It seems most of the reporting on this is an identical re-hashing of the report the school issued. What I haven't seen is anyone identify the actual software was ANU using. I can take a few guess, but to me it is clear negligence to use a mail reader that executes malware on a mere preview of a message. I'm admittedly curmudgeonly about this, but you have organizations that pay for crappy software, use it wantonly, and then when they get attacked, want to blame China. This isn't a report on a breach; it's a deflection of responsibility.
I have news for ANU, if in fact some state actor burrowed their way into their network, I can assure than that their own students, who had daily access to the network, undoubtedly were in there well ahead.
One last thought: When are we as security professionals going to stick a fork in HTML email?