The hackers had gained access to up to 19 years' worth of data in the university's Enterprise Systems Domain (ESD), which houses its human resources, financial management, student administration, and "enterprise e-forms systems".
ANU's vice-chancellor and president, Professor Brian Schmidt, had committed to making the breach investigation public. This report more than delivers on that promise. It's a must-read.
"The perpetrators of our data breach were extremely sophisticated. This report details the level of sophistication, the likes of which has shocked even the most experienced Australian security experts," Schmidt wrote this week.
The report details how the attackers organised four separate spearphishing campaigns and built their data exfiltration infrastructure on compromised web servers and legacy systems.
"In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware, and demonstrated an exceptional degree of operational security that left few traces of their activities," the report said.
The attacker's tradecraft included:
Altering the signatures of more common malware to avoid detection
Assembling malware and some tools inside the ANU network after a foothold had been established. Individual components did not trigger endpoint protection
Downloading "several types of virtualisation software before selecting one"
Downloading disk images for Windows XP and Kali Linux, although "there is little evidence to suggest much use of Kali Linux"
Compiling bespoke malware within the ANU network to gain access to ESD. "The purpose of this code remains unknown, and no forensic traces of it or the executable file which was compiled from the code have been found at the time of this report," the report said
"The actor's use of a third-party tool to extract data directly from the underlying databases of our administrative systems effectively bypassed application-level logging. Safeguards against this happening again have been implemented," the report said.
The attackers even tried to maximise the effectiveness of their spearphishing efforts by attempting to disable the university's email spam filters, although "there is no forensic evidence to suggest that they were successful in this attempt".
ANU's analysis shows that the attackers exfiltrated much less data than the 19 years' worth that was originally feared, but does not show exactly what was taken.
"Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken ... We also knew the stolen data has not been further misused," Schmidt wrote.
"Frustratingly this brings us no closer to the motivations of the actor."
Even though the attacker had gained broader access, ANU said it's clear from the pathway taken that their sole aim was to penetrate ESD.
"There is no forensic evidence to suggest the actor accessed or displayed any interest in files containing general administrative documents or research data; nor was the ANU Enterprise Records Management System (ERMS) affected," the report said.
"It is worth noting that ANU was subject to further intrusion attempts within one hour of the public announcement and on the following day, both of which were stopped."
ANU has declined to attribute the attack to any particular adversary.
For years now, chief information security officers (CISOs) and others have been telling organisations to share cybersecurity information to improve their defences. But few do, except perhaps as secret squirrels within their own closed industry groups.
In the past, I've been highly sceptical about whether all this cyber collaboration talk would ever become cyber action. ANU has now set the example. Who will follow?
The quantum internet will require fast-moving data and the Australian National University believes it has found a way to measure information stored in light particles which will pave the way for a safe "data superhighway".