The volume of cyber security attacks has grown so much during the COVID-19 pandemic that victims were lodging a new cybercrime report every 8 minutes, the Australian Cyber Security Centre (ACSC) reported, as it launched its latest annual report into Australian cybercrime.
With over 67,500 reports of cybercrime received during the 2020-21 financial year, the ACSC Annual Cyber Threat Report 2020-21 found that attack volumes increased nearly 13 per cent compared with the previous year, when the agency received one report every 10 minutes.
Not only were there more incidents, but more were classified as ‘substantial’ in their impact – reflecting an increase in attacks on larger organisations and their bigger consequences for victims.
“Malicious cybercriminals are escalating their attacks on Australians,” Andrew Hastie, Assistant Minister for Defence, said as the new report was launched.
“We need all Australians to be vigilant… [and] on guard against malicious emails and texts.”
Reflecting the surge of cybercrime during the pandemic, over 1,500 COVID-related reports were lodged per month with the ACSC – which also provided domestic and foreign advice and assistance for more than 1,630 cyber incidents as nation-state actors searched for “sensitive information about Australia’s response to COVID”.
“The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations,” the report warns, flagging the development of off-the-shelf cybercrime tools – such as ransomware-as-a-service – that had simplified cybercrime for “a growing number of malicious actors without significant technical expertise and without significant financial investment.”
Sophisticated or not, those malicious actors were moving “at speed and scale”, the ACSC said, often exploiting new vulnerabilities within hours of their public disclosure.
“We know some of the tried and true methods cybercriminals use to target organisations,” Tenable staff research engineer Satnam Narang said in response to the ACSC update, “[yet] despite this knowledge being widely discussed, we continue to witness cybercriminals successfully utilising these tactics.”
“Readily available proof-of-concept exploit code typically provided for defenders is being routinely incorporated into toolkits by cybercriminals and used against vulnerable systems.”
Attacks on key Australian infrastructure operations had increased dramatically over the past year, with one-quarter of incidents reported to the ACSC related to “significant targeting” of critical Australian infrastructure or services.
While the consequences of supply-chain attacks were “not as severe” for Australian companies as last year’s SolarWinds compromise, the ACSC said, “a number of organisations were forced to take mitigation actions to prevent more serious impacts to their networks.”
“The threat from supply chain compromises remains high.”
Also problematic is business email compromise (BEC) – a type of email attack in which cybercriminals pretend to be trusted executives or business partners to manipulate employees into wiring them money.
The average BEC victim lost over $50,600 during 2020-21 – representing a more than 50 per cent increase over the previous year – and the ACSC warned of worse damage to come as “these groups have developed enhanced, streamlined methods for targeting Australians”.
Time for a new approach
The new figures are the latest in a parade of statistics confirming that cybercriminal activity surged during 2020 and shows no signs of stopping this year, with Australia one of the world’s most-hacked countries and costs spiralling into the millions per incident.
Compromises of Australian hospitals were of particular concern, given their importance in the ongoing national COVID response.
“By targeting bigger businesses and essential services, the attackers are calculating that the victims can’t afford to be offline for any extended period and will pay the ransom just so they can continue operating as usual,” noted Dale Heath, engineering manager with anti-ransomware firm Rubrik ANZ.
“These attacks are not going to stop anytime soon. In fact, quite the opposite. They will continue to evolve, becoming more sophisticated, and more disruptive as attackers aim to make recovery as difficult and costly as possible.”
Preparedness is critical to minimising the impact of attacks, the ACSC said, citing the proactivity of Victoria’s Department of Health in recovering after a ransomware attack crippled Victorian hospitals earlier this year.
“Prompt action by the health service, the use of advanced cyber security tools provided by the Department, and collaboration between the health service, government and contracted cyber security partners,” the report notes, “significantly reduced the impact of the ransomware attack and the restoration time.”
Hastie repeated a familiar refrain, exhorting Australians to fight attacks – and the widespread exploitation of legitimate user credentials to execute them – by taking “simple cyber security steps” such as using strong passphrases, using two-factor authentication, updating software and devices, and maintaining regular data backups.
Yet there are signs authorities are tiring of offering the same old advice over and over, with new discussions this year considering whether to light a fire under company directors by holding them personally responsible for cyber attacks.
“If the definition of insanity is to do the same thing over and over and expect a different result, then government and business must acknowledge that a completely new approach to protecting and verifying identity credentials online is required,” said H. Daniel Elbaum, chairman and co-CEO of Australian security firm Veroguard.
With new technologies like AI, big data, analytics and virtual reality set to “add further complexities and greater vulnerabilities to already stressed systems,” he said, “prevention is better than detection and remediation – which is always too late.”