FAQs - October 2019

2 October 2019

The below FAQs were published on Wednesday 2 October 2019.

Report FAQs

What information was taken?

The Enterprise Systems Domain (ESD), which houses the University's human resources, financial management, student administration and enterprise e-forms systems were breached.

It is not possible to ascertain with accuracy what data was taken specifically from these systems. Data taken was from systems that contain the following information:

Names
Addresses
Phone numbers
Dates of birth
Emergency contact details
Tax file numbers
Payroll information
Bank account details
Student academic results

The analysis of log data suggests that the quantity of data stolen from ANU systems is considerably less than 19 years' worth, as originally reported, and will only likely affect a subset of our community.

Unfortunately due to the counter forensic measures employed by the actor it is not possible to determine what data was specifically taken nor is there sufficient evidence to speculate on the potential motivation for the attack other than to say it was a targeted campaign.

The student admission system was not breached. If you are a student who applied but did not enrol, your data is not included in the breach.

Systems that store credit cards, travel arrangements, police history checks, workers' compensation, some performance development records or medical records have not been affected. The alumni database was not breached.

We continue to work with Australian government security agencies and industry security partners to determine the extent of the data breach. We'd encourage all in our community to undertake the security measures advised by the Chief Information Security Officer as outlined in the advice on the website.

How much data was taken?

We aren't able to determine exactly how much data was taken. This is due to the way in which data was removed from ESD and because of the actor's clean-up operations, which left very little evidence of their activities.

However, our investigations have shown that the amount of data is far less than the University first calculation when publically announcing the breach on 4 June 2019.

While the actor had access to data up to 19 years old, they took far less than 19 years' worth of data.

How do you know this?

Investigations of log times and the rates at which data was taken from ESD have confirmed the above information.

Analysis of volumes and time periods of data extraction activities took place. This is not a precise calculation but it gives a reasonable indication of magnitude.

Was sensitive personal information or data taken?

Data of a sensitive nature and/or pertaining to vulnerable individuals, including medical records, counselling records, academic misconduct and financial hardship for example, were not accessed or removed from the ANU network.

How did the actor access the University's systems?

This was an extremely sophisticated and targeted operation which used a range of tactics, techniques and procedures during a short but highly orchestrated campaign.

The forensic evidence still available to us shows the initial means of infection was a spear-phishing email.

There were four spearphishing attempts (19, 26, 29 November and 21 December).

What's a spearphishing email and how did that enable this breach?

Spear-phishing emails mimic legitimate mail and are designed to steal credentials or enable the installation of malware.

In this case, the actor used a spearphishing email to access an ANU staff member's credentials which then helped them gain access to the wider ANU network.

This email did not require any interaction, like downloading a document, clicking on a link or opening the email. Previewing the email was enough to deliver malware.

What did the actor do while in the ANU system?

The actor used a number of techniques to access the University's Enterprise Systems Domain (ESD) - which houses human resources, financial management, student administration and e-forms.

This included creating two "attack stations" - one on a compromised legacy server and the other on a workstation. This allowed the actor to map the ANU network, locate the servers hosting ESD and eventually gain access to those systems.

Stolen data from ESD systems was taken out of the ANU network through a compromised workstation in a school.

How and when did the actor gain access to the ANU network?

The actor sent the initial spearphishing email on 9 November 2018. This gave them access to a staff member's calendar for social engineering, and possibly their credentials. This was the first step in gaining access to the wider ANU network.

The actor then compromised a webserver between 12 and 14 November. This allowed them to undertake "command and control" operations to set up infrastructure and tools used during their campaign and the eventual attack on ESD.

Operations in the ANU network took place from that time, with the actor first gaining access to ESD via the first attack station on 27 November.

The actor lost the first attack station and was cut off from ESD on 30 November due to a planned firewall change.

The actor then established a second attack station, regained access to ESD and took data from those systems between 13 and 20 December.

ANU detected the second attack station on 21 December and removed it from the ANU network that same day.

Between 21 December 2018 and March 2019 the actor temporarily gained access to a web server but was unsuccessfully in using this as a means of getting further into the network.

This was most likely another attempt to gain access to ESD.

There is also evidence of command and control activities by the actor between January and 4 March 2019 - their last known activity.

Note: no data was removed from ESD or the broader ANU network during this period or since.

When was the breach first detected?

First indications of an intrusion were detected in April 2019. Note: an intrusion is like noticing someone has been in your house.

A breach was first detected on 17 May 2019 and the Vice-Chancellor was informed that same day. Note: a breach is like noticing someone has been in your house and that they've taken something.

How was the breach first detected?

