
ACSC Annual Threat Report


TLDR

The Australian Cyber Security Centre (ACSC) has just released its Annual Cyber Threat Report covering the period July 2021 to July 2022 (Report).  It will probably surprise nobody that along with the international security environment more broadly, the cyber threat landscape has deteriorated markedly over the review period.

Background

Cybercrime and the costs of cybercrime

Over the review period, the numbers of cybercrime and cyber security incidents increased across the board, with a noticeable spike in the number of cybercrime reports in Q1, trailing off to more consistent, but still elevated, levels across the remainder of the review period.

Financial losses due to business email compromise (BEC) increased over the period, as did the average cost per cybercrime report for businesses of all sizes.

ACSC notifications

Among the more interesting nuggets of information contained in this document, the ACSC reports that it has notified:

  • 148 entities of ransomware activity in their networks; and
  • 5 critical infrastructure entities of malicious cyber activity and vulnerabilities.

These figures suggest that the ACSC fills a critical role in notifying entities of malicious activity in their infrastructure that the entities themselves may not be aware of.

Action taken by the ACSC

The Report gives a glimpse of the scope and scale of ACSC’s activities more broadly.  These include proactive measures taken to reduce threat levels, such as blocking malicious domain requests, taking down brute force attacks and domains hosting malicious software and conducting “high priority operational tasks” such as scanning for vulnerable devices.

Geographical disparities

While it is unsurprising that there were more cybercrimes reported in Australia’s more populous States, the statistics also reveal that in the less populated States and Territories such as Western Australia and the Northern Territory, average losses per victim were the highest.

Types of cybercrime

Online fraud constituted the lion’s share of reported cybercrime.  Despite their very high public profile, ransomware attacks made up only about 0.59% of all reported cybercrime over the review period.

State sponsored cybercrime

We’ve written previously about the difficulties of attributing malicious cyber activity to a particular nation state (see our article here).  However defined, the ACSC is very clear that state sponsored or supported cybercrime is a prominent and persistent feature of the threat landscape.  Interestingly, although the words “sophisticated” and “state based” are often used together, the Report notes that state sponsored cybercrime often relies on “relatively simple tools and techniques” because they are “effective, inexpensive and scalable” (page 30).  It also means that prized “zero day” attacks can be kept in reserve for high value targets.

Operating in the “grey zone”

Continuing the theme of state sponsored activities, the Report notes the continuing prevalence of states employing cyber attacks as an instrument of aggression or oppression against other states, including by spreading disinformation and launching attacks aimed at sabotaging and destabilising other states.  Cyber attacks can also be undertaken as an adjunct to more conventional methods of warfare.  The Report cites Ukrainian descriptions of the Russian invasion of Ukraine, for example, as “a dual war – one on the ground and one in the digital realm” (page 30).  Cyber aggression operates in a “grey zone” where it may be difficult to categorise such activities as a violation of international laws.

What businesses can do to protect themselves

The Report is rounded out by some practical recommendations, including alignment to the ACSC’s “Strategies to Mitigate Cyber Security Incidents”, joining the ACSC Partnership Program and participating in the activities of the Joint Cyber Security Centres (see page 70).

