked, then the compromised account used to email other staff resulting in multiple employees being compromised. Learn how to spot phishing attempts here;
• University staff / students’ credentials being caught up in general data breaches worldwide;
• iTunes scams – universities have been an active target of these;
• Students ‘going rogue’ and attempting to hack or hold sensitive data for ransom;
• Misuse of university resources for crypto currency trading or any other inappropriate or unacceptable behaviour;
• Institutions that provide cyber resources (including bandwidth or storage) to third parties becoming a target for hackers;
• Researchers putting themselves at risk: institutions balancing the need to allow for academic freedom against exposing an institution to unacceptable risk.

To subscribe to Emerging Risk Reports or other Unimutual updates, please send your details to service@unimutual.com.au or follow us on LinkedIn for notifications.

Find our past resources on cyber security here.

Find Unimutual Cyber incident Notification and Claims Protocol here