Australia clocked one cybercrime report every 7 minutes in the past year, with ransomware proving to be the “most destructive” threat. State actors also remain a persistent threat for agencies such as the Australian Bureau of Statistics, which personal information on the local population makes it an attractive target.
The country saw an almost 13% increase in the number of reported cybercrime cases to more than 76,000 last year, according to the Annual Cyber Threat Report 2021-2022 released by Australian Cyber Security Centre (ACSC). This meant there was one reported case every 7 minutes, up from every 8 minutes in the last financial year, the government agency said.
Its annual report contains insights from the Australian Federal Police, Australian Criminal Intelligence Commission, Australian Security Intelligence Organisation, Defence Intelligence Organisation, and Department of Home Affairs.
ACSC pointed to ransomware, in particular, as the most damaging, with all sectors in the local economic directly impacted by such attacks last year, where 447 ransomware cases were reported. This figure was a 10% drop from the previous year, but the report surmised that ransomware remained significantly underreported, especially amongst victims who opt to pay a ransom.
The education and training sector recorded the most ransomware incidents, moving up from being fourth place the year before, and alongside four others in the top five sectors accounted for 47% of all reported ransomware attacks.
“Top-tier ransomware groups are continuing to target Australian ‘big game’ entities–organisations that are high profile, high value, or provide critical services,” ACSC said. “While global trends indicate a decline in ‘big game’ targeting and a shift towards targeting small and midsize businesses (SMBs), that change has yet to be seen in Australia.”
State actors a persistent threat amidst geopolitical tensions
What it had witnessed in the past year, though, were persistent attempts from state actors looking to access sensitive data, including personally identifiable information, to support their government’s intelligence requirements.
Deputy Prime Minister and Minister for Defence Richard Marles said: “We are currently witnessing deteriorating strategic circumstances in our region and globally, including a military buildup unseen since World War II, and expanding cyber and grey zone capabilities are of particular concern.”
The Australian Bureau of Statistics, for instance, is an attractive target as it holds personal information on the local population, according to the report.
Prior to the national census which was conducted in August 2021, the ACSC said it held threat intelligence briefings with the bureau and assessed cyber activities against the agency. It also conducted a review of the bureau’s systems, which included a source code review, penetration testing to identify vulnerabilities, and analysis to detect malicious activities that might already be in the system.
ACSC said it not find any indication of malicious activities and critical cybersecurity recommendations were resolved by the bureau before the census was conducted.
While this ran without cybersecurity incident or service disruption, the cybersecurity agency noted that cyber was increasingly the domain of warfare. It pointed to Russia’s use of malware to remove data and shut down computers in Ukraine.
It also highlighted a July 2021 incident in which Australia attributed the exploitation of Microsoft Exchange vulnerabilities to China’s Ministry of State Security. The Five Eyes advisory in November 2021 also confirmed an Iranian state actor had exploited the same vulnerabilities.
ACSC warned that Indo-Pacific dynamics were fuelling the risk of a crisis and cyber operations were likely to be used by states to challenge the sovereignty of others.
“These actors do not just want classified information. They also want to understand who we are, how we connect with each other, and what values we hold,” the Australian agency said. “In some cases, they may seek to pre-position in strategic networks to prepare for coercive or disruptive activity against us.”
The report further pointed to Australia’s critical infrastructures, which continued to face potential threat from state actors as well as cybercriminals looking to cause disruptions.
“Critical infrastructure encompasses the physical facilities, communication networks, and information and operational technologies that provide essential services,” ACSC said. “A sustained disruption in one part of the critical infrastructure ecosystem has knock-on effects elsewhere in the economy, and could ultimately lead to harm or loss of life, as seen internationally as a consequence of ransomware attacks on health services.”
It noted that CS Energy’s corporate network in November last year was targeted by Russia-aligned Conti ransomware group. The Queensland electricity generator, which produces 10% of electricity for the national electricity market, had cut the external online connection to its network after detecting the ransomware attack and initiated business continuity procedures.
ACSC said 95 cyber incidents, or about 8% of all cyber incidents it responded to last year, had involved critical infrastructures
Amongst other key findings in its report this year, the security agency estimated that AU$98 million ($62.74 million) was lost to business email compromise incidents, with an average AU$64,000 lost per report.
The average cost per cybercrime report for small businesses also climbed to more than AU$39,000, while this figure clocked at AU$88,000 for medium businesses and more than AU$62,000 for large businesses.
More than 25,000 calls were made to the country’s cyber security hotline, or an average 69 per day, up 15% from the previous year.
Fraud, online shopping, and online banking were the leading cybercrime categories, accounting for 54% of all reported incidents.
Marles noted: “This [ACSC] report maps how threat actors across the world have continued to find innovative ways to deploy online attacks, with supply chains used to penetrate cyberdefences of governments and organisations in many countries, including Australia.
“Reporting cybercrime is vital for us to build a threat picture that can prevent others from falling victim to the ransomware syndicates and cybercriminals. The best cyberdefence is informed by the best intelligence,” the minister added.
The government is seeking stiffer financial penalties for serious or repeated data privacy breaches, pushing maximum fines of up to AU$50 million ($31.57 million). The move comes amidst a spate of cybersecurity incidents that compromised customer data, including Optus and Medibank.