Key cyber threats affecting Australia, and vital advice on how to protect businesses online.
The Australian Cyber Security Centre (ACSC) has released its Annual Cyber Threat Report 2020–21, highlighting the key cyber threats affecting Australian systems and networks. The report uses strategic assessments, statistics, trend analysis and case studies to describe the nature, scale, scope and impact of malicious cyber activity affecting Australian networks.
It was produced by the ACSC, with contributions from the Defence Intelligence Organisation (DIO), Australian Criminal Intelligence Commission (ACIC), Australian Security Intelligence Organisation (ASIO), The Department of Home Affairs and industry partners.
Over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. The increase in volume of cybercrime reporting equates to one report of a cyber attack every eight minutes compared to one every 10 minutes last financial year.
A higher proportion of cyber security incidents this financial year was categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increased reporting of attacks by cybercriminals on larger organisations and the observed impact of these attacks on the victims, including several cases of data theft and/or services rendered offline.
The increasing frequency of cybercriminal activity is compounded by the increasing complexity and sophistication of their operations. The accessibility of cybercrime services – such as ransomware-as-a-service (RaaS) – via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise or significant financial investment.
No sector of the Australian economy was immune from the impacts of cybercrime and other malicious cyber activity. Government agencies at all levels, large organisations, critical infrastructure providers, small to medium enterprises, families and individuals were all targeted over the reporting period – predominantly by criminals or state actors.
The ACSC identified the following key cyber security threats and trends in the 2020–21 financial year:
- Exploitation of the pandemic environment: Malicious actors exploited the coronavirus pandemic environment by targeting Australians’ desire for digitally accessible information or services. For example, spear phishing emails were regularly associated with COVID-related topics, encouraging recipients to enter personal credentials for access to COVID-related information or services. Criminal and state actors also targeted the health care sector. State actor activity was probably motivated by access to intellectual property or sensitive information about Australia’s response to COVID, while criminals sought to leverage critical services to increase the motivation of victims to pay ransoms. For example, the health care sector was a significant target of ransomware attacks during the reporting period.
- Disruption of essential services and critical infrastructure: Approximately one quarter of cyber incidents reported to the ACSC during the reporting period were associated with Australia’s critical infrastructure or essential services. Significant targeting, both domestically and globally, of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life.
- Ransomware has grown in profile and impact, and poses one of the most significant threats to Australian organisations. The ACSC recorded a 15 per cent increase in ransomware cybercrime reports in the 2020–21 financial year. This increase has been associated with an increasing willingness of criminals to extort money from particularly vulnerable and critical elements of society. Ransom demands by cybercriminals ranged from thousands to millions of dollars, and their access to dark web tools and services improved their capabilities. Extortion tradecraft evolved, with criminals combining the encryption of victim networks with threats to release or on-sell stolen sensitive data and damage the victim’s reputation. Ransomware incidents disrupted a range of sectors, including professional, scientific and technical organisations, and those in health care and social assistance. The global impact of the Colonial Pipeline and JBS Foods attacks underscores the potentially debilitating and widespread impact of ransomware attacks.
- Rapid exploitation of security vulnerabilities: State and criminal cyber actors continued to compromise large numbers of organisations by prosecuting publicly disclosed vulnerabilities at speed and scale. Malicious actors exploited security vulnerabilities, at times within hours of public disclosure, patch release or technical write-up – particularly if proof of concept (PoC) code that identified the vulnerabilities in systems was also released.
- Supply chains – particularly software and services – continue to be targeted by malicious actors as a means to gain access to a vendor’s customers. Although the consequences of major supply chain attacks – such as SolarWinds – were not as severe for Australia, a number of organisations were forced to take mitigation actions to prevent more serious impacts to their networks. The threat from supply chain compromises remains high – it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.
