It's been compared to Ocean's Eleven - a cyber attack on Australia's top university, methodically planned and then adapted on the fly by an "A team" of hackers who cracked into the personal records of 200,000 students and staff and walked away leaving virtually no trace.
The operation was so slick investigators say they still do not know exactly how much data was taken or if it was the work of a foreign state, as suspicion hangs over China.
But it didn't go entirely to plan either. Now, after months of forensic analysis alongside government security agencies, the Australian National University has revealed it's likely the hackers "didn't get what they wanted" from its records after all. They were foiled in the act - and it was entirely by accident.
On Wednesday, the university released a post-mortem of the hack and how staff responded - the first public report of its kind into an Australian cyber attack. The university now believes only a fraction of the 19 years' worth of data compromised by the breach was successfully extracted, but vice-chancellor Brian Schmidt said he had been left stunned nonetheless by its sophistication.
Speaking ahead of the report's release, he described a hacking team likely made of about 10 to 15 people "at the top of their game" working round the clock to actively cover their tracks and build custom malware from inside the ANU network itself.
"This wasn't a smash and grab, this was a diamond heist," he said. "Everyone knew their role. [It's] shocked even the most experienced Australian security experts."
Hackers evolved, spying on staff calendars to try new tactics and keeping one step ahead of ANU security staff, who were then scrambling to plug holes identified during an earlier hack in 2018.
This time around, the ANU says intruders were markedly more sophisticated and used distinctly different tactics. But "frustratingly" they left analysts very little from which to guess at their motive, whether state-sponsored or criminal. And security teams now scouring the dark web for the stolen data have turned up nothing so far.
So how did the hackers get in and what clues did they leave behind?
Some experts think there's really only one obvious suspect - China.
How did hackers get in?
It began, like most hacks, with a seemingly innocuous email landing in the inbox of a senior staffer in November 2018.
But this time no one clicked on anything they shouldn't have - simply previewing an attachment was enough for hackers to steal a password and gain a foothold.
Duping people into unknowingly handing over login credentials or downloading malware through email - known as "spear phishing" - is a common hacking tactic. But Professor Schmidt admits the way it was achieved in this case sent a chill down his spine.
"The fact they got in without anyone actually clicking on anything, that wasn't widely known around the traps," he says. "We were sort of ground zero for that."
From there, investigators think hackers must have gotten lucky - an inside job has now been ruled out.
They stumbled upon an old vulnerable server only months away from decommission and it was there that they built their base of operations, installing "shadow infrastructure" to cloak their movements on the network as they hunted for a way into its more secure databases.
What was the target?
Investigators say they are confident they know what the hackers were after - the HR and financial records - because they made a beeline for that part of the network to the exclusion of others they could access like research.
While the hackers methodically ran software to clean up their trail, university analysts believe they would have found traces elsewhere, as they did with the HR database, if they had been busy in more than one place.
Instead, intruders kept running email "spear-phishing" campaigns like the one that first worked in November - trying to sniff out the right credentials to access the closed HR system, and eventually taking a final, desperate run at the IT department itself.
What did they actually steal?
Once they broke into the HR database through a previously unknown vulnerability, hackers used their own custom-made software to scrape its data so detail of exactly what was taken wouldn't appear on ANU logs. But university investigators say their analysis of data flow leaves them confident the amount taken was just a fraction of the terabytes first feared - not much more than what would fill a CD.
Spanning a period of 19 years, the affected HR records include payslips, bank account details, tax file and passport numbers, emergency contacts, and some academic records. Sensitive personal information such as medical and counselling records, academic misconduct and financial hardship is not stored in the same part of the network.
Whether the data was taken based on a targeted search of the records, a random sample or some other extraction method is still unclear.
But the intruders didn't stop there.
After extracting the HR files via another compromised computer, the hackers sent out more phishing emails to harvest credentials.
Whatever hackers planned to do next, they were interrupted. A new scheduled firewall went up, booting them out of their base of operations before they could cover their tracks.
They spent a frantic fortnight in the lead-up to Christmas trying to break back in. Eventually, they found another foothold in a legacy computer not behind a firewall.
But what about those email traps sent to IT staff?
As hackers continued their operation, one or two red-faced IT staffers did click on their malicious emails, handing over more credentials.
But others in the department recognised the emails for what they were and shut down the new attack station. Unfortunately, at the time, they didn't see them as part of a much bigger attack.
Unknown to the university, hackers were now waging another two-month-long battle to get back inside its systems.
Did they get what they wanted?
