ACSC report delivers overview of cyber threats, response to threat environment, provides advice to organizations

The Australian Cyber Security Centre (ACSC) unveiled its Annual Cyber Threat Report, covering cyber threats from last July to June this year. The ACSC report maps how global hackers have continued to find innovative ways to deploy online attacks, with supply chains used to penetrate the cyber defenses of governments and organizations in many countries, including Australia.

The report found that over the last financial year, reflecting strategic competition globally, Australia witnessed a heightened level of malicious cyber activity, with many Australians also having felt its impacts, Richard Marles, MP, deputy prime minister and minister for defence, wrote in the report.

“The government considers cyber security and reinforcing our online resilience to be a national priority. Increased investment in ASD’s cyber and intelligence capabilities under project REDSPICE (Resilience, Effects, Defence, SPace, Intelligence, Cyber, Enablers) positions Australia to lift our defences and recognises the critical role ASD plays in our national security,” Marles said. “The better news is that with increased collaboration across industry, small business, and government—and with all Australians—our joint cybersecurity future and the digital opportunities before us remain bright,” he adds.

The ACSC disclosed that cyberspace has become a battleground. Cyber is increasingly the domain of warfare, as seen in Russia’s use of malware designed to destroy data and prevent computers from booting in Ukraine. Pointing out that Russia was not alone in its use of cyber operations to pursue strategic interests, the ACSC report also referred to the threats from other nation-state hackers. 

In July 2021, the Australian Government publicly attributed the exploitation of Microsoft Exchange vulnerabilities to China’s Ministry of State Security. Additionally, in a joint Five-Eyes Advisory in November 2021, it confirmed the exploitation of these vulnerabilities by an Iranian state actor. Regional dynamics in the Indo-Pacific are increasing the risk of crisis, and cyber operations are likely to be used by states to challenge the sovereignty of others.

The ACSC report recorded an increase in financial losses due to BEC to over $98 million, an average loss of $64,000 per report. It also found a rise in the average cost per cybercrime report to over $39,000 for small businesses, $88,000 for medium businesses, and over $62,000 for large businesses, an average increase of 14 percent. Furthermore, it revealed a 25 percent increase in the number of publicly reported software vulnerabilities (Common Vulnerabilities and Exposures – CVEs) worldwide, and over 76,000 cybercrime reports, an increase of 13 percent from the previous financial year.

The ACSC report also disclosed that there were over 25,000 calls to the Cyber Security Hotline, an average of 69 per day and an increase of 15 percent from the previous financial year. Between 150,000 and 200,000 small office/home office (SOHO) routers in Australian homes and small businesses are vulnerable to compromise, including by state actors. Additionally, fraud, online shopping, and online banking were the top reported cybercrime types, accounting for 54 percent of all reports.

The report also identified that Australia’s prosperity is attractive to cybercriminals. “According to a 2021 Credit Suisse report, Australia has the highest median wealth per adult in the world. In 2021–22, cybercrimes directed at individuals, such as online banking and shopping compromise, remained among the most common, while Business Email Compromise (BEC) trended towards targeting high-value transactions like property settlements,” it adds.

Ransomware remains the most destructive cybercrime, while ransomware groups have further evolved their business model, seeking to maximize their impact by targeting the reputation of Australian organizations. “In 2021–22, ransomware groups stole and released the personal information of hundreds of thousands of Australians as part of their extortion tactics. The cost of ransomware extends beyond the ransom demands, and may include system reconstruction, lost productivity, and lost customers,” the ACSC report disclosed.

In February, a transnational joint cybersecurity advisory (CSA) was issued that outlined the growing international threat posed by ransomware trends observed over the past year. The global security agencies said that ransomware groups have increased their impact by targeting the cloud infrastructure and managed service providers (MSPs), attacking industrial processes and the software supply chain, and launching attacks on organizations on holidays and weekends.

The ACSC report also said that globally critical infrastructure networks are increasingly targeted, as state hackers and cybercriminals view critical infrastructure as an attractive target. “The continued targeting of Australia’s critical infrastructure is of concern as successful attacks could put access to essential services at risk. Potential disruptions to Australian essential services in 2021–22 were averted by effective cyber defences, including network segregation and effective, collaborative incident response,” it adds.