- Business email compromise (BEC) continues to present a major threat to Australian businesses and government enterprises, especially as more Australians work remotely. In the 2020–21 financial year, the average loss per successful event increased to more than A$50,600 (AUD) – over one-and-a-half times higher than the previous financial year. Cybercriminal groups conducting BEC have likely become more sophisticated and organised, and these groups have developed enhanced, streamlined methods for targeting Australians.
Fraud-related cybercrime – where actors use computers or online services to commit fraud – continued to be a prevalent cyber threat to Australians, with this activity accounting for nearly 23 per cent of cybercrime reports (see Figure 3). The cybercrime categories with the most reports were primarily types of cyber-enabled crime, which occur when computers are used to facilitate an existing offence such as online fraud or online child sexual exploitation offences. The top three cybercrime types reported via ReportCyber were:
- fraud cybercrime – approximately 23 per cent
- shopping cybercrime – approximately 17 per cent
- online banking cybercrime – approximately 12 per cent.
While the number of ransomware-related cybercrime reports is a relatively small proportion of the total number of cybercrime reports, ransomware remains the most serious cybercrime threat due to its high financial cost and its disruptive impact on victims and the wider community.
Self-reported financial losses due to cybercrime in Australia-based cybercrime reports totalled more than $33 billion (AUD). Because many cybercrime investigations remain open and complex, these figures may not be fully verified by law enforcement, and a significant portion relate to cyber-enabled crimes. Small businesses made a higher number of cybercrime reports than in the previous financial year; however, medium businesses had the highest average financial loss per cybercrime report.
Compared to the previous financial year, the total number of cyber security incidents in the 2020–21 financial year decreased by 28 per cent and there were no Category 1 or Category 2 incidents in the 2020–21 financial year.
However, a higher proportion of incidents in the 2020–21 financial year were categorised as Category 4 incidents – indicating that cyber security incidents reported this year had a more profound impact on victim organisations. This change is due in part to an increase in attacks by cybercriminals on larger organisations and the impact of these attacks on the victims. The attacks included data theft, extortion and/or rendering services offline.
Approximately one quarter of reported cyber security incidents affected critical infrastructure organisations, including essential services such as education, health, communications, electricity, water and transport. After the government sector as the top reporting sector, the professional, scientific and technical sector and the health care and social assistance sector reported the highest number of cyber security incidents during the 2020–21 financial year. The top ten reporting sectors accounted for approximately 77 per cent of all incidents for the 2020–21 financial year.
During the 2020–21 financial year, the ACSC received nearly 500 ransomware cybercrime reports via ReportCyber, which is an increase of nearly 15 per cent compared with the previous 2019–20 financial year.
In the 2020–21 financial year, the ACSC also responded to nearly 160 cyber security incidents related to ransomware. The professional, scientific and technical services sector and the health sector reported the most ransomware-related cyber security incidents (see Figure 8). The top five reporting sectors for ransomware-related incidents accounted for approximately 50 per cent of all ransomware-related incidents reported to the ACSC during the 2020–21 financial year.
Phishing campaigns, targeted spear phishing, remote access through vulnerable machines and the use of publicly available exploits remain the most common vectors for deploying ransomware. Personal information on professional and social networking platforms, including profiles, can provide malicious actors with useful information for targeting, including spear phishing or other socially engineered online approaches.
Business Email Compromise (BEC)
Australian businesses are losing significant amounts of money through BEC. BEC cybercrime was one of the top cybercrime categories, making up nearly 7 per cent of the cybercrime reports received in the 2020–21 financial year. While there has been a slight decrease in BEC reports compared with the previous financial year, self-reported financial losses have increased – total losses were approximately $81.45 million (AUD) for the 2020–21 financial year, an increase of nearly 15 per cent from the previous financial year. Average loss per successful BEC transaction also increased, by 54 per cent (see Figure 9) – in one case, BEC led to the bankruptcy of a company (see Case Study: Australian hedge fund subject to BEC and declared bankruptcy).
Threat environment and key cyber security trends
Australia faced a complex and evolving cyber threat environment in 2020 and 2021. This was in part due to the impacts of the coronavirus pandemic, but also to the increasing opportunities afforded to malicious actors, the rampant activities of cybercriminals and Australia’s geostrategic environment.
