Hack every 8 minutes: Australia, COVID-19 and the cybercrime pandemic

Australian organisations reported an incident of cyber crime once every eight minutes last year, as criminals sought to extort businesses for their money, exploit the COVID-19 crisis, and disrupt essential services and critical infrastructure. 

Key takeaways

  • Australian Cyber Security Centre has released its annual report for the 2020-21 financial year: a highly anticipated and relevant collection of data on cybercrime
  • Cybercrime grew by more than 15% in financial year 2020-2021
  • Total losses equalled a whopping $33 billion
  • 15% jump in ransomware attacks in Australia over the period


The Australian Cyber Security Centre revealed in its annual report for the 2020-21 financial year that reports of cyber crime had grown 13 percent to more than 67,500 incidents. 

Total losses equalled a whopping $33 billion. And these are just the ones we know about.

More than half of these incidents were considered “substantial” in severity and impact, the ACSC said, with outcomes such as data theft or services rendered offline. Around a quarter involved critical infrastructure or essential services.

The increasing frequency of this criminal activity is at least partially thanks to the evolution of cyber crime-for-hire models like ransomware-as-a-service that give less skilled or resourced crims the ability to hack organisations despite their limitations. 

In fact, ransomware was one of the most common types of cyber attack seen by the ACSC over the past year: the agency recorded a 15% jump in ransomware reports to 500 incidents over 2020-21. 

“This increase has been associated with an increasing willingness of criminals to extort money from particularly vulnerable and critical elements of society,” the ACSC said. 

“Ransom demands by cyber criminals ranged from thousands to millions of dollars, and their access to dark web tools and services improved their capabilities. Extortion tradecraft evolved, with criminals combining the encryption of victim networks with threats to release or on-sell stolen sensitive data and damage the victim’s reputation.” 

Cyber criminals are also more rapidly making use of security vulnerabilities in systems and products, sometimes exploiting them within hours of the flaws being publicly disclosed. Often large numbers of organisations were compromised through exploitation of the same vulnerability at around the same time, the ACSC found. 

Similarly, supply chains remain a favoured attack vector: targeting one vendor of software or services provides a way to also compromise large numbers of that vendor’s customers. The SolarWinds and Kaseya hacks, to name just two examples, made this starkly evident.

“The threat from supply chain compromises remains high – it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products,” the ACSC said. 

One of the less talked about but more considerable menaces, business email compromise (BEC), continues to present “a major threat” to Australian organisations, especially with the increase in remote work, the agency found. 

BEC incidents usually involve a crim breaking into a person’s work email and pretending to be them, either to gain access to sensitive data or to steal money by tricking others into redirecting payments into a bank account they control. 

“Spear phishing emails were regularly associated with COVID-related topics, encouraging recipients to enter personal credentials for access to COVID-related information or services,” the agency reported. 

Australian organisations are losing a “significant” amount of money to BEC, the ACSC said: total losses equalled around $81 million last year. In one case, a BEC incident caused the victim company to become bankrupt. 

“Cyber criminal groups conducting BEC have likely become more sophisticated and organised, and these groups have developed enhanced, streamlined methods for targeting Australians,” the ACSC said. 

And none of us will be surprised that hackers took full advantage of the fear and uncertainty surrounding the COVID-19 pandemic to try to scam people out of their money or personal data. 

There were around four reports per day of cyber crime related to the pandemic last year, the ACSC said. More than 75 percent of these reports involved Australians losing cash or sensitive information. 

“Criminal and state actors also targeted the health care sector. State actor activity was probably motivated by access to intellectual property or sensitive information about Australia’s response to COVID, while criminals sought to leverage critical services to increase the motivation of victims to pay ransoms.” 

The report can be read in full here.

But what does all this mean for us? 

Many of the compromises experienced over the past year continue to be “fuelled by a lack of adequate cyber hygiene”, the ACSC says. 

It wants all organisations to implement the Australian Government’s Essential Eight model for mitigating cyber attacks. 

The Essential Eight outlines the key defensive baseline strategies that make it harder for cyber criminals to compromise an organisation’s network. 

There are, however, six actions that should be undertaken particularly promptly, according to the ACSC: 

  • Know your networks. Understand where your valuable information and systems are, and make sure they’re properly protected. 
  • Patch security flaws in internet-facing systems within 48 hours where there’s a known exploit, or if not, within two weeks of the vulnerability becoming public. 
  • Make sure you’ve properly assessed the risks in your supply chain.
  • Assume a cyber security incident will occur, and prepare for it. Have strong incident response, business continuity, and disaster recovery plans in place – and test them! Lots of organisations have these plans but fail to test that they’ll work in reality, so fall over come crunch time. 

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
