The yearly report from the Australian Signals Directorate revealed an increase in significant breaches across government and found that ransomware remains the “most destructive” cybercrime.

An increase in incidents that caused extensive compromise, such as significant data breaches involving cybercriminals exfiltrating data from critical infrastructure for the purposes of financial gain, was revealed by the Australian Signals Directorate (ASD) Cyber Threat Report 2022-23.

ASD categorises incidents from most severe (1) to least severe (6). In the 2022-23 financial year, the number of category 2 incidents, those that caused extensive compromise, rose from two to five compared to the previous financial year. These five incidents occurred across Australia’s federal government, government shared services, regulated critical infrastructure, national security and systems of national significance.

Cyber security incidents were consistent with last financial year, with around 15% of all incidents being categorised as category 3 (C3) or above. Of the C3 incidents, over 30% related to organisations self-identifying as critical infrastructure, with transport (21%), energy (17%), and higher education and research (17%) the most affected sectors.

The most common C3 incident type was compromised assets, network or infrastructure (23%), followed by data breaches (19%) and ransomware (14%). The common activities leading to these incidents included exploitation of public-facing applications (20%) and phishing (17%). In 24% of the cases, it was ASD that notified the affected organisations of suspicious activity.

Government is the leading sector reporting cyber incidents

Australia's federal and state governments were the leading sectors reporting cybersecurity incidents in FY 2022-23, according to the report. The federal government reported 30.7% of incidents, followed by state and local governments with 12.9%. There are a few reasons why this is so.
The report warns that one of the reasons is the reporting obligations on government sectors, suggesting these are more likely to report an incident than unregulated ones. It is, however, no secret that attackers are targeting governments worldwide, so this could still reflect a genuinely higher number of attacks suffered by federal, state and local governments.

A recent IBM report, for example, predicted an increase in nation-state and other threat actors engaging in cyber activities targeting the upcoming elections in the US, Taiwan, South Korea, India, and Indonesia. Closer to home, councils in New South Wales and Queensland have been struggling to stay on top of cybersecurity, while public agencies in Victoria were found to not have fully set up Microsoft 365 controls.

Most destructive cybercrime is ransomware

Ransomware remains the most destructive cybercrime threat of the 2022-23 financial year. ASD responded to over 1,100 cyber security incidents from Australian entities. Of those, 118 were ransomware incidents, 10% of all cyber security incidents. A quarter of the ransomware reports also involved confirmed data exfiltration.

Three sectors accounted for over 40% of reported ransomware-related cyber security incidents. The professional, scientific and technical services sector (17.4%) reported ransomware-related cyber security incidents most frequently, followed by the retail trade sector (16.3%) and manufacturing (9.8%).

The top three cybercrime types for business were email compromise, business email compromise (BEC) fraud and online banking fraud. In FY 2022-23, the total self-reported BEC losses were almost $80 million. There were over 2,000 reports made to law enforcement of BEC that led to a financial loss. On average, the financial loss from each BEC incident was over $39,000.

ASD recorded 79 DoS and DDoS cyber security incidents in 2022-23, with service availability partly or wholly denied for the victim in 62 of those incidents.
The remainder of the incidents had no impact on the victim. Entities who maintained situational awareness of DoS threats and proactively implemented mitigations were reportedly less impacted by subsequent DoS.