For the ANU's chief information security officer, Suthagar Seevaratnam, all this suggests the information they stole wasn't the endgame after all.
"Our current sense is the actor didn't get what they wanted because they were stopped twice during their campaign," he said. "And what they did get was not immediately usable."
Part of the data harvested was made up of field names, often displayed in confusing jargon unique to the university. It would have been difficult for hackers to search and, indeed, decipher, though the ANU admits it is also the kind of information of high value to criminals dealing in identity theft online.
Both the university and police say the small number of suspected identity fraud cases involving ANU staff or students since the breach have all been deemed unrelated.
How was the hack discovered?
Whatever their plans for the data, the hackers didn't give up.
Finally in April, a routine security sweep spotted the intrusion. A small army of cyber experts descended on the campus and the hunt began.
But it would be another month before the stolen data itself was discovered and a frantic two weeks fending off further attacks before the university notified its community in June. Even after going public, ANU came under fire from two more attacks - the second of which officials believe was the work of the original actors.
The whole campaign stretched over many months but the university estimates hackers spent a cumulative six weeks inside the network.
Who was behind it?
Whoever they were, they were well-resourced and highly skilled. As Professor Schmidt puts it: "This was a state-of-the-art hack, carried out by an actor at the very top of their game, at the very cutting edge."
Michael Shoebridge, director of defence, strategy and national security at the Australian Strategic Policy Institute, has read the report closely ("It's all a bit CSI Miami"). He says the skill, aggression and resources of the hackers, as well as the kind of data they targeted, bore the hallmarks of foreign espionage rather than organised crime.
Shoebridge thinks it unlikely the type of data taken would have been of much interest to criminals in the first place, even if they had the means to pull off the job.
"They have better sources for that kind of stuff," he says. "But universities are great datasets for foreign espionage outfits. This would fit nicely into information China has already gotten elsewhere.
"ANU conducts a whole lot of interesting research, its student and teaching population over time flow on to become government officials. You need information on people to pressure them into doing what you want.
"The level of sophistication and aggression here calls to mind a state actor. It's pretty impressive ANU found them. I think they would have been happy to stay in the network, undetected."
What do security agencies think?
The Australian Cyber Security Centre, which stepped in to help the ANU secure its network, did not answer questions on its own investigations into the hack, but said the breach served as a "salient reminder that the cyber threat is real".
The centre has previously warned of countries that "actively try to steal IP from tertiary institutions and research centres" and said on Wednesday no internet-connected network could be entirely secure.
While diplomacy can sometimes silence responses to cyber attacks, Mr Shoebridge said attribution, where possible, was important.
"This should serve a lesson for all institutions, especially universities," he said.
"Good on the ANU for publishing it but it shouldn't be on them to take on foreign governments. Australia needs to attribute attacks like these. If you catch a burglar in your house, pretending it didn't happen just encourages them to come back the next night."
What is ANU doing now?
Professor Schmidt handed down the report on Wednesday with an apology to students and staff and a call to break the silence surrounding attacks of this kind.
Acknowledging the university "could have done more", he said he hoped his "radical transparency" would encourage disclosure about hacks more broadly, rather than providing an instruction manual. Only a small number of very specific details have been omitted to prevent copycats.
Having identified technical weak points in ANU systems as well as "people and process issues", the university will now look to rebuild its network entirely over the next four years and roll out extra training to staff.
ANU did not answer questions on funding for the new initiative or IT resources during the hack, but at the time it was discovered staff were in the middle of a significant security upgrade following the previous 2018 attack.
"Unfortunately, there was not sufficient time to universally implement all measures across the ANU network between the two attacks in 2018," the report says.
"The sophistication and speed of the second attack underscore the threat environment in which we now operate."
Professor Schmidt says the first attack on the university in 2018 was a wake-up call but fortunately nothing was taken during that intrusion.
"We knew we could be targets at some level but now we had to up our game, bring more people in," he says.
"We were too exposed [to do a report] then," Professor Schmidt says. "And there wasn't the same level of harm. But now after two hacks, I need my staff and my students to trust me."
Seevaratnam says commentary around hacks should focus less on what organisations did wrong - which he calls "victim-blaming" - and more on the lessons that can protect the community.
"We need to encourage and support other victims coming forward and sharing their stories."
A copy of the report has been provided to the federal government's foreign interference taskforce.
ANU handed it down as Australia's top spy agency launched an investigation into another cyber attack, this time on regional Victorian hospitals.
Those affected by the breach can receive security advice from ID Care free of charge by contacting ANU on 1800 275 268 or emailing helpline@anu.edu.au.