The actor's intrusion was detected during a planned threat hunt.

This started an investigation which confirmed a breach on 17 May 2019.

Does that mean the actor was in the University's network between November 2018 and May 2019?

No. The actor's total time undetected on the ANU network was about six weeks, with most malicious activity finished by mid-December 2018.

Activity outside of this time period were attempts by the actor to gain access to ESD or low-key probing activities.

Why was there so much time between the actor's access and detection of the breach?

The actor used a range of tactics, techniques and procedures to evade detection by the University's cybersecurity systems. At the time, the University was still rolling out some of its safeguards.

For example, they spent a short time on the ANU network; they identified and anticipated detection systems in order to evade them; evolved their techniques during the campaign; used custom malware; and undertook regular and frequent clean-up operations to cover up their tracks, dismantled their infrastructure and left few traces of their entire campaign.

Why did ANU only tell people about the breach on 4 June 2019?

After confirming the breach on 17 May 2019, the University had to undertake additional security measures before publically announcing the breach to prevent secondary attacks, as well as further efforts by the actor to regain access to ESD.

Were there secondary attacks?

Yes.

The University stopped a further intrusion attempt within one-hour of our public announcement on 4 June 2019, and another intrusion attempt the following day.

Who attacked and why? What was the actor's motivation?

We don't know.

However, it is clear their sole aim was to penetrate the University's human resources, financial management, student administration and enterprise e-forms housed in ESD.

Why did they target this data?

ESD contains a high volume of personally identifiable information. From a cybersecurity perspective, this data would be highly valuable to hackers and could be used for ID fraud or other malicious activities.

Have you detected ID fraud?

No.

The University continues to scan online sources for evidence of stolen data being traded, used illegally or in manner that may harm our community. To date, there is no evidence of such activity.

The University will continue to scan online sources and advise our community if we find evidence of such activity.

Did they take IP or research information or data?

No. The actor completely bypassed ANU systems holding this information. Our forensic evidence shows they had no interest in this information.

Is this breach connected to the data breach reported in May 2018?

No.

There is no correlation between the two events. Our investigations show they are also two very different operations in both scale and sophistication.

Note: no data was taken in the May 2018 breach.

What are you doing to stop this from happening again?

The University has heavily invested in and increased its technical cybersecurity efforts since the May 2018 breach.

In addition, the University is investing in training and enhancing cybersecurity knowledge, awareness and actions among its own community.

We also continue to work with relevant Australian Government security agencies and leading industry partners.

Will this report be looked at by the Foreign Interference taskforce?

The University will make this report available to the taskforce as an example of the contemporary cybersecurity challenges faced by Australian universities and other organisations.

General FAQs

What do I need to do?

You should follow the protection measures outlined in the Chief Information Security Officer's advice emailed on 4 June, which is available on the ANU website.

Has any of my information been altered?

At this stage, we only have evidence that data was stolen. No data was altered.

Should I be concerned about my personal safety as result of this data breach?

We don't believe there is a risk as a result of this data breach. However, as usual, you should be alert to any suspicious activity, emails or phone calls and report anything unusual to the ANU Security on 02 6125 2249. If you are worried about your immediate safety, you should call 000.

I have a very personal reason to be concerned about my data being compromised, who can I contact to discuss this privately?

Anyone with concerns about their data can contact 02 6125 2981 or email helpline@anu.edu.au and you will be directed through to a University staff member who will be able to assist with your enquiry. This service is confidential.

How can I know my data is safe? Why should I continue to give you my personal data?

The security and integrity of your personal data is a very high priority for ANU. It is regrettable that a malicious actor was able to steal some of this data. ANU has assessed, based on forensic findings contained in the report, where we can add further safeguards to your data to prevent this from happening again. Many of these safeguards are in place including the encryption of all stored personally identifiable information (PII) held in our human resources, finance and student administration systems.

ANU recognises the inherent risk posed by threat actors to any Internet connected system. It is with this in mind that we have increased the vigilance of our detection systems and continue to invest heavily in cybersecurity capabilities and expand security coverage of systems. This investment has been successful in stopping other attacks and assisted greatly in the detection of the data breach.

In addition, ANU is examining ways to further de-risk data we hold, in particular PII data. In addition to encryption safeguards, ANU is rolling out two-factor authentication and remediating legacy devices in our networks. We are also hardening email systems and have begun a phased approach to blocking macros - in line with ASD's Essential eight mitigations.

