This week has been a whirlwind of media related to the Australian National University hack and data breach, which involves around 200,000 past and current staff, students and visitors and data spanning 19 years. You may have come across my articles in the ABC, SBS and Business Times China, which cover some of my initial insights on this topic.
I have had a lot of people asking "why" about a number of aspects of this event, so I thought I would cover those questions here and give my insights.
While this attack has been quite large, breaches like it happen regularly. Verizon's 2018 Data Breach Investigations Report counted 53,308 security incidents and 2,216 confirmed data breaches, drawn from 67 contributing organisations across 65 countries.
Question: Why are they keeping 19 years' worth of data, not just about active staff, students and visitors but also about people from the past who no longer have any involvement with ANU?
My best guess would be that it is convenience: with storage this cheap, it is far easier to just store everything than to ever archive or delete old data. The cost shows up later, because every record that was never deleted is a record an attacker can take.
They may also see it as useful: if a past staff member, student or visitor returns to the University, their history can be dug up and their account reinitialised more easily.
The worst-case scenario is that they simply never saw a need to delete or archive it, or forgot it was there.
Question: How could this have happened?
The reality is that there are a number of ways this could have occurred. My guess at this stage would be a sophisticated remote code execution exploit such as BlueKeep (CVE-2019-0708), described in its CVE entry as:
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
Why would I lean towards BlueKeep? Because on June 4th, 2019 the NSA took the unusual step of issuing its own advisory urging everyone to apply Microsoft's patch (released on May 14th, 2019) as soon as possible, which tells you how seriously a wormable, pre-authentication RDP bug is being taken. Where the patch cannot be applied, Microsoft's listed workaround is to enable Network Level Authentication (NLA), which forces a client to authenticate before the vulnerable code path is reached, with the caveat that an attacker holding valid credentials could still trigger it.
However, it could be any number of other exploits; I detail many of them, such as 'Double Kill', in my other article linked here.
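One check a practitioner would want before worrying about BlueKeep is whether a host is even reachable over plain RDP without Network Level Authentication, since a server that enforces NLA refuses an unauthenticated client before the vulnerable pre-authentication code path is reached, while TLS alone does not. The following Python script is an added example written for this page, not code from the original article or from ANU; it builds the X.224 Connection Request that every RDP client sends first, asking only for standard RDP security, and interprets the server's Connection Confirm. The three sample responses at the bottom are constructed by hand (no real host was probed) so the script runs offline; `probe()` is the only part that touches the network and the host name passed to it is whatever you are authorised to test.

```python
import socket
import struct

# Security protocol values and negotiation PDU types from MS-RDPBCGR
PROTOCOL_RDP = 0x00000000      # standard RDP security: no NLA, unauthenticated client reaches the RDP stack
PROTOCOL_SSL = 0x00000001      # TLS, but still no authentication before the RDP connection sequence
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication (NLA)
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ.

    Requesting only PROTOCOL_RDP is the useful probe: a server that enforces
    NLA must refuse it with HYBRID_REQUIRED_BY_SERVER.
    """
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR body: code 0xE0 (CR), DST-REF, SRC-REF, class/options, then the negotiation request
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack(">B", len(x224_body)) + x224_body          # length indicator first
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224        # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Parse the server's TPKT + X.224 Connection Confirm into a small dict.

    negotiation == "absent"   legacy server, no RDP_NEG_* payload: standard RDP security only
    negotiation == "response" RDP_NEG_RSP: selected_protocol is what the server chose
    negotiation == "failure"  RDP_NEG_FAILURE: failure_code / failure_name say why it refused
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes received" % (tpkt_len, len(data)))
    length_indicator = data[4]
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % data[5])
    if length_indicator == 6:
        return {"negotiation": "absent", "selected_protocol": PROTOCOL_RDP}
    if length_indicator != 14:
        raise ValueError("unexpected X.224 length indicator %d" % length_indicator)
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad RDP negotiation length %d" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"negotiation": "response", "selected_protocol": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN_0x%x" % value)}
    raise ValueError("unexpected RDP negotiation type 0x%02x" % neg_type)


def assess(result):
    """Turn a parsed Connection Confirm into a one-line exposure verdict."""
    if result["negotiation"] == "failure":
        if result["failure_code"] == 0x05:
            return "NLA enforced: unauthenticated clients are refused before the RDP stack is reached"
        if result["failure_code"] == 0x01:
            return "TLS required but NLA not enforced: unauthenticated clients still reach the RDP stack over TLS"
        return "standard RDP security refused: " + result["failure_name"]
    if result["selected_protocol"] == PROTOCOL_RDP:
        return "standard RDP security accepted: unauthenticated clients reach the pre-authentication RDP code path"
    return "server selected protocol 0x%x" % result["selected_protocol"]


def probe(host, port=3389, timeout=5.0):
    """Send the probe to a live host and return the verdict. Only use against systems you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return assess(parse_connection_confirm(sock.recv(1024)))


# Constructed sample responses (hand-built for this example, not captured from any real host),
# as a server would answer a request for PROTOCOL_RDP only. DST-REF 0, SRC-REF 0x1234.
X224_CC_HEADER = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
SAMPLE_NLA_REQUIRED = X224_CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 0x05)
SAMPLE_STANDARD_RDP = X224_CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP)
SAMPLE_LEGACY_SERVER = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"

if __name__ == "__main__":
    for name, sample in [("NLA required", SAMPLE_NLA_REQUIRED),
                         ("standard RDP", SAMPLE_STANDARD_RDP),
                         ("legacy server", SAMPLE_LEGACY_SERVER)]:
        print("%-14s -> %s" % (name, assess(parse_connection_confirm(sample))))
```

A verdict of "standard RDP security accepted" on an internet-facing host is the exposure to fix first, by patching and enabling NLA. The probe only tells you whether NLA is enforced; it does not tell you whether the BlueKeep patch itself is installed, so a host that enforces NLA still needs patching against an attacker who already holds credentials.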
A report by Recorded Future gives an insight into the top cybersecurity vulnerabilities exploited from January 1st to December 31st, 2018, covering everything from exploit kits to trojans and phishing attacks. Aside from a number of concerning statistics, one figure highlights the sheer volume of tooling available for exploiting systems: 35 new remote access trojans were released in 2018.
Question: What will happen with my data?
Any number of things could happen with your data. When we look at what was stolen, as stated in ANU's media release quoted below, it is all critical personal data.
My best guess, supported by Verizon's 2018 research finding that "76% of breaches were financially motivated", is that this data will be used to steal identities, open credit cards and cause all kinds of financial chaos.
Depending on the information you have provided to the University, this may include names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed. -ANU Vice Chancellor
Some other experts in the field believe it could be used to influence or "groom" past ANU students who end up working for the Government, as many of ANU's graduates reportedly go on to government careers. It seems like a stretch, but stranger things have happened.
The 'Dark Web'?
We have seen data like this end up for sale on the 'dark web'. It is a popular place for criminals to sell stolen data such as ANU's because it is harder for law enforcement to track: dark web sites "are not indexed or searchable, like other parts of the internet".
A 2017 example was Australian Medicare patient details (card numbers) offered for sale at $39 each; it was reported that those details could be used by "criminals to purchase drugs and lease or buy houses or cars". Nobody has yet found the ANU data on there, though it could still be there undiscovered. For the moment, at least, it does not look like this is the avenue for the stolen data. Here is what a dark web listing looks like, from the sale of the Medicare cards (image courtesy of The Guardian).
Question: Who could be responsible?
I am not going to make any claims on this, as nobody knows and ANU has released nothing concrete.
Many experts in the media are pointing at China as a potential culprit. Be careful with that: elite hacking teams bounce through compromised machines, VPNs and proxies around the world before touching a victim system; they do not just log in from their own laptop and go about their hacking. Nor does the source address you observe prove much: the last hop can be chosen precisely so the traffic appears to come from China when the operators are somewhere else entirely.
My best guess would be the Iranian hacking group Cobalt Dickens, tied to the Mabna Institute, because in 2018 it was reported that they stole information from 76 universities across 14 countries (including the UK, USA, Canada, China and Switzerland).
So my advice to the experts saying it is likely China: be careful, the more likely culprit may be someone else or another group entirely.
I will update this article as new information emerges. To sum up: time will tell what happens with all this data. It is a nightmare for everyone involved, and I hope nothing serious comes of it. We are yet to see any sign of who has it or where it will end up; a deal may already have been done on the black market, or the thieves may be analysing it to see what they have before making a move.
If you are one of those 200,000 people, your data is stolen and it's in the wind (and that won't change, even if a ransom demand turns up). What you can do in the meantime is increase your personal defences and take control of your personal data. The following tips may help:
You can also listen to my appearance on ABC Canberra radio's 'Drive' program on 7/6/2019 at this link; fast forward to 15 minutes.