Second Unclassified Annual Cyber Threat Report
The ACSC’s Annual Cyber Threat Report updates Australian people and organizations on cyber threats impacting Australia. And how the Australian Cyber Security Centre responds to these threats 24/7. The report is produced jointly with the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC). The latest report, released on 15 September, is the center’s second unclassified annual cyber threat report since the Australian Signals Directorate (ASD) became a statutory agency in Australia’s Defense portfolio in July 2018. The report reveals that over the 2020-21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13% on the previous financial year. Self-reported losses totaled AU$33 billion, with medium businesses having the highest average financial loss. The increase in reporting amounts to one report every eight minutes. Last financial year this was “just” one every ten minutes.
Some Key Take-Aways
“Australians over the last 18 months have migrated much of their lives online. Services that we normally would conduct in person, whether it be shopping, banking, education, are now being done online. That means the threat surface area in Australia has grown, which has incentivised more criminal activity”, explained Andrew Hastie, Assistant Minister for Defense. He also pointed out the following key take-aways:
Ransomware remains the most serious cybercrime threat due to its financial and disruptive impacts. There were almost 500 ransomware related cybercrime reports received in the last financial year, an increase of almost 15% compared to the previous financial year. Cybercriminals also continued to steal significant amounts of money by impersonating trusted suppliers or business representatives through BEC scams. The average loss of each incident through business email compromise has cost more than $50,000. Malicious actors heavily exploited the coronavirus pandemic to conduct cybercrimes. The ACSC received over 18,000 reports of malicious cyber activity related to the pandemic. More than 75% resulted in financial losses or the loss of important personal information.
Further, the ACSC’s Cyber Security Hotline (1300 292 371) received over 22,000 calls, 60 calls per day on average. That’s an increase of more than 310% from the previous financial year. A notable spike in April 2020 related to a bulk extortion campaign that affected thousands of people. The top three cybercrime types reported via ReportCyber were: fraud (23%), shopping scams (17%) and online banking cybercrime (12%). During the reporting period, the ACSC issued 39 alerts and advisories to help combat urgent and critical threats.
25% of Attacks Related to Critical Infrastructure
Alarmingly, approximately one quarter of reported cyber security incidents affected organizations providing essential services, such as health, electricity, water, transport and education. One just has to look at what happened after the cyberattack that paralyzed the Colonial Pipeline, the largest refined products pipeline in the US, to understand the possible implications. After government sectors at all levels (34.7% of incidents), the professional, scientific and technical services sector (9.7%) and the health care and social assistance sector (7.3%) reported the highest number of cybersecurity incidents. These were followed by education and training (6.2%), media and communications (5.6%), and financial and insurance services (4%). Note that the high reporting frequency of government agencies is largely, or at least in part, due to the fact that government agencies have to report all significant cybersecurity incidents. So, it does not necessarily indicate that cybercriminals disproportionally target government agencies, or that they are more susceptible, compared with industry organizations.
What’s Next?
Organizations and people around the world will continue to experience new and significant cyber threats. Unfortunately, too many incidents are a result of a lack of adequate cyber hygiene. “We’ve always thought about war in terms of air, sea, or land. We now need to start thinking about it in terms of cyber”, concluded Andrew Hastie. Last year, the Australian federal government presented a bill in parliament. This new piece of legislation is looking to give law enforcement agencies enhanced powers to tackle cybercrime. Privacy advocates, however, are concerned about “scope creep”. They fear the account hacking powers would be too invasive.