In 2022-23, Australia faced an ongoing threat to its security and prosperity from malicious cyber activities. Various actors with both the intention and capability to compromise critical systems posed a continuous risk.
The Australian Signals Directorate (ASD) actively addressed more than 1,100 cybersecurity incidents reported by entities within the country. Additionally, law enforcement received almost 94,000 reports through ReportCyber, averaging to approximately one report every six minutes.
Australian networks were consistently targeted by a mix of opportunistic and deliberate malicious cyber activities. The vast majority of the reports related to low-level attacks or isolated issues, such as compromised accounts or credentials.
ASD said critical infrastructure tends to have a broad attack surface, remote access, connected systems and third parties, which make it of interest to malicious actors.
Worldwide, state-sponsored cyber actors have aimed at government and critical infrastructure networks as part of continuous information-gathering campaigns or disruptive activities.
In 2022–23, ASD joined international partners to call out Russia’s Federal Security Service’s use of ‘Snake’ malware for cyber espionage, and also highlighted activity associated with a People’s Republic of China state-sponsored cyber actor that used ‘living-off-the-land’ techniques to compromise critical infrastructure organisations.
Australian critical infrastructure was targeted via increasingly interconnected systems.
Operational technology connected to the internet and into corporate networks has provided opportunities for malicious cyber actors to attack these systems. In 2022–23, ASD responded to 143 cyber security incidents related to critical infrastructure.
Cybercriminals continued to adapt tactics to extract maximum payment from victims.
Cybercriminals constantly evolved their operations against Australian organisations, fuelled by a global industry of access brokers and extortionists. ASD responded to 127 extortion-related incidents: 118 of these incidents involved ransomware or other forms of restriction to systems, files or accounts.
Business email compromise remained a key vector to conduct cybercrime. Ransomware also remained a highly destructive cybercrime type, as did hacktivists’ denial-of-service attacks, impacting organisations’ business operations.
Professor Matthew Warren, Director of the RMIT Centre for Cyber Security Research and Innovation (CCSRI), said: “Australia is facing increased risks in relation to cyber security and the new ASD 2022-23 threat report bears this out.
“Last year 94,000 cyber crime reports were reported to the government, an average of a report every six minutes; the previous year a crime was reported every seven minutes,” said Warren.
“In that time, the government also responded to 143 cyber incidents focused on Australia’s cyber security critical infrastructure.”
“The financial costs of cyber crime incidents have also increased from last year, up by 14 percent – which is a massive increase,” he said.
One in 5 critical vulnerabilities was exploited within 48 hours.
This was despite patching or mitigation advice being available. Malicious cyber actors used these critical flaws to cause significant incidents and compromise networks, aided by inadequate patching.
Cyber security is increasingly challenged by complex ICT supply chains and advances in fields such as artificial intelligence.
To boost cyber security, Australia must consider not only technical controls such as ASD’s Essential Eight, but also growing a positive cyber-secure culture across business and the community. This includes prioritising secure-by-design and secure-by-default products during both development (vendors) and procurement (customers).
ASD’s first year of REDSPICE increased cyber threat intelligence sharing, the uplift of critical infrastructure, and an enhanced 24/7 national incident response capability.
Genuine partnerships across both the public and private sectors have remained essential to Australia’s cyber resilience, and ASD’s Cyber Security Partnership Program has grown to include over 110,000 organisations and individuals.
ASD possesses the capability to construct a comprehensive national cyber threat overview, facilitated in part by the prompt and detailed reporting of cybersecurity incidents by members of the public and Australian businesses.
The compilation of cybersecurity incident data empowers ASD to enhance threat mitigation guidance with real-time insights into the latest trends and threats posed by malicious cyber actors.
Any decline in the quantity or quality of information reported to ASD adversely impacts cybersecurity outcomes. Information provided to ASD undergoes anonymisation before being disseminated to the community.
ASD classifies each incident it addresses on a severity scale ranging from Category 1 (C1), representing the most severe, to Category 6 (C6), denoting the least severe.
Incident categorisation considers factors such as the severity of impact, extent of compromise, and the significance of the affected organization.
The number of C2 incidents increased from 2 in 2021–22 to 5 in 2022–23. This includes noteworthy data breaches in which cybercriminals extracted data from critical infrastructure for financial gain.
The severity profile of incidents was consistent with the previous fiscal year, with approximately 15 percent of all incidents categorised as C3 or higher.
Among C3 incidents, over 30 percent were associated with organisations self-identifying as critical infrastructure, with the most affected sectors being transport (21 percent), energy (17 percent), and higher education and research (17 percent).
The prevalent C3 incident type was compromised assets, network, or infrastructure (23 percent), followed by data breaches (19 percent) and ransomware (14 percent).
Common activities leading to C3 incidents included the exploitation of public-facing applications (20 percent) and phishing (17 percent).
Almost a quarter (24 percent) of C3 incidents involved notification by ASD to the affected organizations regarding suspicious activity.
Although reports of low-level malicious attacks are often labeled as unsuccessful, these reports still signify a persistent targeting of Australian entities.
As Australians increasingly incorporate technology into their personal lives and business operations, the potential points of vulnerability, or attack surface, for malicious cyber actors continue to expand.
A larger attack surface poses greater challenges for effective defense. Malicious cyber actors commonly target security weaknesses within Information and Communication Technology (ICT), referred to as common vulnerabilities and exposures (CVEs), to compromise systems, pilfer data, or gain complete control over a system.
The prevalence of published CVEs has exhibited a consistent upward trend. The US National Vulnerability Database documented 19,379 CVEs in FY 2020–21, 24,266 CVEs in FY 2021–22, and 29,019 CVEs in FY 2022–23.
In order to assess the exploitation rates of CVEs following the availability of patches or mitigations, ASD conducted an analysis spanning from July 1, 2020, to February 28, 2023, covering 60 CVEs.
The findings revealed that approximately 82 percent of vulnerabilities had a ‘network’ attack vector according to the Common Vulnerability Scoring Scheme. This suggests a preference among malicious actors for vulnerabilities that can be exploited remotely and are present on internet-facing or edge devices.
Over 90 percent of Common Vulnerabilities and Exposures (CVEs) had a patch or mitigation advice available within two weeks of public disclosure, a sign of how quickly vendors and the security community respond.
Despite that rapid response, about 50 percent of these CVEs were still being exploited more than two weeks after the patch or advice had been published.
During the analysis period, ASD noted that Log4Shell (CVE-2021-44228) and ProxyLogon (CVE-2021-26855) stood out as the most frequently exploited vulnerabilities. These two vulnerabilities accounted for 29 percent of all incidents related to CVEs.
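A worked illustration of the timing metrics behind the CVE analysis above (share with a network attack vector, share with a patch or advice within two weeks, share exploited more than two weeks after a fix existed, share exploited within 48 hours of disclosure), extended with a check for CVEs exploited before any fix existed. This is an added example, not ASD's code or dataset; the CveRecord format, the field names and the nine SAMPLE records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    attack_vector: str               # CVSS attack vector: network / adjacent / local / physical
    disclosed: date                  # public disclosure date
    patch_available: Optional[date]  # date a patch or mitigation advice was published
    first_exploited: Optional[date]  # first observed exploitation, None if none seen

def pct(count, total):
    return round(100.0 * count / total, 1) if total else 0.0  # 0.0 for an empty population

def exploitation_metrics(records, window=timedelta(days=14)):
    """Timing metrics of the kind ASD's CVE analysis reports, using a 14-day window."""
    n = len(records)
    network = patched = late = fast = 0
    before_patch = []
    for r in records:
        network += r.attack_vector == "network"
        patched += r.patch_available is not None and r.patch_available - r.disclosed <= window
        if r.first_exploited is None:
            continue
        fast += r.first_exploited - r.disclosed <= timedelta(hours=48)
        if r.patch_available is None or r.first_exploited < r.patch_available:
            before_patch.append(r.cve_id)  # exploited before any fix existed (zero-day)
        elif r.first_exploited - r.patch_available > window:
            late += 1  # exploited only after a fix had been available for more than `window`
    return {
        "network_vector_pct": pct(network, n),
        "patched_within_window_pct": pct(patched, n),
        "exploited_after_window_pct": pct(late, n),
        "exploited_within_48h_pct": pct(fast, n),
        "exploited_before_patch": before_patch,
    }

# Constructed sample records with placeholder identifiers (not real CVEs).
SAMPLE = [
    CveRecord("SAMPLE-1", "network", date(2022, 1, 10), date(2022, 1, 10), date(2022, 1, 11)),
    CveRecord("SAMPLE-2", "network", date(2022, 2, 1), date(2022, 2, 5), date(2022, 3, 1)),
    CveRecord("SAMPLE-3", "network", date(2022, 3, 1), date(2022, 3, 30), date(2022, 3, 2)),
    CveRecord("SAMPLE-4", "local", date(2022, 4, 1), date(2022, 4, 3), None),
    CveRecord("SAMPLE-5", "network", date(2022, 5, 1), None, date(2022, 6, 1)),
    CveRecord("SAMPLE-6", "adjacent", date(2022, 6, 1), date(2022, 6, 10), date(2022, 7, 15)),
    CveRecord("SAMPLE-7", "network", date(2022, 7, 1), date(2022, 7, 2), date(2022, 7, 3)),
    CveRecord("SAMPLE-8", "network", date(2022, 8, 1), date(2022, 8, 14), date(2022, 9, 10)),
    CveRecord("SAMPLE-9", "network", date(2022, 9, 1), date(2022, 9, 1), date(2022, 9, 4)),
]
```

Run against real tracking data, the "exploited_before_patch" and "exploited_after_window" groups are the ones to prioritise in a patch-management review, since the first needs compensating controls and the second indicates a patching gap rather than a vendor delay.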
Actors Target Critical Infrastructure
Critical infrastructure assets and networks are attractive targets for malicious cyber activity as these assets need to hold sensitive information, maintain essential services, and often have high levels of connectivity with other organisations and critical infrastructure sectors.
A cyber incident can result in a range of impacts to critical services. For instance, the disruption of an electricity grid could cause a region to lose power. Without power, a hospital may lose access to patient records and struggle to function, internet services may be down and affect communications and payment systems, or water supply could be impacted.
Globally, a broad range of malicious cyber actors, including state actors, cybercriminals and issue‑motivated groups, have demonstrated the intent and the capability to target critical infrastructure.
Malicious cyber actors may target critical infrastructure for a range of reasons. For example, they may:
- attempt to degrade or disrupt services, such as through denial-of-service (DoS) attacks, which can have a significant impact on service providers and their customers
- steal or encrypt data or gain insider knowledge for profit or competitive advantage
- preposition themselves on systems by installing malware, in anticipation of future disruptive or destructive cyber operations, potentially years in advance
- covertly seek sensitive information through cyber espionage to advance strategic aims.
Critical infrastructure can be targeted by the mass scanning of networks for both old and new vulnerabilities. In February 2023, an Italian energy and water provider was affected by ransomware.
While there was no indication the water or energy supply was affected, it reportedly took 4 days to restore systems like information databases.
Italy’s National Cybersecurity Agency publicly noted the ransomware attack targeted older and unpatched software, exploiting a 2-year-old vulnerability.
According to Professor Warren, cyber crimes are becoming increasingly sophisticated operations, and these attacks will continue to rise at the micro and macro levels until we introduce preventative measures that can keep up with their development.
“The report states key cyber issues identified are ongoing poor patch management and poorly connected IT and operation technology networks.”
“Hopefully, the Federal Government’s Cyber Security Strategy, which is set to be handed down next week, will strengthen Australia’s cyber security strategies and regulations to minimise the risks and disruptions caused by increasing cyberattacks,” he said.
The ASD Cyber Threat Report serves as a stark revelation of the evolving digital landscape in Australia, signaling the emergence of a new cyber normal.
The findings underscore the persistent and sophisticated nature of cyber threats, necessitating a heightened level of vigilance and adaptive cybersecurity measures.
As the nation grapples with an increasingly complex threat landscape, it is imperative for stakeholders across government, industry, and the public to collaboratively fortify their defenses.