The attacks reflect the shifting targets of cybercrime in Australia. The ABC and the Reserve Bank have both recently revealed attacks, while Melbourne University has confirmed that it suffered two major cyber incursions in the past 18 months.
Experts, including a former Australian Federal Police investigator, say the intensifying assault on universities is a reminder that no institution can expect to remain immune from cyber attack.
Alastair MacGibbon, who now runs CREST Australia, a not-for-profit group that certifies so-called ‘white hats’, friendly hackers deployed to test website security, says alarm bells have been ringing for some time.
“It would be churlish and naive to think that nation states haven’t been interested in Australian research institutions to find out about ground-breaking research in this country,” he told The Citizen.
Although some major attacks have received media coverage, many others have escaped public scrutiny. Their existence and frequency paint a picture of universities and other institutions under siege.
In October, Melbourne University was the subject of a data breach at the hands of hackers reportedly linked to “Anonymous”, a loosely affiliated and controversial network of internet activists.
The Black Hat
A hacker who breaks into systems or networks for self-interest or the interests of others, in most cases criminal organisations or nation states. Often motivated by fame, bragging rights, philosophical arguments and criminal intent.
The White Hat
Highly-skilled hackers known and identified who are invited to break into a website or system to help identify vulnerabilities. White hats operate according to a contract that stipulates terms, conditions and the scope of their work.
The Grey Hat
A combination of black and white. Willing to break the law as an act of activism or to draw attention. Will often alert the host after the attack, offering to repair the system. Hacking usually opportunistic.
In an operation dubbed Project WestWind, more than 120,000 staff records from leading universities across the world were uploaded to PasteBin, including the profiles of more than 500 staff from Melbourne’s engineering department. The attack was confirmed by Wayne Tufek, the university’s Manager of Internet Security and Risk.
“It occurred,” he conceded. “The information released was public facing and replicated information already on the website in terms of lecturers, specialisation and papers,” he said. Critically, the data was obtained via the hacking of the university’s systems.
A year earlier, an 18-year-old hacker called ‘st0rm’, who classes himself as a ‘grey hat’ – a hacker who gains access to servers through illegal means yet refrains in most instances from seeking financial gain – got access to 1302 logins at the university with an estimated 800 of these logins easily decipherable.
“I had access to four of the University of Melbourne’s domains,” he said in an interview with a Sydney radio station. “Anyone with knowledge about computers and a browser could do this: it’s not rocket science.”
The university classed the incident an opportunistic attack that was quickly remedied. “We enacted our incident response systems and prevented the incident from happening again or from escalating,” said Mr Tufek.
The hacking of Australian universities can be traced to at least 2004. Most cases are synonymous with ‘grey hat’ attacks.
Other notable attacks have occurred at Monash University in April 2011 when a hacker dubbed “yasser007” crashed the university’s website, replacing the home page with a picture of an Iranian flag in the shape of the nation’s borders.
While no commercial damage was done, Matthew Warren, who holds the chair in information systems at Deakin University, believes that such hacks are synonymous with “hactivists”, but underscore the risks facing universities from more sinister actors.
“The aims of those attacks were the defacement of the webpage, reporting of the attack in the media and an increase in the hacker status,” he said.
But the hacking of universities extends beyond Victoria with numerous incidents reported at prestigious universities north of the Murray.
Earlier this year, the University of New South Wales admitted that it had been victim to a “concerted attack” to breach its systems throughout December and January. In response, it had closed 25 servers and suspended a number of university accounts.
The university admitted via Facebook that its email lists had been compromised and subsequently closed. A hacker, self-titled “Anonymous”, had used the UWS mailing list to spam thousands of students and sign up many to commercial mailing lists prompting outrage across the campus.
“As a first year student who has only activated their UWS account a few days ago, 312 spam messages personally doesn’t give me a positive outlook for the next few years,” protested Jaymee Cheung on the UWS Facebook page.
These incidents highlight the security challenges faced by universities — namely, securing the confidential research data that may prove valuable for hackers with more sinister intentions.
“Universities store a lot of information and are a large network that is obviously a target, just like any other large organisation is,” said Jason But, senior lecturer in internet security at Deakin University.
“Private data could be useful and it would be good enough reason for people to try to break into systems and access that information, be that for identity theft purposes or bribery.”
The frequency and volume of cyber-attacks suggest that the confidential data held by universities is hugely valuable to those whose intentions go beyond identity theft, bribery, malware or internet activism.
“It’s a never-ending [fight] . . . we must keep on adjusting everything we do and enhancing both policies and procedures but also the technologies that protect the university and its information.” — Melbourne University’s Andrew Wilmore.
Four-out-of-five data breaches worldwide in 2012 utilised some form of hacking, with 98 per cent of those stemming from external agents, according to a report by US company Verizon Communications, which was prepared in co-operation with the US Secret Service and AFP, among others.
The report also shows that 28 per cent of data breaches from big organisations focused on the finance industry, 22 per cent on the information industry and 7 per cent on public administration.
The bandwidth and computer capabilities of Australian universities provide additional motive for hackers, beyond the value of research data.
“The average criminal hacker would be interested in the bandwidths of the pipes at Australian universities and the amount of damage that they could cause by using the university computers for their own nefarious ends,” said Crest’s Mr MacGibbon.
Despite this threat and the prevalence of data breaches, security experts claim local universities are adept at protecting information and take the responsibility very seriously.
“In some cases, Australian Universities probably take it a little too far in protecting some systems which should have limited access. They seem to block off more access than is required to be blocked off,” said Jason But.
But this endeavour didn’t dissuade the hackers of the University of Technology Sydney from goading authorities while hijacking its homepage last September.
“Dear Ugliest Tower in Sydney,” they wrote, according to a report in the Sydney Morning Herald. “Hire some staff who actually know what they are doing.”
The challenges for IT security departments are evolving and endless, acknowledges Andrew Wilmore, Director of IT Strategy and Planning at Melbourne University’s Information and Technology Services.
“It’s a never-ending journey and we must keep on adjusting everything we do and enhancing both policies and procedures but also the technologies that protect the university and its information”, said Mr Wilmore.