The number of reports of cybercrime in Australia had shot up by 13% to 76,000 in a year, or one every seven minutes, even before a series of high-profile privacy breaches hit the headlines.
These threats are imposing an increasingly heavy cost on businesses, with the average loss per cybercrime rising by 14% to $39,000 for a small business and $62,000 for a large business.
The Australian Signals Directorate’s latest annual cyber threat report, published on Friday, also warns cyberspace “has become a battleground” and is “increasingly the domain of warfare”.
ASD’s Australian Cyber Security Centre received more than 76,000 reports of cybercrime in the 2021-22 financial year, or an average of one every seven minutes.
The most common crimes reported to the ACSC were fraud (27% of the total), followed by online shopping (14%) and online banking-related incidents (13%).
While ransomware was only a small part of the total (less than 1%), the report says it “remains the most destructive cybercrime threat” because businesses face disruptions and damage to their reputation if stolen data is released or sold as threatened. The public can also be heavily affected.
“In 2021-22, ransomware groups stole and released the personal information of hundreds of thousands of Australians as part of their extortion tactics,” the report said.
The report covers the period before millions of Australians were caught up in the Optus and Medibank Private breaches, but the head of the ACSC, Abigail Bradshaw, alluded to increasing public concerns about serious cyber theft.
“We know Australian organisations, businesses and households are worried about the cyber threat environment, about the impacts of ransomware attacks, email compromises and sophisticated phishing attempts, and from the theft of our most sensitive and personal information,” she said.
“We know that cyber threats are constantly evolving, and that they are putting our critical infrastructure sectors at even greater risk, so it’s vital that we share our understanding of this threat environment.”
The report said critical infrastructure networks were increasingly being targeted around the world by countries’ intelligence services and cybercriminals.
It said continued targeting of Australia’s critical infrastructure “is of concern as successful attacks could put access to essential services at risk”. But potential disruptions to Australian essential services last financial year “were averted by effective cyber defences”.
There were two cases of “extensive compromise” involving either federal government agencies or nationally regulated critical infrastructure in 2021-22.
The Queensland government-owned electricity generator CS Energy was targeted by the Russian-aligned Conti ransomware group in November 2021, the report said. But energy supplies were not disrupted because its operational systems were segregated from its corporate network.
Bradshaw said the agency had seen “state and non-state actors indiscriminately target Australian organisations” over the past year. She raised particular concern about “the rapid and prolific exploitation of critical vulnerabilities”.
“There has been, in the last financial year, a 25% increase in those critical vulnerabilities – and many of those are being exploited now within hours, or days, as opposed to weeks.”
Between 150,000 and 200,000 small office or home office routers in Australia may be vulnerable to compromise by state actors, according to the report.
The head of ASD, Rachel Noble, said: “There are state-based actors who are sophisticated and capable and they have enormous amounts of money and people to put at this endeavour.”
Highlighting cyber attacks as a means of warfare, the report cited Russia’s use of malware designed to destroy data and prevent computers from booting in Ukraine.
But it said Russia was not alone in its use of cyber operations to pursue strategic interests: the Australian government has blamed China’s Ministry of State Security for the exploitation of vulnerabilities within Microsoft Exchange.
“Regional dynamics in the Indo-Pacific region are increasing the risk of crisis and cyber operations are likely to be used by states to challenge the sovereignty of others,” the report said.
The defence minister, Richard Marles, said the government would be “reinforcing Australia’s cyber security as a national priority”.
The minister for home affairs and cyber security, Clare O’Neil, said recent examples of malicious cyber activity had demonstrated how important it was to prioritise cyber security.
The ACSC is urging Australian individuals and businesses to patch their systems with the latest updates, turn on multi-factor authentication, and to seek expert advice.