Building on the work and investment to date, ANU will soon be embarking on a multi-year information security strategic program. Under this program the University will be creating a cybersecurity operations centre which will monitor our network and continue the regular threat hunting that found breach. The CSOC will also help train the next-generation of cyber specialists in collaboration with the ANU Cyber Institute which will bring together world class practitioners and researchers. The strategic program will also focus heavily on building a safe, trusted and resilient digital ecosystem which at its core will emphasise and drive positive security culture.

Was information in my ANU email account accessed?

No.

The actor attempted to disable the University's spam filter but were unsuccessful.

I'm upset about this and my study will be affected. How can I access special consideration?

The normal procedures for special consideration apply. Those details are available here: https://www.anu.edu.au/students/program-administration/assessments-exams/special-assessment-consideration.

Where can I go for counselling support?

Student Assistance:

ANU Crisis Student Support Line
Phone (voice calls only): 1300 050 327
SMS text message service 0488 884 170
https://www.anu.edu.au/students/health-safety-wellbeing
Employee Assistance

Employee Assistance:

Employee Assistance Hotline - 1800 808 374
https://services.anu.edu.au/human-resources/wellbeing/employee-assistance-program

External Support Services are also available

Lifeline - provides 24/7 telephone counselling - 13 11 14

What do I do if I think there has been suspicious activity with my tax file number?

Please contact the Australian Tax Office and report any suspicious activity. Advice from Government about protecting your personal data can be found here: https://www.oaic.gov.au/individuals/data-breach-guidance/what-to-do-after-a-data-breach-notification#tax-file-number-information.

The Australian Tax Office has been informed about the data breach and provided relevant information to help protect accounts.

Can I confirm whether my personal records have been accessed?

We believe that significantly less than 19 years worth of records have been breached. Please refer to the advice on protecting your personal data.

The amount of data stolen is significantly less than the University first assumed when announcing the data breach on 4 June 2019. As such, the amount of individuals potentially affected is low.

In addition, from our investigations we have no evidence of misuse of any stolen data to date.

I am concerned my passport information is not safe, what should I do?

Call DFAT on 131232, or contact your passport issuer. You can also contact IDCare - phone 1300 432 273, web form https://www.idcare.org/contact/get-help.

Was WATTLE affected?

WATTLE (the teaching and learning environment) was not affected.

I am concerned about my Tax File Number being accessed - what should I do?

The University has notified the ATO about the data breach and providing the ATO with details of all tax file numbers (TFNs) so they can be monitored for any unusual or suspicious activity.

You can also contact the ATO Client Identity Support Centre on 1800 467 033 (between 8.00am-6.00pm Monday to Friday) to notify them that your TFN may have been accessed by an unauthorised third party. The ATO can apply security measures that will monitor your TFN for any unusual or suspicious activity on your account.

The Client Identity Support Centre is a support service for taxpayers who have had their identities stolen or misused. They will give you information, advice and assistance to re-establish your identity.

https://www.ato.gov.au/General/Online-services/Online-security/Protective-measures-for-individuals-following-a-data-breach/

Why can't ANU delete my records from the ANU systems?

The University is required to retain information in compliance with legislative requirements. You can request that the information is corrected if it is incorrect. The information is disposed of in accordance with the National Archives legislation.

You can access the University's Privacy Policy here: https://policies.anu.edu.au/ppl/document/ANUP_010007

You can access the University's Records and archives management here: https://policies.anu.edu.au/ppl/document/ANUP_001233

I am worried about identity fraud or theft as a result of the data breach. What should I do?

To the best of our knowledge, no data stolen as part of the breach has been used maliciously; however we do understand concerns about identity fraud or theft, so the University has procured the services of IDCARE.

IDCARE's Identity & Cyber Security Counsellors are available to provide anonymous and tailored advice and response information free of charge. IDCARE will also facilitate any interactions you may need with any relevant organisations or agencies needed to place further safeguards on your data.

Please contact the ANU help line on 02 6125 2981or helpline@anu.edu.au if you wish to engage IDCARE. The ANU team can provide you with the relevant code and contact details for the University's subscription.

IDCARE recommends the following actions to reduce the risk of identity theft.

Contacting your financial institution to advise them of the breach and to discuss any additional protection they can provide;

Monitor financial transactions since November 2018, for any suspicious or unexplained behaviour;

Request a copy of your credit report from an national credit reporting organisation to see anyone has initiated a credit application;

Ensure you have two-factor authentication on your online accounts including banking; and

Be extra vigilant when receiving unsolicited emails, phone calls and text messages and avoid providing personal and financial information if requested.

What are some of the changes ANU will be implementing to prevent further data breaches?

The University will be undertaking a number of activities to raise cyber security awareness and further tighten our security systems. Some of these measures include: