Australia’s relative prosperity makes it an attractive target for cyber criminals, the Australian Cyber Security Centre (ACSC) has warned as it engages global partners to stem a cybercrime wave that’s seeing new breaches every 7 minutes – and costing victims more than ever.

The ACSC fielded over 76,000 cybercrime reports and responded to over 1,100 cyber security incidents during the 2021-22 financial year, according to its newly released third annual ACSC Annual Cyber Threat Report, which noted that the frequency of attacks had increased from one every 8 minutes in 2020-21, to one every 7 minutes over the past year.

Financial losses continued to increase over the period, with more than 1,500 reported business email compromise (BEC) attacks costing over $98 million during the year – an average of $64,000 per incident.

Overall, the average cost per reported cybercrime incident rose 14 per cent, increasing to $39,000 for small businesses; $88,000 for medium businesses; and over $62,000 for large businesses.

This growth in losses was correlated with Australia’s ranking as the world’s highest median wealth per adult, according to the recent Credit Suisse Global Wealth Report 2022 – whose findings seemingly haven’t been lost on cyber criminals.

Fraud, online shopping and online banking attacks accounted for 54 per cent of all reported cyberattacks, the ACSC found, with BEC attacks “trending towards targeting high value transactions like property settlements”.

That perception of wealth had also driven a surge in ransomware attacks, which were the most destructive cybercrime during the past year as cyber criminal groups “further evolved their business model” and stole personal information relating to “hundreds of thousands of Australians”.

“Over the last year and reflecting strategic competition globally, we have all witnessed a heightened level of malicious cyber activity,” Deputy Prime Minister and Minister for Defence Richard Marles wrote in introducing the new report.

“Threat actors across the world have continued to find innovative ways to deploy online attacks, with supply chains used to penetrate cyber defences of governments and organisations in many countries.”

Orchestrating a collaborative response

Most of the incidents ACSC responded to occurred because the compromised organisations had not kept up with patching their systems to close security holes, the ACSC said, warning that malicious actors “persistently scanned for any network with unpatched systems” and used those systems to establish a foothold into the broader organisation.

Such techniques were proving fruitful for nation-state actors that had increasingly been found to be targeting Australian critical infrastructure (CI) systems, with the ACSC notifying five CI operators of malicious cyber activity and briefing over 200 government, business, and CI organisations about the risks of “collateral damage to Australian networks” after Russia’s invasion of Ukraine.

“Australia continued to be the target of persistent cyber espionage by a wide range of state actors due to its regional and global interests, international partnerships and participation in multilateral forums,” the ACSC reported, noting that “while state actors have access to a wide range of sophisticated and bespoke capabilities, the majority of compromises the ACSC observed used relatively simple tools and techniques” such as phishing or exploiting unpatched software vulnerabilities.

“Australian network owners need to consider how to secure their critical systems and protect their sensitive information,” the report advises, “for instance, through improved segmentation between their corporate and operational networks.”

In July, the ACSC completed a pilot of its Critical Infrastructure Uplift Program (CI-UP) – part of the federal government’s long-term REDSPICE cyber security funding program – as it works to harden organisations in CI sectors such as healthcare, which accounted for 9 per cent of reported incidents; financial and insurance (4 per cent); and electricity, gas, water and waste services (3 per cent).

Fully 24 per cent of reported attacks targeted Commonwealth government agencies, while 10 per cent hit state, territory and local government bodies.

That included two cases where federal government, government shared services and regulated CI operators suffered “extensive compromise”; 26 incidents of “isolated compromise” on such operators; and 97 cases of “low-level malicious attack”.

For all the increased threat that it documented, the ACSC also flagged a range of successes in its enforcement efforts – including working with law enforcement partners in five successful operations against criminal online marketplaces and foreign scam networks.

A growing climate of international co-operation got a further boost this month, with the ACSC lauding its partnership with the UK National Cyber Security Centre (NCSC) – with which it has collaborated on initiatives such as ACSC Cyber Hygiene Improvement Programs (CHIPs) and the NCSC’s new internet scanning capability.

Despite the increasing pressure posed by “deteriorating strategic circumstances” and “expanding cyber and grey zone capabilities”, an undeterred Marles was confident that government and industry collaboration is driving the national cyber response in the right direction.

“With increased collaboration… our joint cyber security future and the digital opportunities before us remain bright,” he said.

“Together we can reach our ambitious goal to make Australia truly the most secure place to connect online.

“In this environment, the work performed by ACSC is more important than ever.”