“Malicious actors exploited the coronavirus pandemic environment by targeting Australians’ desire for digitally accessible information or services,” says the Australian Cyber Security Centre (ACSC) in its annual threat report for the 2020–21 financial year. The report identified more than 67,000 cybercrimes in the year, an increase of 13%.
|Breakdown of cybercrime incidents for financial year 2020–21|
“The pandemic has significantly increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives,” the report says. “This dependence has increased the attack surface and generated more opportunities for malicious cyber actors to exploit vulnerable targets in Australia.
“Over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. The increase in volume of cybercrime reporting equates to one report of a cyber attack every 8 minutes compared to one every 10 minutes last financial year.
“A higher proportion of cyber security incidents this financial year was categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increased reporting of attacks by cybercriminals on larger organisations and the observed impact of these attacks on the victims, including several cases of data theft and/or services rendered offline.
“The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. The accessibility of cybercrime services – such as ransomware-as-a-service (RaaS) – via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment.
“No sector of the Australian economy was immune from the impacts of cybercrime and other malicious cyber activity. Government agencies at all levels, large organisations, critical infrastructure providers, small to medium enterprises, families and individuals were all targeted over the reporting period – predominantly by criminals or state actors.”
The ACSC identified the following key cyber security threats and trends in the 2020–21 financial year:
Exploitation of the pandemic environment:
Malicious actors exploited the coronavirus pandemic environment by targeting Australians’ desire for digitally accessible information or services. For example, spear phishing emails were regularly associated with COVID-related topics, encouraging recipients to enter personal credentials for access to COVID-related information or services. Criminal and state actors also targeted the health care sector. State actor activity was probably motivated by access to intellectual property or sensitive information about Australia’s response to COVID, while criminals sought to leverage critical services to increase the motivation of victims to pay ransoms. For example, the health care sector was a significant target of ransomware attacks during the reporting period.
Disruption of essential services and critical infrastructure:
Approximately one quarter of cyber incidents reported to the ACSC during the reporting period were associated with Australia’s critical infrastructure or essential services. Significant targeting, both domestically and globally, of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life.
Ransomware has grown in profile and impact, and poses one of the most significant threats to Australian organisations. The ACSC recorded a 15 per cent increase in ransomware cybercrime reports in the 2020–21 financial year. This increase has been associated with an increasing willingness of criminals to extort money from particularly vulnerable and critical elements of society. Ransom demands by cybercriminals ranged from thousands to millions of dollars, and their access to darkweb tools and services improved their capabilities. Extortion tradecraft evolved, with criminals combining the encryption of victim networks with threats to release or on-sell stolen sensitive data and damage the victim’s reputation. Ransomware incidents disrupted a range of sectors, including professional, scientific and technical organisations, and those in health care and social assistance. The global impact of the Colonial Pipeline and JBS Foods attacks underscores the potential debilitating and widespread impact of ransomware attacks.
Rapid exploitation of security vulnerabilities:
State and criminal cyber actors continued to compromise large numbers of organisations by prosecuting publicly disclosed vulnerabilities at speed and scale. Malicious actors exploited security vulnerabilities, at times within hours of public disclosure, patch release or technical write up – particularly if proof of concept (PoC) code that identified the vulnerabilities in systems was also released.
Supply chains – particularly software and services – continue to be targeted by malicious actors as a means to gain access to a vendor’s customers. Although the consequences of major supply chain attacks – such as SolarWinds – were not as severe for Australia, a number of organisations were forced to take mitigation actions to prevent more serious impacts to their networks. The threat from supply chain compromises remains high – it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.
Business email compromise (BEC) continues to present a major threat to Australian businesses and government enterprises, especially as more Australians work remotely. In the 2020–21 financial year, the average loss per successful event has increased to more than $50,600 (AUD) – over one-and-a-half times higher than the previous financial year. Cybercriminal groups conducting BEC have likely become more sophisticated and organised, and these groups have developed enhanced, streamlined methods for targeting Australians.
The ACSC Annual Cyber Threat Report 2020–21 has been produced by the Australian Cyber Security Centre, with contributions from the Defence Intelligence Organisation (DIO), Australian Criminal Intelligence Commission (ACIC), Australian Security Intelligence Organisation (ASIO), The Department of Home Affairs and industry partners.