In June 2020, at the peak of the COVID-19 pandemic, Australia’s Prime Minister Scott Morrison said what many others refuse to acknowledge in public.
He went on record saying that the Australian government and institutions are being targeted by ongoing sophisticated state-based cyber hacks. These cyber attacks were widespread, covering “all levels of government” as well as essential services and businesses.
Flash forward to September 2021, and attacks have extended to both public and private sectors; one such attack on Microsoft Exchange Servers impacted thousands of Australian businesses across industries. About one quarter of these attacks targeted Australia’s “critical infrastructure”–from electricity and water to education and transport systems.
The numbers tell a story. Over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 percent from the previous financial year.
The increase in volume of cybercrime reporting equates to one report of a cyber attack every 8 minutes compared to one every 10 minutes last financial year. Remote working and a higher reliance on digital technologies seem to be some of the factors behind this increase.
A higher proportion of cyber security incidents this financial year was categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increased reporting of attacks by cybercriminals on larger organisations and the observed impact of these attacks on the victims, including several cases of data theft and/or services rendered offline.
The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations.
The accessibility of cybercrime services – such as ransomware-as-a-service (RaaS) – via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise or significant financial investment. According to data from the Office of the Australian Information Commissioner (OAIC), which periodically publishes statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme, there was a 5 per cent increase in such breaches.
The findings covered the reporting period of July-December 2020, which saw 539 breaches (up 7 per cent from the first half of the year). Malicious or criminal attacks (including cyber incidents) remain the leading source of data breaches, accounting for 58 per cent of the notifications.
Hackers don’t discriminate
No sector of the Australian economy was immune from the impacts of cybercrime and other malicious cyber activity. Large organisations, critical infrastructure providers, small to medium enterprises, families and individuals were all targeted over the reporting period – predominantly by criminals or state actors.
Incidents reported across major Australian firms, included steel maker BlueScope, logistics firm Toll Group, and state government agency Services New South Wales. Similarly, in June, internet banking services of Commonwealth Bank, Westpac and ANZ got disrupted as a result of a major outage.
Services of smaller lenders such as Macquarie Bank and ME Bank were also affected.
The ACSC has identified that attackers are looking at exploiting the pandemic environment to their advantage. Malicious actors are capitalising on Australians’ desire for digitally accessible information or services. For example, phishing emails were regularly associated with COVID-related topics, encouraging recipients to enter personal credentials for access to COVID-related information or services.
State actor activity was probably motivated by access to intellectual property or sensitive information about Australia’s response to COVID, while criminals sought to leverage critical services to increase the motivation of victims to pay ransoms. For example, the health care sector was a significant target of ransomware attacks during this reporting period.
Ransomware poses a paramount threat to Australian organisations. The ACSC recorded a 15 per cent increase in ransomware cybercrime reports in the 2020–21 financial year. Ransom demands ranged from thousands to millions of dollars, and their access to darkweb tools and services improved their capabilities.
Extortion tradecraft evolved, with criminals combining the encryption of victim networks with threats to release or on-sell stolen sensitive data and damage the victim’s reputation. The global impact of the Colonial Pipeline and JBS Foods attacks underscores the potential debilitating and widespread impact of ransomware attacks.
Then there is the disruption of essential services and critical infrastructure approach. Approximately 25 per cent of cyber incidents reported to the ACSC during the reporting period were associated with Australia’s critical infrastructure or essential services.
Significant targeting, of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life, ACSC said.
Supply chains – particularly software and services – continue to be targeted by malicious actors as a means to gain access to a vendor’s customers. Although the consequences of major supply chain attacks – such as SolarWinds – were not as severe for Australia, a number of organisations were forced to take mitigation actions to prevent more serious impacts to their networks.
The threat from supply chain compromises remains high – it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.
Business email compromise (BEC) continues to present a major threat to Australian businesses and government enterprises, especially as more Australians work remotely. In the 2020–21 financial year, the average loss per successful event has increased to more than $50,600 (AUD) – over one-and-a-half times higher than the previous financial year.
Cybercriminal groups conducting BEC have likely become more sophisticated and organised, and these groups have developed enhanced, streamlined methods for targeting Australians.
Given the prevalence of malicious cyber actors targeting Australian networks – which is often under-reported to the ACSC – there is a strong need for greater resilience, and for Australian organisations and individuals to prepare to respond to and recover from any cyber attack.