ASIO said it knows the identity of the attacker behind a large breach of the Australian National University in late 2018 but is not in a position to publicly make that attribution.
Director-general of security Mike Burgess confirmed he knew who was behind the attack during a parliamentary inquiry into national security risks in the higher education sector.
“I do know who was behind it but I would not say that publicly because I don’t believe that’s my role to do so,” Burgess said.
“My organisation’s role is to identify threats and help reduce the harm from that.
“Public attribution of that is not for the director-general [of] security alone. There are many other factors that the government must take into account when they decide on how they deal with that particular problem.”
The Australian National University (ANU) was breached in late 2018, exposing 19 years of data; the attacker was able to stay undetected for six weeks.
The same university previously suffered a “significant” compromise in mid-2018, with an advanced persistent threat (APT) thought to be behind both attacks.
Burgess said he did not know who was behind another attack that is thought to have downed services at RMIT last month.
“I genuinely don’t know who that is at this stage because it’s not reached my level - not to say someone in my organisation is not working that problem,” he said.
Burgess’s comments came after Marc Ablong, deputy secretary for national resilience and cyber security at Home Affairs, had earlier said he was unaware attribution had even been established for the ANU attack.
“It has been referred to as an advanced threat actor but it hasn’t come to the point of specific deliberation or specification of the country involved,” Ablong said.
“That information has not been identified as yet.”
On RMIT, Ablong said that specifics “are still under investigation so we wouldn’t want to prejudice our ability to make any judgements about where that’s come from and who’s involved in it until such time as we’ve got the forensic information to be able to determine exactly what’s happened and when.”
“But we are aware of the attack and there are investigations underway,” he said.
Ablong did confirm that it is government policy to make attributions where certain criteria are satisfied.
“To the degree that there is specific, deliberate, identifiable, lawfully provable information, we would take a judgement - and it is a judgement - as to whether that actor should be identified,” he said.
Ablong said that in general the threat of cyber security attacks against the higher education sector in Australia “is very real”.
“It is getting a lot realer and a lot harder, even for very sophisticated organisations,” he said.
“It is only going to get worse.”
He said that “at least five different state actors” had the “level of capability” to carry out substantial attacks.
“A number of criminal enterprises” had similar capabilities or could buy or rent them from actors on the dark web, he continued.
He also said that changes to critical infrastructure laws, if passed, would put additional obligations on universities around cyber preparedness and systems.