The coronavirus pandemic continued to expand the boundaries of Australia’s computer networks, pushing corporate systems into homes across the nation as a large percentage of the workforce shifted to remote working arrangements. The speed at which this occurred saw many organisations rapidly deploy new remote networking solutions, sometimes to the detriment of their cyber security. Various malicious cyber actors repeatedly took advantage of Australia’s heightened vulnerability during this time to conduct espionage, steal money and sensitive data, and disrupt the services on which Australians rely.
Alongside the virtualisation of Australian life, the disclosure of significant vulnerabilities in software used in Australian networks expanded the targeting opportunities available to adversaries. The Microsoft Exchange and Accellion File Transfer Application (FTA) vulnerabilities were notable examples where the ACSC observed multiple compromises after initial disclosure. In some cases, both state-sponsored actors and cybercriminals were able to rapidly exploit vulnerabilities at scale, including against targets in Australia.
Across this period, Australia remained a key and regular target of state-sponsored actors. These actors employed a wide range of tactics to target Australian networks, seeking sensitive information that could be used to weaken Australia’s competitive advantage and degrade national security.
Australians were also frequent victims of financially motivated cybercrime, particularly ransomware and business email compromise. Cybercriminals were prolific and overt in their targeting of Australian organisations, and the impacts of their operations were felt across the community. In some cases, these impacts included the disruption of essential services, as happened when the March 2021 ransomware attack against a Victorian public health service affected four hospitals and aged care facilities, and resulted in the postponement of elective surgeries. Ransomware attacks on an Australian media company and JBS Foods further demonstrated a move by cybercriminals away from low-level ransomware operations towards extracting hefty ransoms from large or high-profile organisations. To increase the likelihood of ransoms being paid, cybercriminals would encrypt networks and also exfiltrate data, then threaten to publish stolen information on the internet. These shifts in targeting and tactics have intensified the ransomware threat to Australian organisations across all sectors, including critical infrastructure.
Cybercriminals also preyed on the community’s desire for information and resources on topical issues. In particular, the pandemic provided compelling content for email and SMS phishing campaigns. Often, however, poor cyber security controls – such as unpatched vulnerabilities and unsecured remote access solutions – allowed cybercriminals to launch their attacks with minimal targeting effort or technical expertise. The ease with which malicious actors could gain access to networks increased Australia’s susceptibility to cybercrime targeting.
This was also a period in which new and serious concerns joined the list of existing cyber threats. Chief among these was the protection of Australia’s COVID-19 vaccine supply, including distribution processes, from malicious cyber actors. State and criminal cyber actors alike possess the capability to disrupt Australia’s critical infrastructure – including vaccine supply and distribution chains – with the pandemic only amplifying the opportunities for these actors to cause Australia harm. Even in the absence of direct and intentional targeting, there remains the potential for malicious cyber actors to inadvertently disrupt vaccine supply and distribution chains, making the threat more difficult to address.
What does the future hold?
The headlining global cyber security events of 2020 and 2021 – such as the SolarWinds Orion supply chain compromises, the exploitation of on-premises Microsoft Exchange server vulnerabilities and the volley of large-scale ransomware attacks – are now the new norm. Over the next 12 months, additional supply chain compromises will likely come to light, major vulnerabilities will continue to emerge and Australia will experience more major financially motivated cyber incidents, some of which could disrupt critical services.
Despite the headlines, many of the compromises experienced by Australians will continue to be fuelled by a lack of adequate cyber hygiene. This delivers a significant advantage to adversaries and lowers the technical barrier to targeting victims in Australia, highlighting the need to uplift cyber security maturity across the Australian economy. Given the prevalence of malicious cyber actors targeting Australian networks – activity that is often under-reported to the ACSC – there is a strong need for greater resilience, and for Australian organisations and individuals to prepare to respond to and recover from any cyber attack on their networks.