As rapid exploitation of critical public vulnerabilities became the norm, Australian organizations and even individuals were indiscriminately targeted by malicious cyber actors, according to the ACSC report. “Malicious actors persistently scanned for any network with unpatched systems, sometimes seeking to use these as entry points for higher value targets. The majority of significant incidents ACSC responded to in 2021–22 were due to inadequate patching.”

During the reporting period, the ACSC report said, the agency responded to over 1,100 cyber security incidents and blocked over 24 million malicious domain requests through the Australian Protective Domain Name System. It took down over 29,000 brute force attacks against Australian servers through the domain takedown service and disclosed that over 15,000 domains hosting malicious software targeted Australia’s COVID-19 vaccine rollout. Furthermore, the agency shared over 28,000 indicators of compromise with ACSC Partners through the Cyber Threat Intelligence Sharing platform.

The ACSC collaborated with partners on five successful operations against criminal online marketplaces and foreign scam networks. It responded to 135 ransomware incidents, an increase of over 75 percent compared to 2019–20, notified 148 entities of ransomware activity on their networks, conducted 49 high-priority operational tasks in response to identified and potential significant cyber threats including scanning for vulnerable Australian devices, and published 49 alerts and 14 advisories.

The agency also issued an advisory urging Australian organizations to adopt an enhanced security posture following Russia’s invasion of Ukraine, which was updated 10 times. It briefed more than 200 government, business, and critical infrastructure organizations on the risk of collateral damage to Australian networks following the Russian invasion of Ukraine. It also led 24 cyber security exercises involving over 280 organizations to strengthen Australia’s cyber resilience, and operationalized amendments to the Security of Critical Infrastructure Act, including through new incident categorization thresholds and changes to the ReportCyber website.

The ACSC also notified five critical infrastructure entities of malicious cyber activity and vulnerabilities potentially impacting their networks since the implementation of amendments to the Security of Critical Infrastructure Act. It has also completed the Critical Infrastructure Uplift Program (CI-UP) pilot and rolled out activities and tools open to all critical infrastructure partners.

The ACSC report proposes that in the face of rising threats to the digital-dependent Australian economy, cyber defense must be a priority for all Australians. The most effective means of defending against cyber threats continues to be the implementation of the Essential Eight cyber security strategies. To support this, the ACSC launched several new initiatives in 2021–22 to improve Australia’s cyber resilience, such as a Cyber Threat Intelligence Sharing (CTIS) platform which automates sharing of indicators of compromise. 

Additionally, the Australian government’s ten-year investment in ASD, known as REDSPICE, will further harden Australia’s cyber defenses in 2022–23 and beyond.

For larger organizations, the ACSC report calls for the implementation of the agency’s Essential Eight mitigation strategies, Strategies to Mitigate Cyber Security Incidents and the Information Security Manual. In the case of smaller organizations, it prescribes following the ACSC’s advice for ransomware, Business Email Compromise, and other threats, reviewing the cyber security posture of remote workers, patching vulnerabilities within 48 hours, and using only reputable cloud service providers and managed service providers that implement appropriate cyber security measures.

Commenting on the ACSC report, Satnam Narang, senior staff research engineer at Tenable, wrote in an emailed statement that “while it’s noteworthy that the Australian Cyber Security Centre (ACSC) responded to 135 ransomware incidents, a 75% increase compared to 2019-20, it also saw a 10% decrease in the number of ransomware cybercrime reports in 2020-2021.”

Narang added that what’s most important to recognize about ransomware attacks is that the figures can be misleading, as some organizations won’t report these incidents. “Many organisations are not legally obligated to report unless personal information is compromised, and unless such an incident will likely result in, or likely cause serious harm to the individual whose information was compromised or exposed.”

Last month, the Australian government began consulting on the Risk Management Program Rule under Part 2A of the Security of Critical Infrastructure Act 2018. The initiative works towards a strong and effective government-industry partnership that is central to achieving the government’s vision for critical infrastructure security and resilience. The consultation is open for 45 days, from October 5 until November 18.
